Fix to mktorfw.sh in Tor Hacking Utilities Package
I've posted an updated version of my Tor hacking utilities. This is a collection of extremely simple scripts that I used for testing from an isolated Tor environment on Linux.
I haven't been actively maintaining this package, but a couple of weeks ago I received an email asking about some difficulties with the 'mktorfw.sh' script. The script constructs a Linux iptables firewall based on the list of current Tor routers. It appears that the script hadn't been updated since late 2007 and was still expecting the list of Tor routers to be in '/var/lib/cached-routers'. It has been updated to read from '/var/lib/cached-descriptors'.
The 'mktorfw.sh' script can be used to create an extremely restrictive iptables Linux firewall. I found this very helpful when looking for applications that leak network traffic. Some applications do not properly honour proxy settings, and the direct connections they make outside Tor compromise anonymity. With this local firewall, any attempt by an application to connect out to an address and port that was not currently a Tor router endpoint was logged and dropped, so the leak shows up in the log instead of on the wire.
The script has two primary modes. The first reads the list of routers and creates the firewall from the set of router addresses and ports, along with some other necessary rules. The second is an update mode that detects changes in the list of routers and adds or removes the corresponding iptables rules.
For example, to create an initial firewall configuration where 'eth0' is the gateway interface:
./mktorfw.sh -i eth0
If there are additional local ports that should be allowed, these can be specified as well:
./mktorfw.sh -d -i eth0 -l "4443,5553,5533:5539,5041"
As Tor routers come and go, the list of routers changes and the firewall needs to be updated to follow it. The simplest mechanism to accomplish this is to install the scripts in a root-owned location:
install -m0755 mktorfw.sh libutiltor.sh /sbin
and create a crontab entry to run the update frequently. Note that the entry below uses the system crontab format (/etc/crontab or a file in /etc/cron.d), which has a user field; in a per-user crontab edited with 'crontab -e' there is no user field and 'root' would be taken as the start of the command:
*/5 * * * * root /sbin/mktorfw.sh -u -i eth0
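The following is an added example, written for this page; it is not the package's mktorfw.sh or libutiltor.sh, whose internals are not shown here. It illustrates both modes described above: building a default-DROP rule set from the 'router' lines of a Tor cached-descriptors file (router nickname, address, ORPort, SOCKSPort, DirPort), and computing the rule changes the update mode has to make when the router list changes. The sample descriptor lines are constructed; the TOR_OUT chain name, the "TOR-LEAK:" log prefix, the iptables-restore output format and the reading of the -l ports as local listening ports kept open on INPUT are all assumptions of this example, not features of the original script. Nothing here calls iptables itself: the functions print rules so they can be inspected, then fed to iptables-restore or sh by root.

```sh
#!/bin/sh
# Added example, not the mktorfw.sh script from the package.  Builds a
# restrictive iptables rule set from the 'router' lines of a Tor
# cached-descriptors file and computes the rule delta between two such files.
#
# Assumptions (not from the original script): the -l ports are local
# listening ports kept reachable on INPUT; only the primary address on the
# 'router' line is used, so 'or-address' lines added by later Tor versions
# are ignored.

# Constructed sample in the cached-descriptors format:
#   router <nickname> <address> <ORPort> <SOCKSPort> <DirPort>
# A DirPort of 0 means the router offers no directory port.
SAMPLE_FILE="${TMPDIR:-/tmp}/cached-descriptors.sample"
cat > "$SAMPLE_FILE" <<'EOF'
@downloaded-at 2009-01-01 00:00:00
router exampleA 192.0.2.10 9001 0 9030
platform Tor 0.2.1.x on Linux
router exampleB 198.51.100.7 443 0 0
router exampleC 203.0.113.99 9001 0 80
EOF

# rule WORDS... : print one rule line
rule() { printf '%s\n' "$*"; }

# tor_endpoints FILE : "address port" pairs that are Tor router endpoints
# (ORPort, plus DirPort when non-zero), sorted in C locale for comm(1).
tor_endpoints() {
    awk '$1 == "router" { print $3, $4; if ($6 != "0") print $3, $6 }' "$1" |
        LC_ALL=C sort -u
}

# tor_rules FILE IFACE [LOCALPORTS] : complete iptables-restore filter table.
# Every chain defaults to DROP; outbound traffic on IFACE is accepted only to
# a Tor endpoint, everything else is logged and then dropped.  DNS is
# deliberately not allowed: a lookup outside Tor is a classic leak, and the
# LOG rule is how you catch it.
tor_rules() {
    file=$1 iface=$2 local_ports=$3
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'
    rule ':TOR_OUT - [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    if [ -n "$local_ports" ]; then
        # multiport accepts "p1,p2,lo:hi,..." exactly as written after -l
        rule -A INPUT -i "$iface" -p tcp -m multiport --dports "$local_ports" -j ACCEPT
    fi
    rule -A OUTPUT -o "$iface" -j TOR_OUT
    tor_endpoints "$file" | while read -r addr port; do
        rule -A TOR_OUT -p tcp -d "$addr" --dport "$port" -j ACCEPT
    done
    rule -A TOR_OUT -j LOG --log-prefix '"TOR-LEAK: "'
    rule -A TOR_OUT -j DROP
    rule COMMIT
}

# tor_rule_delta OLDFILE NEWFILE : iptables commands that move a live TOR_OUT
# chain from the old router list to the new one (the update mode).  New rules
# are inserted at position 1 so they land above the trailing LOG/DROP pair;
# appending with -A would place them after DROP, where they are never reached.
tor_rule_delta() {
    old=$(mktemp) new=$(mktemp)
    tor_endpoints "$1" > "$old"
    tor_endpoints "$2" > "$new"
    LC_ALL=C comm -23 "$old" "$new" | while read -r addr port; do
        rule iptables -D TOR_OUT -p tcp -d "$addr" --dport "$port" -j ACCEPT
    done
    LC_ALL=C comm -13 "$old" "$new" | while read -r addr port; do
        rule iptables -I TOR_OUT 1 -p tcp -d "$addr" --dport "$port" -j ACCEPT
    done
    rm -f "$old" "$new"
}

# Stand-alone run: print the initial rule set for eth0 with the post's -l ports.
tor_rules "$SAMPLE_FILE" eth0 "4443,5553,5533:5539,5041"
```

For the update mode, keep a copy of the descriptor file used for the last run, call tor_rule_delta against the current one, and apply the printed commands; a 'router' line that disappears produces a -D for its ORPort and DirPort, a new one produces an -I above the LOG/DROP tail. Note that a rule set this strict also blocks DNS and anything on UDP, which is the intent when hunting leaks but makes it unsuitable as a general-purpose firewall.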
Note: the firewall rule-set created by this script was built mainly for experimental and research purposes. If you are looking for strong anonymity, a firewall or VPN that transparently proxies your traffic is probably a better solution. The Noreply Wiki has a TheOnionRouter/TransparentProxy page on that approach. Or, if you are on Windows, there is JanusVM.