@meejah
Created February 9, 2012 05:26
setup-tor-vm.py
#!/usr/bin/env python
##
## this will set up a VDE switch which has a tap interface (tap_tor)
## which is also set up by this script. This tap interface has all its
## data pushed out through tor (or dropped, if it's UDP and not port
## 53) via some iptables rules. probably you need to run this as
## root. when the VM shuts down, the processes started here are killed
## as well.
##
## WARNING: all nat iptables rules are deleted by this script!
## (see near the bottom)
##
## your vm image is going to need something like this in
## /etc/network/interfaces (presuming it's debian and has an eth0
## network device):
##
## iface eth0 inet static
##     address 10.0.0.5
##     netmask 255.255.255.0
##     gateway 10.0.0.210
##
from __future__ import print_function

import os
import subprocess
import sys
import time

## "config" such as it is
uplink_ip = "10.0.0.210"      # host side of the tap; the VM uses it as its gateway
tap_name = 'tap_tor'
tor_rc = '/tmp/torrc'
switch_name = '/tmp/vde_switch_tor'
tor_data_dir = '/home/mike/src/virtual-machines/tor'
vm_image = '/home/mike/src/vmbuilder/lemuria-debian-lenny-kvm/disk0.qcow2'

##
## VDE switch
##
vdeswitch = subprocess.Popen(['vde_switch', '-s', switch_name, '-tap', tap_name])
print("Started vde_switch at PID", vdeswitch.pid, "with control socket", switch_name)
time.sleep(1)   # give vde_switch a moment to create the tap device

##
## TAP interface
##
print("Bringing up", tap_name, "on", uplink_ip)
if os.system("ifconfig %s %s up" % (tap_name, uplink_ip)):
    vdeswitch.kill()
    print("error, killed vde_switch")
    sys.exit(1)

##
## separate TOR instance for our traffic
##
with open(tor_rc, 'w') as f:
    f.write("""
## tor seems to always want to start a SOCKS listener; 9050 is the default port
SocksPort 9055
SocksListenAddress 10.0.0.210
## don't need this, but good for getting info while it's running
## (default is 9051)
ControlPort 9056
HashedControlPassword 16:F224C256D983050B606E28C6C416BF879A3DE3E51CEC687C9DFDE6C94C
# possibly not needed for this example but this allows
# .onion and .exit routes to "just work"
AutomapHostsOnResolve 1
# this is where we'll send TCP traffic for proxying
TransPort 9040
TransListenAddress 10.0.0.210
# just DNS requests will be sent here
DNSPort 9053
DNSListenAddress 10.0.0.210
## flesh out a few more options for a full config
Log notice stderr
RunAsDaemon 0
DataDirectory %s
""" % tor_data_dir)

## may need to change the owner if you're not on debian
if not os.path.isdir(tor_data_dir):
    os.mkdir(tor_data_dir)
os.system('chown debian-tor %s' % tor_data_dir)
tor = subprocess.Popen(['tor', '-f', tor_rc, '--quiet'])
print("Started tor at PID", tor.pid, "with", tor_rc, "for config")

##
## use iptables to forward all TAP traffic to Tor
##
for x in ['iptables -t nat -F',   # WARNING: flushes every existing nat rule
          'iptables -t nat -A PREROUTING -i %s -p udp --dport 53 -j REDIRECT --to-ports 9053' % tap_name,
          'iptables -t nat -A PREROUTING -i %s -p tcp --syn -j REDIRECT --to-ports 9040' % tap_name]:
    print(x)
    os.system(x)

##
## now just start the VM
##
try:
    vm = subprocess.Popen(['kvm',
                           '-vga', 'std',
                           '-net', 'nic,macaddr=12:34:56:aa:bb:cc',
                           '-net', 'vde,sock=%s' % switch_name,
                           '-m', '128',
                           '-smp', '1',
                           '-drive', 'file=%s' % vm_image])
    vm.wait()
    print("VM exited...")
finally:
    ## tear down tor and the switch even if kvm never started
    print("killing tor")
    tor.kill()
    print("killing vde switch")
    vdeswitch.kill()
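An added check, not part of meejah's gist: once the script has run, parse the output of `iptables -t nat -S PREROUTING` and confirm that every rule matching the tap interface hands traffic to Tor's DNSPort (9053) or TransPort (9040), reporting any other rule on the tap as a path around Tor. The sample rule listing is constructed to look like what iptables prints after the script's two REDIRECT rules are added; it is not captured from the author's host.

```python
import re

# Constructed sample of `iptables -t nat -S PREROUTING` after the script above
# has run (iptables expands the script's `--syn` into an explicit --tcp-flags).
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -i tap_tor -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i tap_tor -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
"""

def audit_tap_rules(rules_text, tap_name, dns_port=9053, trans_port=9040):
    """Return which Tor redirects exist for tap_name and list every other
    rule that matches the tap (a rule that sends VM traffic somewhere other
    than Tor's DNSPort/TransPort)."""
    findings = {'dns_redirect': False, 'tcp_redirect': False, 'leaks': []}
    for line in rules_text.splitlines():
        # skip chain policy lines and rules that match other interfaces
        if not line.startswith('-A ') or ('-i %s ' % tap_name) not in line:
            continue
        m = re.search(r'-j REDIRECT --to-ports (\d+)', line)
        to_port = int(m.group(1)) if m else None
        is_syn = re.search(r'--syn|--tcp-flags \S+ SYN', line) is not None
        if '-p udp' in line and '--dport 53' in line and to_port == dns_port:
            findings['dns_redirect'] = True
        elif '-p tcp' in line and is_syn and to_port == trans_port:
            findings['tcp_redirect'] = True
        else:
            # tap traffic handled by something other than the Tor redirects
            findings['leaks'].append(line)
    return findings

if __name__ == '__main__':
    result = audit_tap_rules(SAMPLE_NAT_RULES, 'tap_tor')
    print("DNS redirect present:", result['dns_redirect'])
    print("TCP redirect present:", result['tcp_redirect'])
    for rule in result['leaks']:
        print("rule on tap not going to Tor:", rule)
```

On the host itself, feed the function `subprocess.check_output(['iptables', '-t', 'nat', '-S', 'PREROUTING'])` decoded to text instead of the constructed sample.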
@harkleycod

Does it work with ipv6 (using ip6tables)?
