@peci1
Created November 2, 2017 02:14
An attempt at transparent .onion translation on Omnia
diff -Nru @161/etc/config/resolver @/etc/config/resolver
--- @161/etc/config/resolver 2017-10-01 21:01:14.375423242 +0200
+++ @/etc/config/resolver 2017-11-02 01:13:47.862130135 +0100
@@ -21,6 +21,7 @@
option log_stderr '1'
option log_stdout '1'
option forks '1'
+ option include_config '/etc/kresd/config.conf'
config resolver 'unbound'
option outgoing_range '60'
diff -Nru @161/etc/firewall.user @/etc/firewall.user
--- @161/etc/firewall.user 2017-05-17 01:57:14.366730659 +0200
+++ @/etc/firewall.user 2017-11-02 03:03:49.656837905 +0100
@@ -25,3 +25,8 @@
iptables -A output_rule -o ppp3 -j ACCEPT
iptables -I INPUT 1 -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
+
+# TOR .onion transparent routing
+iptables -A input_rule -p tcp --dport 9040 -j ACCEPT /* TOR */
+iptables -t nat -A prerouting_rule -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040 /* TOR */
+iptables -t nat -A output_rule -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040 /* TOR */
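Review bot: The `/* TOR */` trailers on the three new iptables lines are not comments in a shell script — `/etc/firewall.user` is executed by the shell, so `/*` and `*/` are glob-expanded and the resulting words are handed to iptables as extra arguments, which makes the command fail and leaves the rule uninstalled; the `# TOR .onion transparent routing` line above already labels the group, so drop the trailers, e.g. `iptables -A input_rule -p tcp --dport 9040 -j ACCEPT`. Neither the `input_rule` ACCEPT nor the `prerouting_rule` REDIRECT is limited to the LAN side, so if TransPort is ever bound to a non-loopback address the transparent proxy port becomes reachable from any interface; restricting both with `-i <lan-iface>` or `-s 192.168.18.0/24` (the range the torrc SOCKSPolicy already trusts) keeps it LAN-only. Whether a user chain named `output_rule` exists in the nat table on this firmware is worth confirming — if it does not, the third rule errors out as well and the router's own .onion connections are never redirected.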
diff -Nru @161/etc/kresd/config.conf @/etc/kresd/config.conf
--- @161/etc/kresd/config.conf 1970-01-01 01:00:00.000000000 +0100
+++ @/etc/kresd/config.conf 2017-11-02 02:18:42.768523957 +0100
@@ -0,0 +1,4 @@
+-- enable transparent translation of Tor .onion domains
+local forward_rule = policy.add(policy.suffix(policy.STUB('127.0.0.1@5300'), policy.todnames({'onion'})))
+policy.del(forward_rule.id)
+table.insert(policy.rules, 1, forward_rule)
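Review bot: The reorder on the last two lines is undocumented — `policy.add` appends the rule, it is then deleted by id and re-inserted at position 1 of `policy.rules`, which relies on the policy module's internal table layout and will silently stop working if that changes between kresd releases; a comment should state why front position is required, something like `-- must precede the generated rules, otherwise .onion queries are handled before this rule runs`, and since I am only inferring that a later catch-all rule exists, confirm that against the generated config before wording it. It would also help to note on the `policy.STUB` line that a stub (non-validating) forward is intended, because Tor's DNSPort synthesizes answers from the virtual 10.192.0.0/10 range that could not be DNSSEC-validated.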
diff -Nru @161/etc/tor/torrc @/etc/tor/torrc
--- @161/etc/tor/torrc 2017-11-02 00:21:42.665535740 +0100
+++ @/etc/tor/torrc 2017-11-02 02:23:59.890625766 +0100
@@ -23,6 +23,7 @@
## all (and only) requests that reach a SOCKSPort. Untrusted users who
## can access your SOCKSPort may be able to learn about the connections
## you make.
+SOCKSPolicy accept 127.0.0.1/32
SOCKSPolicy accept 192.168.18.0/24
SOCKSPolicy accept6 FC00::/7
SOCKSPolicy reject *
@@ -206,3 +207,9 @@
#PublishServerDescriptor 0
User tor
+
+## Support transparent routing of .onion addresses (the other part of config is in /etc/kresd/config.conf).
+DNSPort 127.0.0.1:5300
+VirtualAddrNetworkIPv4 10.192.0.0/10
+AutomapHostsOnResolve 1
+TransPort 9040
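Review bot: `TransPort 9040` with no address binds to loopback only, while the matching `prerouting_rule` REDIRECT in firewall.user rewrites LAN clients' packets to the ingress interface's address rather than 127.0.0.1 (as I read iptables' REDIRECT semantics), so LAN traffic to 10.192.0.0/10 would be refused and only the router's own connections (the nat `output_rule`) would work; if LAN clients are meant to be covered, bind explicitly, e.g. `TransPort <router-lan-ip>:9040`, and keep the firewall accept for 9040 limited to the LAN interface since the port then listens on a routable address. `DNSPort 127.0.0.1:5300` is correctly loopback-only, as only the local kresd stub forwards to it. A one-line comment next to `VirtualAddrNetworkIPv4 10.192.0.0/10` noting that the range must stay in sync with the two REDIRECT rules in /etc/firewall.user would keep the two files from drifting apart.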