So you want to browse anonymously and help others to achieve the same goal!?


Updated today: Thursday, November 17, 2011
Reason: Script should be near perfect, i.e. bulletproof and foolproof. If not? Then I’m only an email away. 😉

Republished again today: Wednesday, November 09, 2011 <– Thus qualifies as a *bump*
The MAIN reason.

The title also refers to making relays better accessible.

The simplest and best solution I can think of is: For you to visit their website https://www.torproject.org/ and read up on what Tor can and can not do for you!

When you’re convinced of the benefits of anonymous browsing, then…

Click on the Download Tor link, select your platform and be off on your merry way! 😆 Yes folks that is all there is to it.


But

While the info above is useful for the above average tor user. I however felt the need to write out a script for those of us who wish to make an ‘advanced’ use of Tor’s capabilities while at the same time making sure that our Relay actually can be reached by those who need it the most!

Advanced‘ refers to being able to change your sources.list: in either Debian or Ubuntu and thus being able to either configure a relay in a graphical fashion or the manual “hard” way on your own.

I got my info from here and I wanted to simplify matters.
HowcanImakemyrelayaccessibletopeoplestuckbehindrestrictivefirewalls

Based on my platform of preference, this will only work for G.Linux but feel free to add your own (ask nicely and I’ll add it in.) This script can be used in conjunction with the iptables howto I wrote earlier. If NOT, then be sure to replace the ‘tobesortedout’ chain with ‘INPUT’ (default) or your own (if defined?).

Modified: Today (20 Nov. 2011) by E.L.F.
Reason: Completely rewritten and should proof to be satisfactory. If not!? 😉

The Port forwarding Script goes here:
Available as a Demo only, on this page.

#!/bin/bash
# Modified: Today by E.L.F.
#
## Licensed as:
## http://www.opensource.org/licenses/mit-license.php
#
## Script-name - Pf.Tor.sh
#
## Define some colors first:
RED="\033[0;31m"
BLUE="\033[1;34m"
CYAN="\033[1;36m"
YELLOW="\033[1;33m"
NC="\033[0m" # No Color
## --> Nice. Has the same effect as using "ansi.sys" in DOS.
set -e
#if [ ! "$USER" = root ];then
#  echo -e ${RED}"\tError:${CYAN} \""$USER"\"${YELLOW} isn't allowed to use this script!"${NC};exit 0
#else
#  echo -e ${BLUE}"\t"$USER" may proceed.\n\t${CYAN}May peace be with you."${NC}
#  echo
#fi
clear
SCRIPT=$(basename "$0")
## Trying to be "standard compliant here".
if [ ! -f /etc/iptables.rules ]
then
echo -e ${YELLOW}"\tYou haven't created a firewall as per the author's instructions."${NC}
echo -e ${YELLOW}"\tPlease create the file mentioned or point this script to the right one."${NC}
echo -e ${YELLOW}"\tOr point this script to the one you use instead."${NC}
exit 0
else
echo
echo -e ${BLUE}"\tEverything's OK."${NC}
fi
clear
## It is always useful to know one's internal ipaddress.
echo -e "*-------------------------------${CYAN}${SCRIPT}${NC}----------------------------------*"
WAN=$(netstat -r -n | sed -e "s/^0\.0\.0\.0 *\([0-9.]*\).*/\1/p" -e d )
echo -e ${BLUE}"\tYour router's IP address is: "${NC}
echo -e ${CYAN}"\t$WAN"${NC}
LAN=$(ifconfig $(netstat -r -n | sed -e "s/^0\.0\.0\.0 *.* \([^ ]*\)/\1/p" -e d ) | sed -e 's/ *inet addr:\([0-9.]*\).*/\1/p' -e d )
echo -e ${BLUE}"\tYour IP address is: "${NC}
echo -e ${CYAN}"\t$LAN"${NC}
echo "*--------------------------------------------------------------------------*"
echo
MIN=2
MAX=4
if [ "$#" -eq "0" -o "$#" -eq "1" -o "$#" -eq "3" -o "$#" -gt "$MAX" ]
  then echo -e ${YELLOW}"\tThe ${CYAN}"$SCRIPT"${YELLOW} script needs at least 2 and at most 4 options."${NC}
  echo -e ${YELLOW}"\tUsage:${CYAN} "$SCRIPT" 443 9001${YELLOW} or ${CYAN}"$(basename "$0")" 443 9001 80 9030"${NC}
  echo -e ${RED}"\tWARNING${YELLOW}: For any port chosen under 20 this script will${CYAN} EXIT${YELLOW}!"${NC}
  exit 0
## Assume BOTH.
elif [ "$#" -eq "$MAX" ];then
  if [[ "$1" =~ [^0-9]+ ]] || [[ "$2" =~ [^0-9]+ ]] || [[ "$3" =~ [^0-9]+ ]] || [[ "$4" =~ [^0-9]+ ]]
  then echo -e ${YELLOW}"\tOnly numerical input is allowed.\n\tE.g.:${CYAN} 443 9001 80 9030"${NC};exit 0;fi
  if [ "$1" -le 20 -o "$3" -le 20 ];then echo -e ${YELLOW}"\tPorts can't be less than 20!"${NC};exit 0;fi
  if [ "$1" -ge 1025 -o "$2" -le 1024 -o "$3" -ge 1025 -o "$4" -le 1024 ];then exit 0
  else [ "$1" -le 1024 -a "$2" -ge 1025 -a "$3" -le 1024 -a "$4" -ge 1025 ];fi
  RELAY="$1";ORPORT="$2";DIR="$3";DIRPORT="$4";NODIR=NO
## Assume ORPORT only.
elif [ "$#" -eq "$MIN" ];then
  if [[ "$1" =~ [^0-9]+ ]] || [[ "$2" =~ [^0-9]+ ]];then echo -e ${YELLOW}"\tOnly numerical input is allowed.\n\tE.g.:${CYAN} 443 9001"${NC};exit 0;fi
  if [ "$1" -le 20 ];then echo -e ${YELLOW}"\tPorts can't be less than 20!"${NC};exit 0;fi
  if [ "$1" -ge 1025 -o "$2" -le 1024 ];then exit 0;else [ "$1" -le 1024 -a "$2" -ge 1025 ];fi
  RELAY="$1";ORPORT="$2";NODIR=YES
else
  exit 0
fi
if [ "$NODIR" = YES ];then
  echo -e ${CYAN}"iptables -I tobesortedout 3 -i eth0 -p tcp -m tcp --dport "$ORPORT" --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT --reject-with tcp-reset"${NC}
  echo -e ${CYAN}"iptables -I tobesortedout 4 -i eth0 -p tcp -m tcp --dport "$ORPORT" -m state --state NEW -m limit --limit 20/sec --limit-burst 40 -j ACCEPT"${NC}
  echo -e ${CYAN}"iptables -t nat -A PREROUTING -p tcp -d "$LAN" --dport "$RELAY" -j DNAT --to-destination "$LAN":"$ORPORT""${NC}
  echo -e ${CYAN}"iptables -t nat -A OUTPUT -p tcp -d "$WAN" --dport "$RELAY" -j DNAT --to-destination "$LAN":"$ORPORT""${NC}
else [ "$NODIR" = NO ]
  echo -e ${CYAN}"iptables -I tobesortedout 3 -i eth0 -p tcp -m tcp --dport "$ORPORT" --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT --reject-with tcp-reset"${NC}
  echo -e ${CYAN}"iptables -I tobesortedout 4 -i eth0 -p tcp -m tcp --dport "$ORPORT" -m state --state NEW -m limit --limit 20/sec --limit-burst 40 -j ACCEPT"${NC}
  echo -e ${CYAN}"iptables -t nat -A PREROUTING -p tcp -d "$LAN" --dport "$RELAY" -j DNAT --to-destination "$LAN":"$ORPORT""${NC}
  echo -e ${CYAN}"iptables -t nat -A OUTPUT -p tcp -d "$WAN" --dport "$RELAY" -j DNAT --to-destination "$LAN":"$ORPORT""${NC}
  echo -e ${CYAN}"iptables -I tobesortedout 5 -i eth0 -p tcp -m tcp --dport "$DIRPORT" --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT --reject-with tcp-reset"${NC}
  echo -e ${CYAN}"iptables -I tobesortedout 6 -i eth0 -p tcp -m tcp --dport "$DIRPORT" -m state --state NEW -m limit --limit 20/sec --limit-burst 40 -j ACCEPT"${NC}
  echo -e ${CYAN}"iptables -t nat -A PREROUTING -p tcp -d "$LAN" --dport "$DIR" -j DNAT --to-destination "$LAN":"$DIRPORT""${NC}
fi
exit 0

Usage: Only numerical input is allowed!
(Don’t choose a port under 20 it will make this script exit.)

## Usage: Only numerical input is allowed!
## Don't choose a port under 20 it will make this script exit.
# Pf.tor.sh "relay" "orport" "dir" "dirport"
# Standalone to see its usage.
./Pf.tor.sh
# Or-port only.
# Therefore only two arguments.
./Pf.tor.sh 443 9001
# Both Or and Dir-port
# Therefore only four arguments.
./Pf.tor.sh 443 9001 80 9030
#

Now about those color definitions used in the script above:
(These start around line 10)

## For these colors to work either keep the next 5 lines.
RED="\033[0;31m"
BLUE="\033[1;34m"
CYAN="\033[1;36m"
YELLOW="\033[1;33m"
NC="\033[0m"              # No Color
#
## OR...
#
## Paste the following lines in your ~/.bashrc file for a more 'global feel'. ; - )
## (At the bottom is recommended.)
## Do uncomment those first before resourcing your ~/.bashrc file. ; - )
## http://tldp.org/LDP/abs/html/sample-bashrc.html
## Define some colors first:
RED="\033[0;31m"
export RED
BLUE="\033[1;34m"
export BLUE
CYAN="\033[1;36m"
export CYAN
YELLOW="\033[1;33m"
export YELLOW
NC="\033[0m"              # No Color
export NC
# --> Nice. Has the same effect as using "ansi.sys" in DOS.
## Don't forget to resource your bashrc file!

This script can easily be edited for other “port-forwarding” purposes of course (Which for now is to set up your iptables to function properly as a Tor Relay only.). And yes, you have to uncomment all featured commands for them to work.

Why? Because scripts that have to be run as root equals writing demos only to me! Or… you can take a look here for a live version. 😉

Please also note the “Pf.tor.sh.txt.asc” file. It means that you can verify that I made this script:

How?

gpg --verify Pf.tor.sh.txt.asc Pf.tor.sh.txt

But remember!
Despite my efforts to code properly!
(When in doubt always shout…) 😆

## What I've written:
## IS PROVIDED "AS IS",
## WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
## INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
## FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
## IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDER(S)
## BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
## WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
## ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
## OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
## For more: http://www.opensource.org/licenses/mit-license.php

See the gallery for a visual representation of the above mentioned script.
(Hiding my internal ip as I did NOT in these pictures, would merely constitute “a security through obscurity” trick.)

For a working example of what one could accomplish with this script, can be seen here.

Also I might or might not enhance my script even further by automatically adding/editing the appropriate stanzas in the ‘torrc‘ file. So one only has to run this script once, restart Tor and then be off with a good start. <– Maybe!?

10 thoughts on “So you want to browse anonymously and help others to achieve the same goal!?

  1. I got this email from accessnow.org this evening.
    ———————————————————————————————————————————-|
    Dear Alexander,

    Wow! After 18 days of protests, the Egyptian dictator Hosni Mubarak has finally resigned! The scenes on the streets are euphoric!

    Congratulations to all who have helped (in large and small ways) to make the Egyptian people’s dreams of an end to tyranny a reality. As another longtime Middle Eastern dictator falls from power in the wake of popular street protests, it is becoming increasingly difficult, if not impossible, to deny the power of social media in shaping political events.

    But with the military now running the country, it is uncertain what level of digital freedom or online surveillance lies ahead. Thanks to hundreds of you, we set up three servers last week to help the Tor network enable the Egyptian people to communicate anonymously online. As we ramp those servers up to maximum capacity, we realize it’s time to add a few more. Greater server capacity will help ensure that the Egyptian protest movement stays secure until a true democratic government is put in place. If you would like to donate to this effort, please do so here: https://www.accessnow.org/page/contribute/Help-Egypt-with-tor

    Finally, if you haven’t signed our global petition to stop the internet kill switch, please use the link below to sign — it’s the next big battle, and we need an internet uprising to stop it.

    https://www.accessnow.org/page/s/stop-the-switch

    With purpose,
    The Access Team

    P.S. The live stream vision from Al Jazeera is historic, and, of course, the Facebook page We are all Khalid Said is electric! View them both!

    —-

    Middle clicking on the link(s) opens the referred to page in a new tab.

    Like

  2. I really like your site. Excellent content. Please continue posting such profound cotent.

    Like

    • “Why can’t everyone else be like this?”

      Imagine that you’re standing in front of a painting. What do you see?
      A. Perhaps you see a very interesting plane of gray or perhaps that same plane has a few shades of gray?
      B. You see a colorful representation of never ending combinations with an infinite variety?

      I prefer B! 😉

      Like

    • Then I most certainly hope you’re going to love this:

      US & EU comps make 80-90% of surveillance tech. Sign @accessnow petition calling on govts 2 stop sale 2 regimes. http://t.co/NqACyzmv

      As to quote from the email I just got from https://www.accessnow.org

      “We did it! The new Syrian surveillance system will not go ahead. After global pressure, including over 10,000 of us who demanded that Area, NetApp, Qosmos, and Utimaco end their involvement in building this new system, the main player Area just announced it would drop out and halt the construction of this possibly deadly project. But we won’t stop here!”

      It would seem that we have just won “round 1“, but as you look at the petition you’ll see that we’re only halfway there!

      Like

Comments are closed.