Updated today: Thursday, November 17, 2011
Reason: Script should be near perfect, i.e. bulletproof and foolproof. If not? Then I’m only an email away. 😉
Republished again today: Wednesday, November 09, 2011 <– Thus qualifies as a *bump*
The MAIN reason.
The title also refers to making relays more accessible.
The simplest and best solution I can think of is: for you to visit their website https://www.torproject.org/ and read up on what Tor can and cannot do for you!
When you’re convinced of the benefits of anonymous browsing, then…
Click on the Download Tor link, select your platform and be off on your merry way! 😆 Yes folks that is all there is to it.
But…
While the info above is useful for the above-average Tor user, I felt the need to write a script for those of us who wish to make 'advanced' use of Tor's capabilities while at the same time making sure that our relay can actually be reached by those who need it the most!
'Advanced' refers to being able to change your sources.list in either Debian or Ubuntu, and thus being able to configure a relay either in a graphical fashion or the manual "hard" way on your own.
I got my info from here and I wanted to simplify matters.
How can I make my relay accessible to people stuck behind restrictive firewalls?
Based on my platform of preference, this will only work for GNU/Linux, but feel free to add your own (ask nicely and I'll add it in). This script can be used in conjunction with the iptables howto I wrote earlier. If NOT, then be sure to replace the 'tobesortedout' chain with 'INPUT' (the default) or your own chain (if you defined one).
Modified: Today (20 Nov. 2011) by E.L.F.
Reason: Completely rewritten and should prove to be satisfactory. If not!? 😉
The Port forwarding Script goes here:
Available as a Demo only, on this page.
#!/bin/bash
# Modified: Today by E.L.F.
#
## Licensed as:
## http://www.opensource.org/licenses/mit-license.php
#
## Script-name - Pf.Tor.sh
#
## Define some colors first:
RED="\033[0;31m"
BLUE="\033[1;34m"
CYAN="\033[1;36m"
YELLOW="\033[1;33m"
NC="\033[0m" # No Color
## --> Nice. Has the same effect as using "ansi.sys" in DOS.

set -e

#if [ ! "$USER" = root ];then
# echo -e ${RED}"\tError:${CYAN} \""$USER"\"${YELLOW} isn't allowed to use this script!"${NC};exit 0
#else
# echo -e ${BLUE}"\t"$USER" may proceed.\n\t${CYAN}May peace be with you."${NC}
# echo
#fi

clear
SCRIPT=$(basename "$0") ## Trying to be "standard compliant" here.

if [ ! -f /etc/iptables.rules ]
then
    echo -e ${YELLOW}"\tYou haven't created a firewall as per the author's instructions."${NC}
    echo -e ${YELLOW}"\tPlease create the file mentioned or point this script to the right one."${NC}
    echo -e ${YELLOW}"\tOr point this script to the one you use instead."${NC}
    exit 1
else
    echo
    echo -e ${BLUE}"\tEverything's OK."${NC}
fi

clear
## It is always useful to know one's internal ipaddress.
echo -e "*-------------------------------${CYAN}${SCRIPT}${NC}----------------------------------*"
## The default gateway, taken from the routing table.
WAN=$(netstat -r -n | sed -e "s/^0\.0\.0\.0 *\([0-9.]*\).*/\1/p" -e d)
echo -e ${BLUE}"\tYour router's IP address is: "${NC}
echo -e ${CYAN}"\t$WAN"${NC}
## The address of the interface that carries the default route.
LAN=$(ifconfig $(netstat -r -n | sed -e "s/^0\.0\.0\.0 *.* \([^ ]*\)/\1/p" -e d) | sed -e 's/ *inet addr:\([0-9.]*\).*/\1/p' -e d)
echo -e ${BLUE}"\tYour IP address is: "${NC}
echo -e ${CYAN}"\t$LAN"${NC}
echo "*--------------------------------------------------------------------------*"
echo

MIN=2
MAX=4
if [ "$#" -eq "0" -o "$#" -eq "1" -o "$#" -eq "3" -o "$#" -gt "$MAX" ]
then
    echo -e ${YELLOW}"\tThe ${CYAN}"$SCRIPT"${YELLOW} script needs at least 2 and at most 4 options."${NC}
    echo -e ${YELLOW}"\tUsage:${CYAN} "$SCRIPT" 443 9001${YELLOW} or ${CYAN}"$SCRIPT" 443 9001 80 9030"${NC}
    echo -e ${RED}"\tWARNING${YELLOW}: For any port chosen under 20 this script will${CYAN} EXIT${YELLOW}!"${NC}
    exit 1
## Assume BOTH.
elif [ "$#" -eq "$MAX" ];then
    if [[ "$1" =~ [^0-9]+ ]] || [[ "$2" =~ [^0-9]+ ]] || [[ "$3" =~ [^0-9]+ ]] || [[ "$4" =~ [^0-9]+ ]]
    then
        echo -e ${YELLOW}"\tOnly numerical input is allowed.\n\tE.g.:${CYAN} 443 9001 80 9030"${NC};exit 1
    fi
    if [ "$1" -lt 20 -o "$3" -lt 20 ];then echo -e ${YELLOW}"\tPorts can't be less than 20!"${NC};exit 1;fi
    ## The public (advertised) ports must be 1024 or lower, the ports Tor listens on 1025 or higher.
    if [ "$1" -ge 1025 -o "$2" -le 1024 -o "$3" -ge 1025 -o "$4" -le 1024 ];then
        echo -e ${YELLOW}"\tPublic ports must be 1024 or lower, Tor ports 1025 or higher."${NC};exit 1
    fi
    RELAY="$1";ORPORT="$2";DIR="$3";DIRPORT="$4";NODIR=NO
## Assume ORPORT only.
elif [ "$#" -eq "$MIN" ];then
    if [[ "$1" =~ [^0-9]+ ]] || [[ "$2" =~ [^0-9]+ ]];then
        echo -e ${YELLOW}"\tOnly numerical input is allowed.\n\tE.g.:${CYAN} 443 9001"${NC};exit 1
    fi
    if [ "$1" -lt 20 ];then echo -e ${YELLOW}"\tPorts can't be less than 20!"${NC};exit 1;fi
    if [ "$1" -ge 1025 -o "$2" -le 1024 ];then
        echo -e ${YELLOW}"\tThe public port must be 1024 or lower, the Tor port 1025 or higher."${NC};exit 1
    fi
    RELAY="$1";ORPORT="$2";NODIR=YES
else
    exit 1
fi

## Demo only: the commands are printed, not executed.
## ORPort rules, needed in both cases.
echo -e ${CYAN}"iptables -I tobesortedout 3 -i eth0 -p tcp -m tcp --dport "$ORPORT" --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT --reject-with tcp-reset"${NC}
echo -e ${CYAN}"iptables -I tobesortedout 4 -i eth0 -p tcp -m tcp --dport "$ORPORT" -m state --state NEW -m limit --limit 20/sec --limit-burst 40 -j ACCEPT"${NC}
echo -e ${CYAN}"iptables -t nat -A PREROUTING -p tcp -d "$LAN" --dport "$RELAY" -j DNAT --to-destination "$LAN":"$ORPORT""${NC}
echo -e ${CYAN}"iptables -t nat -A OUTPUT -p tcp -d "$WAN" --dport "$RELAY" -j DNAT --to-destination "$LAN":"$ORPORT""${NC}
## DirPort rules, only when four arguments were given.
if [ "$NODIR" = NO ];then
    echo -e ${CYAN}"iptables -I tobesortedout 5 -i eth0 -p tcp -m tcp --dport "$DIRPORT" --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT --reject-with tcp-reset"${NC}
    echo -e ${CYAN}"iptables -I tobesortedout 6 -i eth0 -p tcp -m tcp --dport "$DIRPORT" -m state --state NEW -m limit --limit 20/sec --limit-burst 40 -j ACCEPT"${NC}
    echo -e ${CYAN}"iptables -t nat -A PREROUTING -p tcp -d "$LAN" --dport "$DIR" -j DNAT --to-destination "$LAN":"$DIRPORT""${NC}
fi
exit 0
Usage: Only numerical input is allowed!
(Don’t choose a port under 20 it will make this script exit.)
## Usage: Only numerical input is allowed!
## Don't choose a port under 20 it will make this script exit.
# Pf.tor.sh "relay" "orport" "dir" "dirport"
# Standalone to see its usage.
./Pf.tor.sh
# Or-port only.
# Therefore only two arguments.
./Pf.tor.sh 443 9001
# Both Or and Dir-port
# Therefore only four arguments.
./Pf.tor.sh 443 9001 80 9030
#
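As an added example that is not part of the original Pf.Tor.sh, here are the same port checks and the same rule set rewritten as shell functions, so the argument validation and the generated iptables commands can be exercised without root and without a live firewall. The chain name tobesortedout and interface eth0 come from the script above; the addresses are constructed.

```shell
#!/bin/bash
# Added example, not the page's own Pf.Tor.sh: the same port checks and the
# same rule set as functions that can be exercised without root or a firewall.
# Assumed from the page: chain "tobesortedout", interface eth0, and that the
# commands are only printed, never applied. Addresses below are constructed.

# pf_tor_validate PUBLIC TORPORT
# PUBLIC is the advertised port (21..1024), TORPORT the local Tor port (1025..65535).
pf_tor_validate() {
    case "$1$2" in *[!0-9]*|"") return 1 ;; esac   # digits only
    [ -n "$1" ] && [ -n "$2" ] &&
    [ "$1" -gt 20 ] && [ "$1" -le 1024 ] && [ "$2" -ge 1025 ] && [ "$2" -le 65535 ]
}

# pf_tor_emit LAN WAN POS PUBLIC LOCALPORT [with_output]
# Prints the connlimit, rate-limit and DNAT rules for one public->local pair,
# inserted at chain positions POS and POS+1 as the page's script does.
pf_tor_emit() {
    lan="$1"; wan="$2"; pos="$3"; pub="$4"; loc="$5"
    echo "iptables -I tobesortedout $pos -i eth0 -p tcp -m tcp --dport $loc --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT --reject-with tcp-reset"
    echo "iptables -I tobesortedout $((pos + 1)) -i eth0 -p tcp -m tcp --dport $loc -m state --state NEW -m limit --limit 20/sec --limit-burst 40 -j ACCEPT"
    echo "iptables -t nat -A PREROUTING -p tcp -d $lan --dport $pub -j DNAT --to-destination $lan:$loc"
    # The OUTPUT rule lets the host reach its own advertised port; the page adds it for the ORPort only.
    [ -n "$6" ] && echo "iptables -t nat -A OUTPUT -p tcp -d $wan --dport $pub -j DNAT --to-destination $lan:$loc"
    return 0
}

# pf_tor_rules LAN WAN PUBLIC ORPORT [PUBLIC_DIR DIRPORT]
# Returns 1 and prints nothing on any invalid port, as the page's script exits.
pf_tor_rules() {
    pf_tor_validate "$3" "$4" || { echo "bad ORPort pair: '$3' '$4'" >&2; return 1; }
    if [ $# -gt 4 ]; then
        pf_tor_validate "$5" "$6" || { echo "bad DirPort pair: '$5' '$6'" >&2; return 1; }
    fi
    pf_tor_emit "$1" "$2" 3 "$3" "$4" yes
    [ $# -gt 4 ] && pf_tor_emit "$1" "$2" 5 "$5" "$6"
    return 0
}

# Stand-alone run with constructed addresses (advertise 443/80, Tor on 9001/9030).
pf_tor_rules 192.168.1.2 192.168.1.1 443 9001 80 9030
```

Pipe the output into a shell only after reading it; the functions deliberately print rather than apply anything.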
Now about those color definitions used in the script above:
(These start around line 10)
## For these colors to work either keep the next 5 lines.
RED="\033[0;31m"
BLUE="\033[1;34m"
CYAN="\033[1;36m"
YELLOW="\033[1;33m"
NC="\033[0m" # No Color
#
## OR...
#
## Paste the following lines in your ~/.bashrc file for a more 'global feel'. ; - )
## (At the bottom is recommended.)
## Do uncomment those first before resourcing your ~/.bashrc file. ; - )
## http://tldp.org/LDP/abs/html/sample-bashrc.html
## Define some colors first:
RED="\033[0;31m"
export RED
BLUE="\033[1;34m"
export BLUE
CYAN="\033[1;36m"
export CYAN
YELLOW="\033[1;33m"
export YELLOW
NC="\033[0m" # No Color
export NC
# --> Nice. Has the same effect as using "ansi.sys" in DOS.
## Don't forget to resource your bashrc file!
This script can easily be edited for other "port-forwarding" purposes of course (for now it only sets up your iptables to function properly as a Tor relay). And yes, you have to uncomment all featured commands for them to work.
Why? Because a script that has to be run as root means, to me, publishing a demo only! Or… you can take a look here for a live version. 😉
Please also note the “Pf.tor.sh.txt.asc” file. It means that you can verify that I made this script:
How?
gpg --verify Pf.tor.sh.txt.asc Pf.tor.sh.txt
But remember!
Despite my efforts to code properly!
(When in doubt always shout…) 😆
## What I've written:
## IS PROVIDED "AS IS",
## WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
## INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
## FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
## IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDER(S)
## BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
## WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
## ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
## OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
## For more: http://www.opensource.org/licenses/mit-license.php
See the gallery for a visual representation of the above mentioned script.
(Hiding my internal IP in these pictures, which I did NOT do, would merely have been a "security through obscurity" trick.)
A working example of what one could accomplish with this script can be seen here.
Also, I might or might not enhance my script even further by automatically adding/editing the appropriate stanzas in the 'torrc' file, so that one only has to run this script once, restart Tor and be off to a good start. <– Maybe!?
I got this email from accessnow.org this evening.
———————————————————————————————————————————-|
Dear Alexander,
Wow! After 18 days of protests, the Egyptian dictator Hosni Mubarak has finally resigned! The scenes on the streets are euphoric!
Congratulations to all who have helped (in large and small ways) to make the Egyptian people’s dreams of an end to tyranny a reality. As another longtime Middle Eastern dictator falls from power in the wake of popular street protests, it is becoming increasingly difficult, if not impossible, to deny the power of social media in shaping political events.
But with the military now running the country, it is uncertain what level of digital freedom or online surveillance lies ahead. Thanks to hundreds of you, we set up three servers last week to help the Tor network enable the Egyptian people to communicate anonymously online. As we ramp those servers up to maximum capacity, we realize it’s time to add a few more. Greater server capacity will help ensure that the Egyptian protest movement stays secure until a true democratic government is put in place. If you would like to donate to this effort, please do so here: https://www.accessnow.org/page/contribute/Help-Egypt-with-tor
Finally, if you haven’t signed our global petition to stop the internet kill switch, please use the link below to sign — it’s the next big battle, and we need an internet uprising to stop it.
https://www.accessnow.org/page/s/stop-the-switch
With purpose,
The Access Team
P.S. The live stream vision from Al Jazeera is historic, and, of course, the Facebook page We are all Khalid Said is electric! View them both!
—-
Middle clicking on the link(s) opens the referred to page in a new tab.
Of course I’ll keep on contributing to the Tor network ever more!
http://torstatus.all.de/router_detail.php?FP=f3c91bfb36cda08458a52a5f687ee0868b6f46d5
Awesome post. Really enjoyed reading your blog posts.
kthanx! Too bad though about 'your' referring URL, 'cause I almost bought it… *NOT* 😆
I really like your site. Excellent content. Please continue posting such profound content.
Thanks!
Straight to the point and well written! Why can’t everyone else be like this?
“Why can’t everyone else be like this?”
Imagine that you’re standing in front of a painting. What do you see?
A. Perhaps you see a very interesting plane of gray or perhaps that same plane has a few shades of gray?
B. You see a colorful representation of never ending combinations with an infinite variety?
I prefer B! 😉
I love your blog; I have it in my RSS reader and always like the new things coming up from it.
Then I most certainly hope you’re going to love this:
To quote from the email I just got from https://www.accessnow.org:
It would seem that we have just won “round 1“, but as you look at the petition you’ll see that we’re only halfway there!