So you want to browse anonymously and help others to achieve the same goal!?

Updated today: Thursday, November 17, 2011
Reason: Script should be near perfect, i.e. bulletproof and foolproof. If not? Then I’m only an email away. 😉

Republished again today: Wednesday, November 09, 2011 <– Thus qualifies as a *bump*
The MAIN reason.

The title also refers to making relays better accessible.

The simplest and best solution I can think of is: For you to visit their website https://www.torproject.org/ and read up on what Tor can and cannot do for you!

When you’re convinced of the benefits of anonymous browsing, then…

Click on the Download Tor link, select your platform and be off on your merry way! 😆 Yes folks that is all there is to it.


But

While the info above is enough for the above-average Tor user, I felt the need to write a script for those of us who wish to make ‘advanced’ use of Tor’s capabilities while at the same time making sure that our relay can actually be reached by those who need it the most!

‘Advanced’ refers to being able to change your sources.list in either Debian or Ubuntu, and thus being able to configure a relay either in a graphical fashion or the manual “hard” way on your own.

I got my info from here and I wanted to simplify matters.
How can I make my relay accessible to people stuck behind restrictive firewalls?

Based on my platform of preference, this will only work for G.Linux but feel free to add your own (ask nicely and I’ll add it in.) This script can be used in conjunction with the iptables howto I wrote earlier. If NOT, then be sure to replace the ‘tobesortedout’ chain with ‘INPUT’ (default) or your own (if defined?).

Modified: Today (20 Nov. 2011) by E.L.F.
Reason: Completely rewritten and should prove to be satisfactory. If not!? 😉

The Port forwarding Script goes here:
Available as a Demo only, on this page.

#!/bin/bash
# Modified: Today by E.L.F.
#
## Licensed as:
## http://www.opensource.org/licenses/mit-license.php
#
## Script-name - Pf.Tor.sh
#
## Define some colors first:
RED="\033[0;31m"
BLUE="\033[1;34m"
CYAN="\033[1;36m"
YELLOW="\033[1;33m"
NC="\033[0m" # No Color
## --> Nice. Has the same effect as using "ansi.sys" in DOS.
set -e
#if [ "$USER" != root ];then
#  echo -e "${RED}\tError:${CYAN} \"$USER\"${YELLOW} isn't allowed to use this script!${NC}";exit 1
#else
#  echo -e "${BLUE}\t$USER may proceed.\n\t${CYAN}May peace be with you.${NC}"
#  echo
#fi
clear
SCRIPT=$(basename "$0")
## Trying to be "standard compliant" here.
if [ ! -f /etc/iptables.rules ]
then
  echo -e "${YELLOW}\tYou haven't created a firewall as per the author's instructions.${NC}"
  echo -e "${YELLOW}\tPlease create the file mentioned or point this script to the one you use instead.${NC}"
  exit 1
else
  echo
  echo -e "${BLUE}\tEverything's OK.${NC}"
fi
clear
## It is always useful to know one's internal IP address.
echo -e "*-------------------------------${CYAN}${SCRIPT}${NC}----------------------------------*"
## The default gateway ("router") is the 0.0.0.0 line of the routing table.
WAN=$(netstat -r -n | sed -e "s/^0\.0\.0\.0 *\([0-9.]*\).*/\1/p" -e d)
echo -e "${BLUE}\tYour router's IP address is: ${NC}"
echo -e "${CYAN}\t$WAN${NC}"
## The interface carrying the default route, then its inet address.
IFACE=$(netstat -r -n | sed -e "s/^0\.0\.0\.0 *.* \([^ ]*\)/\1/p" -e d)
LAN=$(ifconfig "$IFACE" | sed -e 's/ *inet addr:\([0-9.]*\).*/\1/p' -e d)
echo -e "${BLUE}\tYour IP address is: ${NC}"
echo -e "${CYAN}\t$LAN${NC}"
echo "*--------------------------------------------------------------------------*"
echo
MIN=2
MAX=4
usage() {
  echo -e "${YELLOW}\tThe ${CYAN}$SCRIPT${YELLOW} script needs either $MIN or $MAX options.${NC}"
  echo -e "${YELLOW}\tUsage:${CYAN} $SCRIPT 443 9001${YELLOW} or ${CYAN}$SCRIPT 443 9001 80 9030${NC}"
  echo -e "${RED}\tWARNING${YELLOW}: For any port chosen under 20 this script will${CYAN} EXIT${YELLOW}!${NC}"
  exit 1
}
## A pair is "public port" + "port Tor really listens on": the public one must
## be privileged (20-1024) and the Tor one unprivileged (1025 or higher).
check_pair() {
  if [[ ! "$1" =~ ^[0-9]+$ ]] || [[ ! "$2" =~ ^[0-9]+$ ]];then
    echo -e "${YELLOW}\tOnly numerical input is allowed.\n\tE.g.:${CYAN} 443 9001 80 9030${NC}";exit 1;fi
  if [ "$1" -lt 20 ];then echo -e "${YELLOW}\tPorts can't be less than 20!${NC}";exit 1;fi
  if [ "$1" -ge 1025 ] || [ "$2" -le 1024 ];then
    echo -e "${YELLOW}\tThe public port must be 20-1024 and the Tor port 1025 or higher, not: $1 $2${NC}";exit 1;fi
}
if [ "$#" -eq "$MAX" ];then
## Assume BOTH.
  check_pair "$1" "$2";check_pair "$3" "$4"
  RELAY="$1";ORPORT="$2";DIR="$3";DIRPORT="$4";NODIR=NO
elif [ "$#" -eq "$MIN" ];then
## Assume ORPORT only.
  check_pair "$1" "$2"
  RELAY="$1";ORPORT="$2";NODIR=YES
else
  usage
fi
## Demo: the rules are only displayed. Per listening port: reject a /24 that
## already holds 16 connections, rate-limit NEW connections, then DNAT the
## public port to the port Tor listens on.
echo -e "${CYAN}iptables -I tobesortedout 3 -i eth0 -p tcp -m tcp --dport $ORPORT --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT --reject-with tcp-reset${NC}"
echo -e "${CYAN}iptables -I tobesortedout 4 -i eth0 -p tcp -m tcp --dport $ORPORT -m state --state NEW -m limit --limit 20/sec --limit-burst 40 -j ACCEPT${NC}"
echo -e "${CYAN}iptables -t nat -A PREROUTING -p tcp -d $LAN --dport $RELAY -j DNAT --to-destination $LAN:$ORPORT${NC}"
echo -e "${CYAN}iptables -t nat -A OUTPUT -p tcp -d $WAN --dport $RELAY -j DNAT --to-destination $LAN:$ORPORT${NC}"
if [ "$NODIR" = NO ];then
  echo -e "${CYAN}iptables -I tobesortedout 5 -i eth0 -p tcp -m tcp --dport $DIRPORT --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT --reject-with tcp-reset${NC}"
  echo -e "${CYAN}iptables -I tobesortedout 6 -i eth0 -p tcp -m tcp --dport $DIRPORT -m state --state NEW -m limit --limit 20/sec --limit-burst 40 -j ACCEPT${NC}"
  echo -e "${CYAN}iptables -t nat -A PREROUTING -p tcp -d $LAN --dport $DIR -j DNAT --to-destination $LAN:$DIRPORT${NC}"
fi
exit 0

Usage: Only numerical input is allowed!
(Don’t choose a port under 20; it will make this script exit.)

## Usage: Only numerical input is allowed!
## Don't choose a port under 20 it will make this script exit.
# Pf.tor.sh "relay" "orport" "dir" "dirport"
# Standalone to see its usage.
./Pf.tor.sh
# Or-port only.
# Therefore only two arguments.
./Pf.tor.sh 443 9001
# Both Or and Dir-port
# Therefore only four arguments.
./Pf.tor.sh 443 9001 80 9030
#
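Since the script only displays its iptables commands, here is an added example (not the author's script) that performs the same port checks and prints the rules in iptables-restore format, ready to be merged into the *filter and *nat sections of the /etc/iptables.rules file the script looks for. The interface, the LAN address (a constructed sample) and the chain name are assumptions; the script's extra OUTPUT rule for locally generated traffic is left out.

```shell
#!/bin/bash
# Added example, not the author's Pf.tor.sh: same checks, output as an
# iptables-restore fragment. IFACE, LAN and CHAIN are assumptions; the
# address is a constructed sample, override any of them via the environment.
IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.1.10}"
CHAIN="${CHAIN:-tobesortedout}"   # use INPUT if you don't have that chain

# is_port NAME VALUE LO HI: numeric and inside [LO,HI], else complain and fail.
is_port() {
  case "$2" in ''|*[!0-9]*) echo "$1: '$2' is not a number" >&2; return 1;; esac
  [ "$2" -ge "$3" ] && [ "$2" -le "$4" ] && return 0
  echo "$1: $2 must be between $3 and $4" >&2; return 1
}

# Filter rules for one listening port, as in the original script: reject when
# a /24 already holds 16 connections, then rate-limit NEW connections.
filter_rules() {
  printf '%s\n' "-A $CHAIN -i $IFACE -p tcp -m tcp --dport $1 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT --reject-with tcp-reset"
  printf '%s\n' "-A $CHAIN -i $IFACE -p tcp -m tcp --dport $1 -m state --state NEW -m limit --limit 20/sec --limit-burst 40 -j ACCEPT"
}

# pf_tor_rules PUBLIC ORPORT [PUBLIC_DIR DIRPORT]: public ports 20..1024,
# Tor's real ports 1025..65535. Prints *filter and *nat blocks; returns 1 on bad input.
pf_tor_rules() {
  [ $# -eq 2 ] || [ $# -eq 4 ] || { echo "usage: pf_tor_rules PUBLIC ORPORT [PUBLIC_DIR DIRPORT]" >&2; return 1; }
  is_port relay "$1" 20 1024 && is_port orport "$2" 1025 65535 || return 1
  if [ $# -eq 4 ]; then
    is_port dir "$3" 20 1024 && is_port dirport "$4" 1025 65535 || return 1
  fi
  echo '*filter'
  filter_rules "$2"
  [ $# -eq 4 ] && filter_rules "$4"
  echo 'COMMIT'
  echo '*nat'
  printf '%s\n' "-A PREROUTING -p tcp -d $LAN --dport $1 -j DNAT --to-destination $LAN:$2"
  [ $# -eq 4 ] && printf '%s\n' "-A PREROUTING -p tcp -d $LAN --dport $3 -j DNAT --to-destination $LAN:$4"
  echo 'COMMIT'
}

# Example: pf_tor_rules 443 9001 80 9030, paste each block's lines into the
# matching table of /etc/iptables.rules, then (as root) iptables-restore < /etc/iptables.rules
```

Keep the filter lines in the same position relative to your other rules as the script does (it inserts them at positions 3 and 4 of the chain), and do not append a second *filter block to the file: iptables-restore flushes a table each time it meets its header.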

Now about those color definitions used in the script above:
(These start around line 10)

## For these colors to work either keep the next 5 lines.
RED="\033[0;31m"
BLUE="\033[1;34m"
CYAN="\033[1;36m"
YELLOW="\033[1;33m"
NC="\033[0m"              # No Color
#
## OR...
#
## Paste the following lines in your ~/.bashrc file for a more 'global feel'. ; - )
## (At the bottom is recommended.)
## Do uncomment those first before resourcing your ~/.bashrc file. ; - )
## http://tldp.org/LDP/abs/html/sample-bashrc.html
## Define some colors first:
RED="\033[0;31m"
export RED
BLUE="\033[1;34m"
export BLUE
CYAN="\033[1;36m"
export CYAN
YELLOW="\033[1;33m"
export YELLOW
NC="\033[0m"              # No Color
export NC
# --> Nice. Has the same effect as using "ansi.sys" in DOS.
## Don't forget to resource your bashrc file!

This script can of course easily be edited for other “port-forwarding” purposes (for now it only sets up your iptables to function properly as a Tor relay). And yes, you have to uncomment all featured commands for them to work.

Why? Because to me, scripts that have to be run as root are demos only! Or… you can take a look here for a live version. 😉

Please also note the “Pf.tor.sh.txt.asc” file. It means that you can verify that I made this script:

How?

gpg --verify Pf.tor.sh.txt.asc Pf.tor.sh.txt

But remember!
Despite my efforts to code properly!
(When in doubt always shout…) 😆

## What I've written:
## IS PROVIDED "AS IS",
## WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
## INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
## FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
## IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDER(S)
## BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
## WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
## ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
## OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
## For more: http://www.opensource.org/licenses/mit-license.php

See the gallery for a visual representation of the above mentioned script.
(Hiding my internal IP in these pictures, which I did NOT do, would merely have been a “security through obscurity” trick.)

A working example of what one could accomplish with this script can be seen here.

Also, I might or might not enhance my script even further by automatically adding or editing the appropriate stanzas in the ‘torrc’ file, so one only has to run this script once, restart Tor and be off to a good start. <– Maybe!?