
I'd like to route all the traffic through iptables NAT in Linux; I'd like to route all the traffic through Tor.

My script is accepting only TCP and UDP protocols, but I need to route all the protocols through NAT.

And I need to allow sending invalid packets.

Here is my bash script:

#!/bin/bash

# flush iptables
iptables -F
iptables -t nat -F

# colours used by the status message below (were undefined before)
GREEN="\033[0;32m"
BLUE="\033[0;34m"

# Tor's UID
TOR_UID="debian-tor"

# Tor's TransPort
TOR_PORT="9040"

# Destinations you don't want routed through Tor
TOR_EXCLUDE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"

# point the resolver at Tor's local DNSPort first, FrozenDNS as fallback
cp /etc/resolv.conf /etc/resolv.conf.bak
touch /etc/resolv.conf
echo -e 'nameserver 127.0.0.1\nnameserver 92.222.97.144\nnameserver 92.222.97.145' > /etc/resolv.conf
echo -e " $GREEN*$BLUE Modified resolv.conf to use Tor and FrozenDNS"

# set iptables nat
# Tor's own traffic is left alone; all rules below apply to other users
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
# DNS queries go to the local DNSPort (assumes Tor's DNSPort listens on 127.0.0.1:53)
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 53
# redundant: Tor's UID already hit the RETURN rule above
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 53

#resolve .onion domains mapping 10.192.0.0/10 address space (Tor's virtual address range)
iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT
iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT

#exclude local addresses (127.192.0.0/10 is left out of the list, so it stays redirectable)
for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do
    iptables -t nat -A OUTPUT -d $NET -j RETURN
done

#redirect all other output through TOR
# TransPort carries TCP only; UDP and ICMP redirected here are not forwarded by Tor
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT
iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT
iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT

#accept already established connections
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#exclude local addresses
for NET in $TOR_EXCLUDE 127.0.0.0/8; do
    iptables -A OUTPUT -d $NET -j ACCEPT
done

#allow only tor output, reject everything else
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT

For example, if I use the nmap network scanner, it simply does not work because it uses other protocols and sends invalid packets to the target. But with proxychains it is possible to make it work through the Tor network, but only not in multi-threaded asynchronous mode, and it still sends some packets not through proxychains, so it is not the case.

Could anyone help me make this work?

0 Answers
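As an added example (not from the post above, and not Tor project code), here is a dry-run generator for the same kind of rule set written from the leak-prevention side: Tor's TransPort carries TCP streams only and its DNSPort answers DNS, so instead of redirecting UDP and ICMP into a port that cannot carry them, the filter chain drops whatever the nat chain did not redirect, and nothing leaves the host outside Tor. The IPT dry-run switch, the DNS_PORT value 5353 (assumed "DNSPort 5353" in torrc) and the function names are assumptions.

```shell
#!/bin/sh
# Dry-run generator for a leak-resistant Tor transparent-proxy rule set (added example).
# IPT defaults to "echo iptables" so the rules are printed; IPT=iptables applies them.
# Assumed torrc: "TransPort 9040" and "DNSPort 5353"; Tor runs as user $TOR_UID.
IPT="${IPT:-echo iptables}"
TOR_UID="${TOR_UID:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"
TOR_EXCLUDE="${TOR_EXCLUDE:-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"

tor_nat_rules() {
    # Tor's own connections leave untouched; they must never be redirected back into Tor.
    $IPT -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
    # Every DNS query (UDP or TCP) goes to Tor's DNSPort before any exclusion applies,
    # so a LAN resolver inside TOR_EXCLUDE cannot become a DNS leak.
    $IPT -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    for net in $TOR_EXCLUDE 127.0.0.0/8; do
        $IPT -t nat -A OUTPUT -d "$net" -j RETURN
    done
    # TransPort speaks TCP only: redirect new TCP connections and nothing else.
    $IPT -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
}

tor_filter_rules() {
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in $TOR_EXCLUDE 127.0.0.0/8; do
        $IPT -A OUTPUT -d "$net" -j ACCEPT
    done
    $IPT -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
    # Whatever was not redirected above (other UDP, ICMP, raw or invalid packets)
    # is dropped here instead of leaving the host in the clear.
    $IPT -A OUTPUT -j DROP
}

# Self-check on the printed rules: no REDIRECT of a protocol TransPort cannot carry,
# and the filter chain must end in DROP or REJECT so nothing bypasses Tor.
check_rules() {
    rules=$(IPT="echo iptables"; tor_nat_rules; tor_filter_rules)
    printf '%s\n' "$rules" | grep -Eq -- "-p (udp|icmp) .*--to-ports $TRANS_PORT" && return 1
    printf '%s\n' "$rules" | tail -n 1 | grep -Eq -- '-j (DROP|REJECT)$' || return 1
    return 0
}

check_rules && echo "ruleset ok"
```

Run it once without IPT set to review the printed rules, then with IPT=iptables as root to apply them.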