Disable IP forwarding

This commit is contained in:
Matéo Duparc 2024-09-04 23:03:43 +02:00
parent fd8c8c7763
commit 1aa5bb2bb7
Signed by: hardcoresushi
GPG Key ID: AFE384344A45E13A
2 changed files with 10 additions and 7 deletions


@ -1,7 +1,7 @@
# TorVirt # TorVirt
[Whonix](https://www.whonix.org)-like setup with a [libvirt](https://libvirt.org) workstation and a [podman](https://podman.io) container as the [Tor](https://torproject.org) gateway. [Whonix](https://www.whonix.org)-like setup with a [libvirt](https://libvirt.org) workstation and a [podman](https://podman.io) container as the [Tor](https://torproject.org) gateway.
![TorVirt illustration digram](images/diagram.svg) ![TorVirt illustration diagram](images/diagram.svg)
## What are the advantage of this project over original Whonix ? ## What are the advantage of this project over original Whonix ?
Whonix uses one VM for the workstation and another VM for the Tor gateway. This can be costly in terms of performance and resource usage. TorVirt improves on this by running the gateway in a lightweight container instead of a full VM. Whonix uses one VM for the workstation and another VM for the Tor gateway. This can be costly in terms of performance and resource usage. TorVirt improves on this by running the gateway in a lightweight container instead of a full VM.

torvirt

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
set -e set -euo pipefail
PROJECT_NAME="torvirt" PROJECT_NAME="torvirt"
CONTAINER_RT="podman" CONTAINER_RT="podman"
@ -24,7 +24,7 @@ ERROR_NOT_CONFIGURED=3
ERROR_ALREADY_RUNNING=4 ERROR_ALREADY_RUNNING=4
print_help() { print_help() {
echo -e "Usage: $0 <action> echo "Usage: $0 <action>
ACTIONS: ACTIONS:
c, configure Install dependencies, configure network and build gateway OCI image c, configure Install dependencies, configure network and build gateway OCI image
@ -33,7 +33,7 @@ ACTIONS:
} }
exit_with() { exit_with() {
echo $2 >&2 echo "$2" >&2
exit $1 exit $1
} }
@ -62,7 +62,7 @@ case $1 in
exit_with $ERROR_CANNOT_PRIVESC "Error: $PROJECT_NAME needs root access, but neither doas, sudo, pkexec nor su could be found." exit_with $ERROR_CANNOT_PRIVESC "Error: $PROJECT_NAME needs root access, but neither doas, sudo, pkexec nor su could be found."
fi fi
# check whether network and gateway have been configured # check whether network and gateway have been configured
if [ -z "$(virsh net-list --all | grep $NETWORK)" ]; then if ! virsh net-list --all | grep -q $NETWORK; then
exit_with $ERROR_NOT_CONFIGURED "Error: network $NETWORK not found. Did you run \"$PROJECT_NAME configure\" ?" exit_with $ERROR_NOT_CONFIGURED "Error: network $NETWORK not found. Did you run \"$PROJECT_NAME configure\" ?"
fi fi
output=$($CONTAINER_RT image ls -q -f reference=$IMG_NAME) output=$($CONTAINER_RT image ls -q -f reference=$IMG_NAME)
@ -79,11 +79,11 @@ case $1 in
fi fi
# start $NETWORK # start $NETWORK
network_started=$(virsh_get_field "Active") network_started=$(virsh_get_field "Active")
if [ $network_started = "no" ]; then if [ "$network_started" = "no" ]; then
virsh net-start $NETWORK virsh net-start $NETWORK
fi fi
# create gateway macvlan interface # create gateway macvlan interface
AS_ROOT ip link add $GW_IF link $(virsh_get_field "Bridge") type macvlan mode private AS_ROOT ip link add $GW_IF link "$(virsh_get_field "Bridge")" type macvlan mode private
# start gateway on wait.sh # start gateway on wait.sh
$CONTAINER_RT run --rm -itd --cap-drop=ALL --security-opt=no-new-privileges --name $GW_CONTAINER $IMG_NAME >/dev/null $CONTAINER_RT run --rm -itd --cap-drop=ALL --security-opt=no-new-privileges --name $GW_CONTAINER $IMG_NAME >/dev/null
pid=$($CONTAINER_RT inspect -f '{{.State.Pid}}' $GW_CONTAINER) pid=$($CONTAINER_RT inspect -f '{{.State.Pid}}' $GW_CONTAINER)
@ -98,6 +98,9 @@ case $1 in
AS_ROOT nsenter -t $pid -n iptables -t nat -A PREROUTING -i $GW_IF -p udp --dport $TOR_DNS_PORT -j REDIRECT --to-ports $TOR_DNS_PORT AS_ROOT nsenter -t $pid -n iptables -t nat -A PREROUTING -i $GW_IF -p udp --dport $TOR_DNS_PORT -j REDIRECT --to-ports $TOR_DNS_PORT
# redirect TCP to tor # redirect TCP to tor
AS_ROOT nsenter -t $pid -n iptables -t nat -A PREROUTING -i $GW_IF -p tcp --syn -j REDIRECT --to-ports $TOR_TRANS_PORT AS_ROOT nsenter -t $pid -n iptables -t nat -A PREROUTING -i $GW_IF -p tcp --syn -j REDIRECT --to-ports $TOR_TRANS_PORT
# disable IP forwarding to prevent leaking unhandled traffic
AS_ROOT nsenter -t $pid -n iptables -P FORWARD DROP
AS_ROOT nsenter -t $pid -n sysctl -q net.ipv4.ip_forward=0
# start tor # start tor
$CONTAINER_RT kill -s USR1 $GW_CONTAINER >/dev/null $CONTAINER_RT kill -s USR1 $GW_CONTAINER >/dev/null
$CONTAINER_RT attach $GW_CONTAINER $CONTAINER_RT attach $GW_CONTAINER
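Review bot: The forwarding lockdown added at the end of the last hunk is IPv4-only: `iptables -P FORWARD DROP` and `sysctl net.ipv4.ip_forward=0` leave `net.ipv6.conf.all.forwarding` and the ip6tables FORWARD policy at whatever the container namespace started with, so if IPv6 is enabled in that namespace, traffic arriving on `$GW_IF` over v6 could still be forwarded around Tor rather than dropped. I would add the v6 counterparts directly after the two new lines, `AS_ROOT nsenter -t $pid -n sysctl -q net.ipv6.conf.all.forwarding=0` and `AS_ROOT nsenter -t $pid -n ip6tables -P FORWARD DROP` (assuming ip6tables is present in the image; otherwise drop all v6 ingress on `$GW_IF`), and extend the new comment to `# disable IPv4/IPv6 forwarding to prevent leaking unhandled traffic`. Separately, the first hunk changes line 2 to `set -euo pipefail` while the shebang stays `#!/bin/sh`; `-o pipefail` is not implemented by every /bin/sh (older dash rejects it and, since `set` is a special builtin, the script would abort right there), so either move the shebang to bash or keep the portable `set -eu`. The enclosing `case $1 in` block begins and ends outside this hunk.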