author | Gaming4JC <g4jc@openmailbox.org> | 2017-02-26 10:56:41 -0500 |
---|---|---|
committer | Gaming4JC <g4jc@openmailbox.org> | 2017-02-26 10:56:41 -0500 |
commit | efa2afdf227ea5f566ffe86680acfa86a0db10d1 (patch) | |
tree | fc71a6e28a7f1bf5055a7ffa6ef60cc602b78af4 /nonprism/tor-hardened-preferences/tor-hardened-preferences.install | |
parent | 2a9589c6f6f44d9c9792a3566d8418e38636dd91 (diff) | |
add tor-hardened-preferences to nonprism
Diffstat (limited to 'nonprism/tor-hardened-preferences/tor-hardened-preferences.install')
-rw-r--r-- | nonprism/tor-hardened-preferences/tor-hardened-preferences.install | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/nonprism/tor-hardened-preferences/tor-hardened-preferences.install b/nonprism/tor-hardened-preferences/tor-hardened-preferences.install
new file mode 100644
index 000000000..21c1d9f08
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/tor-hardened-preferences.install
@@ -0,0 +1,81 @@
+pre_install() {
+ echo "Cleaning any old chroots before installing a new one..."
+ rm -rf /opt/torchroot
+}
+
+post_install() {
+ echo "Installing a new chroot ... "
+ /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"
+ wait
+ echo "Done!"
+ echo "====="
+ echo "To use this service please disable tor.service"
+ echo "then enable/start tor-hardened.service via systemctl."
+ echo "----"
+ echo "You may now use stream isolated ports for added security."
+ echo "Please configure your applications as follows:"
+ echo "Default Port: 9050"
+ echo "Mail Client isolated port: 9061"
+ echo "Browser isolated port: 9150"
+ echo "Other applications you want isolated: 9062"
+ echo "----"
+ echo "To use TOR as your DNS resolver:"
+ echo "Place ONLY this line into /etc/resolv.conf:"
+ echo "nameserver 127.0.0.1"
+ echo "Apply the following firewall rules:"
+ echo "iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "----"
+ echo "To request new IP from TOR:"
+ echo "killall -HUP tor"
+ echo "---"
+ echo "Advanced usage, not recommended:"
+ echo "To torify ALL TCP traffic, you can use TorTransport without stream isolation:"
+ echo "iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040"
+ echo "WARNING: UDP traffic may still leak! All traffic goes through single port. Apply additional iptables rules as you see fit."
+ echo "====="
+}
+
+post_upgrade() {
+ systemctl stop tor-hardened
+ echo "Cleaning old chroot and putting in a new one..."
+ rm -rf /opt/torchroot
+ wait
+ /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"
+ wait
+ echo "Done!"
+ echo "====="
+ echo "To use this service please disable tor.service"
+ echo "then enable/start tor-hardened.service via systemctl."
+ echo "----"
+ echo "You may now use stream isolated ports for added security."
+ echo "Please configure your applications as follows:"
+ echo "Default Port: 9050"
+ echo "Mail Client isolated port: 9061"
+ echo "Browser isolated port: 9150"
+ echo "Other applications you want isolated: 9062"
+ echo "----"
+ echo "To use TOR as your DNS resolver:"
+ echo "Place ONLY this line into /etc/resolv.conf:"
+ echo "nameserver 127.0.0.1"
+ echo "Apply the following firewall rules:"
+ echo "iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "----"
+ echo "To request new IP from TOR:"
+ echo "killall -HUP tor"
+ echo "---"
+ echo "Advanced usage, not recommended:"
+ echo "To torify ALL TCP traffic, you can use TorTransport without stream isolation:"
+ echo "iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040"
+ echo "WARNING: UDP traffic may still leak! All traffic goes through single port. Apply additional iptables rules as you see fit."
+ echo "====="
+ systemctl daemon-reload
+}
+
+post_remove() {
+ echo "Deleting chroot..."
+ rm -rf /opt/torchroot
+ wait
+ echo "Done!"
+}
\ No newline at end of file |
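Review bot: The exit status of `/usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"` is never checked in post_install or post_upgrade, so a failed chroot build still prints "Done!" and the full usage banner and the scriptlet exits zero, leaving a half-built /opt/torchroot that tor-hardened.service will later try to use. The `wait` calls after that command and after `rm -rf` are no-ops because nothing is backgrounded, and post_remove deletes the chroot without stopping tor-hardened first (post_upgrade does stop it), so a still-running chrooted daemon can have its root removed underneath it. post_upgrade also stops the service and never starts it again; if that is deliberate, a comment such as `# left stopped on purpose: the user must re-enable tor-hardened.service after reviewing the new chroot` would save the next maintainer from "fixing" it. The thirty-line banner is duplicated verbatim in post_install and post_upgrade, so the two copies will drift apart. The shape I would use is below: the banner moved into one helper, the build script's failure propagated to pacman, and a pre_remove hook that stops the service before post_remove deletes the chroot.
```shell
# Print the usage banner once so post_install and post_upgrade cannot drift apart.
_print_usage() {
    # … unchanged: the echo lines from the first "=====" through the last "=====" …
}

# Build the chroot; a non-zero exit reaches pacman instead of being hidden behind "Done!".
_build_chroot() {
    /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh" || {
        echo "torchroot.sh failed; /opt/torchroot is incomplete" >&2
        return 1
    }
}

post_install() {
    echo "Installing a new chroot ... "
    _build_chroot || return 1
    echo "Done!"
    _print_usage
}

post_upgrade() {
    systemctl stop tor-hardened
    echo "Cleaning old chroot and putting in a new one..."
    rm -rf /opt/torchroot
    _build_chroot || return 1
    echo "Done!"
    _print_usage
    systemctl daemon-reload
}

# Stop the chrooted daemon before post_remove deletes its root directory.
pre_remove() {
    systemctl stop tor-hardened
}
```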