pre_install() {
  # A fresh install must not inherit a stale chroot tree left behind by an
  # earlier installation, so the directory is dropped here and rebuilt by
  # torchroot.sh in post_install. The path is a fixed literal, not user input.
  printf '%s\n' "Cleaning any old chroots before installing a new one..."
  rm -rf -- /opt/torchroot
}
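post_install() {
  # Builds the tor chroot with the packaged helper script and then prints the
  # one-time configuration notes (ports, DNS, firewall hints) for the admin.
  # The notes are guidance only; nothing below changes resolv.conf or iptables.
  # Returns: non-zero when the chroot build fails, so pacman reports the error
  #   instead of the script claiming success.
  echo "Installing a new chroot ... "
  # The helper runs in the foreground, so there is nothing to `wait` for; its
  # exit status is the only signal that the chroot was actually created.
  if ! /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"; then
    echo "ERROR: /opt/tor-hardened-scripts/torchroot.sh failed; chroot was not installed." >&2
    return 1
  fi
  echo "Done!"
  # Quoted delimiter: the text is emitted verbatim (no $ or backtick expansion).
  cat <<'EOF'
=====
To use this service please disable tor.service
then enable/start tor-hardened.service via systemctl.
----
You may now use stream isolated ports for added security.
Please configure your applications as follows:
Default Port: 9050
Mail Client isolated port: 9061
Browser isolated port: 9150
Other applications you want isolated: 9062
----
To use TOR as your DNS resolver:
Place ONLY this line into /etc/resolv.conf:
nameserver 127.0.0.1
Apply the following firewall rules:
iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053
iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053
----
To request new IP from TOR:
killall -HUP tor
---
Advanced usage, not recommended:
To torify ALL TCP traffic, you can use TorTransport without stream isolation:
iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040
WARNING: UDP traffic may still leak! All traffic goes through single port. Apply additional iptables rules as you see fit.
=====
EOF
}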
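post_upgrade() {
  # Replaces the chroot with one built from the freshly installed package
  # files, then reloads systemd so an updated unit file takes effect.
  # The service is stopped first: deleting the chroot tree under a running tor
  # would leave the daemon with a half-removed jail.
  # Returns: non-zero when the service is still running after the stop request
  #   or when the chroot build fails; otherwise the status of daemon-reload.
  systemctl stop tor-hardened
  # A failed stop (e.g. a hung unit) must not lead to rm -rf of a live chroot.
  # When systemd is not running (chroot/container install) is-active fails too,
  # and the rebuild proceeds exactly as before.
  if systemctl is-active --quiet tor-hardened; then
    echo "ERROR: tor-hardened.service is still active; leaving existing chroot untouched." >&2
    return 1
  fi
  echo "Cleaning old chroot and putting in a new one..."
  rm -rf -- /opt/torchroot
  # Foreground call, so no `wait` is needed; check the exit status instead of
  # unconditionally printing "Done!".
  if ! /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"; then
    echo "ERROR: /opt/tor-hardened-scripts/torchroot.sh failed; chroot was not rebuilt." >&2
    return 1
  fi
  echo "Done!"
  # Quoted delimiter: the text is emitted verbatim (no $ or backtick expansion).
  cat <<'EOF'
=====
To use this service please disable tor.service
then enable/start tor-hardened.service via systemctl.
----
You may now use stream isolated ports for added security.
Please configure your applications as follows:
Default Port: 9050
Mail Client isolated port: 9061
Browser isolated port: 9150
Other applications you want isolated: 9062
----
To use TOR as your DNS resolver:
Place ONLY this line into /etc/resolv.conf:
nameserver 127.0.0.1
Apply the following firewall rules:
iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053
iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053
----
To request new IP from TOR:
killall -HUP tor
---
Advanced usage, not recommended:
To torify ALL TCP traffic, you can use TorTransport without stream isolation:
iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040
WARNING: UDP traffic may still leak! All traffic goes through single port. Apply additional iptables rules as you see fit.
=====
EOF
  systemctl daemon-reload
}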
post_remove() {
  # The chroot is generated at install time rather than shipped in the
  # package, so pacman does not track its files; remove the tree explicitly.
  # Nothing is backgrounded here, so there is no job to wait for.
  printf '%s\n' "Deleting chroot..."
  rm -rf -- /opt/torchroot
  printf '%s\n' "Done!"
}