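#!/bin/bash
# Torification helpers. This file is meant to be *sourced* into an
# interactive shell, not executed:
#   . ./this_file   -> runs Tor_enable: exports the proxy variables and
#                      defines torified aliases and ssh/scp/telnet wrappers
#   Tor_disable     -> undoes what Tor_enable did
#   torify_TCP      -> (root, Linux) iptables rules that push every outgoing
#                      TCP connection through Tor's TransPort
# Requirements: Privoxy or Polipo listening on 8118 or 8123 and forwarding
# to Tor (this script does not verify the proxy's own configuration),
# tor-resolve and torify; torify_TCP additionally needs iptables and
# iproute2.

#######################################
# Check whether a TCP listener is bound to a local port.
# Arguments: $1 - port number
# Returns:   0 if something listens on the port, 1 otherwise (also when
#            neither ss nor netstat is available; a warning is printed then)
#######################################
_tor_port_listening() {
  local port="$1"
  # Both tools print the local address as "addr:port" followed by whitespace;
  # the peer column of a listener ends in ":*", so it can never match.
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | grep -qE "[.:]${port}[[:space:]]"
  elif command -v netstat >/dev/null 2>&1; then
    netstat -tln 2>/dev/null | grep -qE "[.:]${port}[[:space:]]"
  else
    echo "Neither ss nor netstat found, cannot check for a listening proxy." >&2
    return 1
  fi
}

#######################################
# Network address of an IPv4 CIDR, e.g. 10.0.0.5/24 -> 10.0.0.0/24.
# Arguments: $1 - address or address/prefix (no prefix means /32)
# Outputs:   network/prefix on stdout
#######################################
_tor_cidr_network() {
  local spec="$1" ip prefix o1 o2 o3 o4 n mask
  ip="${spec%%/*}"
  if [ "${spec}" = "${ip}" ]; then
    prefix=32
  else
    prefix="${spec#*/}"
  fi
  IFS=. read -r o1 o2 o3 o4 <<< "${ip}"
  n=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
  # bash arithmetic is 64-bit, so a shift by up to 32 is well defined
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  n=$(( n & mask ))
  printf '%d.%d.%d.%d/%d\n' \
    $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) $(( (n >> 8) & 255 )) $(( n & 255 )) \
    "${prefix}"
}

#######################################
# Turn a dotted Tor version into a comparable integer
# (major*1000000 + minor*10000 + micro*100 + patch).
# Arguments: $1 - version like 0.4.8.9; missing trailing fields count as 0
# Outputs:   the integer on stdout
#######################################
_tor_version_number() {
  local major minor micro patch rest
  IFS=. read -r major minor micro patch rest <<< "$1"
  # 10# forces decimal so a field like "08" is not read as octal
  printf '%d\n' $(( 10#${major:-0} * 1000000 + 10#${minor:-0} * 10000 \
                    + 10#${micro:-0} * 100 + 10#${patch:-0} ))
}

#######################################
# Exact lookup of a hostname in /etc/hosts (name fields only, comments
# stripped). The old regex matched substrings and treated "." as a
# wildcard, so e.g. "example.comm" counted as present.
# Arguments: $1 - hostname
# Returns:   0 when listed, 1 otherwise (also when /etc/hosts is unreadable)
#######################################
_tor_in_hosts() {
  awk -v name="$1" '
    { sub(/#.*/, "") }
    { for (i = 2; i <= NF; i++) if ($i == name) { found = 1; exit } }
    END { exit !found }
  ' /etc/hosts 2>/dev/null
}

#######################################
# Resolve a hostname for the wrappers below without using the local
# resolver: /etc/hosts first, then tor-resolve through Tor.
# Arguments: $1 - hostname
# Outputs:   the address to hand to the program on stdout: $1 itself when
#            it is in /etc/hosts or when resolution failed, the IP otherwise
# Returns:   0 when resolved or found in /etc/hosts, 1 otherwise
#######################################
tor_resolve() {
  local name="$1" ip
  if _tor_in_hosts "${name}"; then
    printf '%s\n' "${name}"
    return 0
  fi
  printf 'Resolving %s through tor... ' "${name}" >&2
  ip="$( tor-resolve "${name}" 2>/dev/null )"
  if [ -z "${ip}" ]; then
    printf 'FAILED! \nPassing %s to program\n' "${name}" >&2
    printf '%s\n' "${name}"
    return 1
  fi
  printf '%s\n' "${ip}" >&2
  printf '%s\n' "${ip}"
  return 0
}

#######################################
# Run iptables and report a failure so a half-applied rule set is noticed.
# Arguments: iptables arguments
# Returns:   iptables' status
#######################################
_tor_ipt() {
  if ! iptables "$@"; then
    echo "iptables $* failed; rules may be only partially applied, check 'iptables -L' and 'iptables -t nat -L'." >&2
    return 1
  fi
}

#######################################
# Point the proxy environment variables at the local HTTP proxy and define
# torified aliases/wrappers.
# Globals:   exports http_proxy, HTTP_PROXY, https_proxy, HTTPS_PROXY;
#            defines aliases irssi, svn, bittorrent* and the functions
#            ssh, scp, telnet (each only when the program is installed)
# Returns:   0 on success, 1 when no proxy is listening
#######################################
Tor_enable() {
  local proxyport=8118 x
  # Several applications honour these environment variables already
  # (gpg, wget, curl), so an HTTP proxy in front of Tor is all they need.
  if ! _tor_port_listening 8118; then
    if _tor_port_listening 8123; then
      proxyport=8123
    else
      echo "No proxy running on ports 8118 or 8123! Please start Privoxy or Polipo!" >&2
      # 'return', not 'exit': this file is sourced, exit would close the shell
      return 1
    fi
  fi
  export http_proxy="http://localhost:${proxyport}"
  export HTTP_PROXY="${http_proxy}"
  export HTTPS_PROXY="${http_proxy}"
  export https_proxy="${http_proxy}"

  # irssi, a console IRC client
  hash irssi 2>/dev/null && alias irssi="torify $( type -P irssi )"
  # subversion
  hash svn 2>/dev/null && alias svn="torify $( type -P svn )"
  # BitTorrent clients take the proxy on the command line
  for x in bittorrent bittorrent-console bittorrent-curses launchmany-console launchmany-curses; do
    hash "${x}" 2>/dev/null && alias "${x}=$( type -P "${x}" ) --tracker_proxy '${http_proxy#http://}'"
  done

  # The wrappers below build an argument array instead of eval'ing a
  # quoted string, so arguments containing quotes or $ are passed verbatim.
  # Options are assumed to take one value unless listed as flags; joined
  # forms such as -p2222 are not recognized and will swallow the next word.

  if hash ssh 2>/dev/null; then
    #######################################
    # ssh through Tor. The host part of the first non-option argument is
    # replaced by what tor_resolve returns; everything after it (a remote
    # command) is passed through untouched instead of being resolved.
    #######################################
    ssh() {
      local -a cmd
      local arg ip host_seen=0
      cmd=( "$( type -P ssh )" )
      while (( $# > 0 )); do
        arg="$1"
        if (( host_seen )); then
          cmd+=( "${arg}" )
        elif [ "${arg:0:1}" = "-" ]; then
          case "${arg}" in
            -1|-2|-4|-6|-A|-a|-C|-f|-g|-k|-N|-n|-q|-s|-T|-t|-V|-v|-X|-x|-Y)
              cmd+=( "${arg}" )
              ;;
            *)
              # option with a value: take the following word as well
              if (( $# > 1 )); then
                cmd+=( "${arg}" "$2" )
                shift
              else
                cmd+=( "${arg}" )
              fi
              ;;
          esac
        elif [ "${arg//@}" != "${arg}" ]; then
          ip="$( tor_resolve "${arg##*@}" )"
          cmd+=( "${arg%%@*}@${ip}" )
          host_seen=1
        else
          ip="$( tor_resolve "${arg}" )"
          cmd+=( "${ip}" )
          host_seen=1
        fi
        shift
      done
      torify "${cmd[@]}"
    }
  fi

  if hash scp 2>/dev/null; then
    #######################################
    # scp through Tor. Every [user@]host:path argument gets its host
    # resolved by tor_resolve; plain paths are left alone.
    #######################################
    scp() {
      local -a cmd
      local arg spec user ip
      cmd=( "$( type -P scp )" )
      while (( $# > 0 )); do
        arg="$1"
        if [ "${arg:0:1}" = "-" ]; then
          case "${arg}" in
            -1|-2|-4|-6|-B|-C|-p|-q|-r|-v)
              cmd+=( "${arg}" )
              ;;
            *)
              if (( $# > 1 )); then
                cmd+=( "${arg}" "$2" )
                shift
              else
                cmd+=( "${arg}" )
              fi
              ;;
          esac
        elif [ "${arg//:}" != "${arg}" ]; then
          spec="${arg}"
          user=""
          if [ "${spec//@}" != "${spec}" ]; then
            user="${spec%%@*}@"
            spec="${spec#*@}"
          fi
          ip="$( tor_resolve "${spec%%:*}" )"
          cmd+=( "${user}${ip}:${spec#*:}" )
        else
          cmd+=( "${arg}" )
        fi
        shift
      done
      torify "${cmd[@]}"
    }
  fi

  if hash telnet 2>/dev/null; then
    #######################################
    # telnet through Tor. The first non-option argument is the host and is
    # resolved by tor_resolve; a following port is passed through.
    #######################################
    telnet() {
      local -a cmd
      local arg host=""
      cmd=( "$( type -P telnet )" )
      while (( $# > 0 )); do
        arg="$1"
        if [ "${arg:0:1}" = "-" ]; then
          case "${arg}" in
            -8|-E|-L|-a|-d|-r)
              cmd+=( "${arg}" )
              ;;
            *)
              if (( $# > 1 )); then
                cmd+=( "${arg}" "$2" )
                shift
              else
                cmd+=( "${arg}" )
              fi
              ;;
          esac
        elif [ -z "${host}" ]; then
          host="$( tor_resolve "${arg}" )"
          cmd+=( "${host}" )
        else
          cmd+=( "${arg}" )
        fi
        shift
      done
      torify "${cmd[@]}"
    }
  fi
  return 0
}

#######################################
# Undo Tor_enable: drop the proxy variables, aliases and wrappers.
# Returns:   0
#######################################
Tor_disable() {
  unset http_proxy HTTP_PROXY https_proxy HTTPS_PROXY
  unalias irssi svn bittorrent bittorrent-console bittorrent-curses launchmany-console launchmany-curses 2>/dev/null
  # -f: these are functions; a plain unset looks for variables first
  unset -f ssh scp telnet 2>/dev/null
  return 0
}

#######################################
# Transparently route all outgoing TCP through Tor's TransPort with
# iptables. Linux and root only; interactive (asks for the TransPort and
# whether to flush existing rules). Based on
# http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy
# Globals:   sets TOR_UID, TRANS_PORT and NON_TOR (left global as before)
# Returns:   0 on success, 1 on any failed precondition or iptables call
#######################################
torify_TCP() {
  local version idx dev fam cidr rest u yesno NET
  if [ "${EUID}" != "0" ]; then
    echo "torify_TCP needs root." >&2
    return 1
  fi
  if [ "$( uname )" != "Linux" ]; then
    echo "Sorry, this is only implemented on Linux so far (in this script, not in Tor)."
    return 1
  fi
  # TransPort exists only from 0.1.2.14 on. Newer Tor prints several lines
  # for --version, so pick the "Tor version X.Y.Z.W." line explicitly and
  # drop its trailing period.
  version="$( tor --version 2>/dev/null | awk '/^Tor version/ { sub(/\.$/, "", $3); print $3; exit }' )"
  if ! [[ "${version}" =~ ^[0-9]+(\.[0-9]+){0,3}$ ]]; then
    echo "Couldn't determine the installed Tor version." >&2
    return 1
  fi
  if (( $( _tor_version_number "${version}" ) < $( _tor_version_number 0.1.2.14 ) )); then
    echo "Your installed version of Tor is too old. You need at least 0.1.2.14 for this."
    return 1
  fi
  command -v ip >/dev/null 2>&1 || { echo "ip (iproute2) not found." >&2; return 1; }
  command -v iptables >/dev/null 2>&1 || { echo "iptables not found." >&2; return 1; }

  # destinations that must not go through Tor: every directly attached IPv4
  # network (loopback is handled separately below)
  NON_TOR=""
  # one address per line, e.g.
  #   1: lo    inet 127.0.0.1/8 scope host lo\ ...
  #   2: eth0  inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\ ...
  while read -r idx dev fam cidr rest; do
    [[ "${cidr}" == 127.* ]] && continue
    NON_TOR="${NON_TOR} $( _tor_cidr_network "${cidr}" )"
  done < <( ip -4 -o addr show 2>/dev/null )

  # the UID Tor runs as: try the usual account names (an earlier 'grep tor
  # /etc/passwd' could match unrelated users such as "operator"), then ask
  TOR_UID=""
  for u in tor debian-tor _tor toranon; do
    if TOR_UID="$( id -u "${u}" 2>/dev/null )"; then
      break
    fi
    TOR_UID=""
  done
  if [ -z "${TOR_UID}" ]; then
    printf "Couldn't get Tors UID. Please enter manually> "
    read -r TOR_UID
    TOR_UID="${TOR_UID//[^0-9]/}"
    if [ -z "${TOR_UID}" ]; then
      echo "No Tor UID. Exiting."
      return 1
    fi
  fi

  # Tor's TransPort
  printf "Please enter Tor's TransPort (or leave blank for 9040)> "
  read -r TRANS_PORT
  [ -z "${TRANS_PORT}" ] && TRANS_PORT="9040"
  if ! [[ "${TRANS_PORT}" =~ ^[0-9]+$ ]] || (( 10#${TRANS_PORT} < 1 || 10#${TRANS_PORT} > 65535 )); then
    echo "Invalid TransPort: ${TRANS_PORT}" >&2
    return 1
  fi

  # the owner match is xt_owner on current kernels, ipt_owner on old ones;
  # when it is built in neither module exists, so only warn
  if ! lsmod | grep -qE '^(xt|ipt)_owner'; then
    modprobe xt_owner 2>/dev/null || modprobe ipt_owner 2>/dev/null \
      || echo "Could not load the owner match module; iptables will try to autoload it." >&2
  fi

  printf 'Delete all iptables rules before applying Tor rules?> [n] '
  read -r yesno
  case "${yesno:0:1}" in
    y|Y)
      _tor_ipt -F || return 1
      _tor_ipt -t nat -F || return 1
      ;;
  esac

  # nat/OUTPUT: Tor's own traffic and local networks are left alone, every
  # other new TCP connection is sent to the TransPort. 127.192.0.0/10 is
  # deliberately not excluded here (the referenced wiki setup maps .onion
  # names into it via VirtualAddrNetwork -- confirm against your torrc).
  _tor_ipt -t nat -A OUTPUT -m owner --uid-owner "${TOR_UID}" -j RETURN || return 1
  # shellcheck disable=SC2086 -- NON_TOR is a space separated list
  for NET in ${NON_TOR} 127.0.0.0/9 127.128.0.0/10; do
    _tor_ipt -t nat -A OUTPUT -d "${NET}" -j RETURN || return 1
  done
  _tor_ipt -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination "127.0.0.1:${TRANS_PORT}" || return 1
  # filter/OUTPUT: only Tor, established flows and local networks may leave;
  # everything else, including UDP such as DNS, is rejected so it cannot
  # leak (DNS is not redirected to a DNSPort; the wrappers use tor_resolve)
  _tor_ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
  # shellcheck disable=SC2086 -- NON_TOR is a space separated list
  for NET in ${NON_TOR} 127.0.0.0/8; do
    _tor_ipt -A OUTPUT -d "${NET}" -j ACCEPT || return 1
  done
  _tor_ipt -A OUTPUT -m owner --uid-owner "${TOR_UID}" -j ACCEPT || return 1
  _tor_ipt -A OUTPUT -j REJECT || return 1
  return 0
}

Tor_enable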