Summary

Tor can be configured on a middlebox so that it resolves the LAN's DNS requests through Tor and routes all of the LAN's TCP traffic over Tor. This differs from running Vidalia and the Tor Browser because the traffic is redirected transparently by the gateway, so any browser or application behind it can be used without Tor-specific configuration. We have been using it for quite some time now with great results.

For a setup that will allow you to browse both .onion and .i2p domains, see the proxy chaining page.

Configuring Tor

torrc is the main configuration file, usually residing at /etc/tor/torrc. The necessary additions are:

TransPort 9040
TransListenAddress 192.168.5.1
DNSPort 9053
DNSListenAddress 192.168.5.1

where 192.168.5.1 is the IP address of the gateway. With these settings Tor accepts transparently redirected TCP connections on port 9040 and DNS queries on port 9053, both on the gateway's LAN address.

Firewall

The firewall needs to redirect ordinary DNS and TCP traffic arriving from the LAN to the Tor ports:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040

where eth0 is the local LAN interface.

A local IP address can be excluded by using the negated -s source matcher. For example:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 ! -s 192.168.5.10 -j REDIRECT --to-ports 9053
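The rules above, collected into one script as an added example that is not part of the original page: it generates the nat rules (bypass hosts first, then the gateway's own address, then the two REDIRECTs from the page), adds a FORWARD drop so that traffic Tor cannot carry does not leave the gateway un-torified, and only applies anything when TOR_APPLY=1. The address, interface, ports and excluded host are assumptions copied from the page's examples; the TOR_APPLY switch and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original page: build the iptables rules for a
# transparent Tor gateway and print them for review, applying them only when
# TOR_APPLY=1. All values are assumptions taken from the page's examples and
# can be overridden from the environment.
GW_IP="${GW_IP:-192.168.5.1}"          # gateway's LAN address (Tor listens here)
LAN_IF="${LAN_IF:-eth0}"               # LAN-facing interface
TRANS_PORT="${TRANS_PORT:-9040}"       # Tor TransPort
DNS_PORT="${DNS_PORT:-9053}"           # Tor DNSPort
EXCLUDE="${EXCLUDE:-192.168.5.10}"     # space-separated LAN hosts that bypass Tor

# nat/PREROUTING rules, one command per line. Order matters: the nat table
# stops at the first matching target, so the bypass rules come before the
# catch-all REDIRECTs.
tor_nat_rules() {
    for host in $EXCLUDE; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $host -j RETURN"
    done
    # Connections to the gateway itself (SSH, the Tor ports, ...) must not be
    # pushed into Tor, or the box becomes unreachable from the LAN.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -d $GW_IP -j RETURN"
    # UDP DNS -> DNSPort; only the SYN of each TCP connection -> TransPort
    # (conntrack maps the rest of the flow automatically).
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
}

# Tor only carries TCP (plus the DNS queries handed to DNSPort). Redirected
# packets are delivered locally, so anything still in FORWARD from the LAN is
# traffic Tor cannot carry (other UDP, ICMP): drop it rather than leak it.
leak_filter_rules() {
    for host in $EXCLUDE; do
        echo "iptables -A FORWARD -i $LAN_IF -s $host -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $LAN_IF -j DROP"
}

all_rules() {
    tor_nat_rules
    leak_filter_rules
}

if [ "${TOR_APPLY:-0}" = 1 ]; then
    all_rules | sh -e        # run each generated command, stop on first failure
else
    all_rules                # dry run: just show what would be applied
fi
```

Run it without TOR_APPLY to review the generated commands; with TOR_APPLY=1 as root they are executed in order. The bypass rule for the gateway's own address matters because the page's `--syn` rule on its own also catches SSH sessions to the gateway and hands them to Tor, which refuses connections to private addresses. Note also that newer Tor releases deprecate TransListenAddress and DNSListenAddress in favour of the combined forms `TransPort 192.168.5.1:9040` and `DNSPort 192.168.5.1:9053`; whichever form is used, the ports must match TRANS_PORT and DNS_PORT above.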