How to force all network traffic through Tor on Fedora

DISCLAIMER: The most trustworthy information on this topic can be found on the Tor Project Wiki. Do not trust the advice on this blog if your life or well-being could be in danger. And you probably shouldn't trust Tor either. Or anyone.

Forcing all network traffic through Tor will hopefully reduce the chance of your anonymity being compromised by application-level issues that result in 'leaks'. Please note that the recommended way to browse the Internet anonymously is to use the Tor Browser Bundle, which is maintained by the Tor Project itself.

We will be using iptables to direct all DNS queries to the local Tor service's DNSPort, which can then anonymously resolve domain names. We will also redirect all TCP traffic to the Tor service's TransPort, which acts as a transparent proxy.

There are some things to bear in mind. No matter how bullet-proof your firewall rules are, applications can still inadvertently leak information. Browser fingerprinting and personal information leaks can compromise your anonymous identity, while DNS leaks can reveal your IP address. The Tor Browser Bundle has some mitigations to prevent such leaks from occurring.

First, add the following lines to your /etc/torrc:

AutomapHostsOnResolve  1
DNSPort                53530
TransPort              9040

Make sure SELinux allows Tor to bind to the transparent proxy port:

semanage port -a -t tor_port_t -p tcp 9040

Restart the Tor service:

systemctl restart tor.service

firewalld is the default firewall in Fedora. To use iptables instead, run the following commands:

systemctl disable firewalld.service
yum -y install iptables-services
systemctl enable iptables.service ip6tables.service

Now we can load the firewall rules. I've added some explanatory comments to these rules, but you'll need some basic knowledge of iptables if you want to customize the rules to your own requirements.

wget https://jamielinux.com/pub/2013/iptables.tor.txt
iptables-restore < iptables.tor.txt

Finally, navigate to https://check.torproject.org in your browser to check if everything is working.
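The rules file fetched above is the heart of the setup, so here is an added example (not the file from jamielinux.com, and not part of the original post) of a small script that generates an equivalent iptables-restore ruleset from the DNSPort and TransPort values configured in torrc. The uid of the Tor daemon must be exempted from the redirect, otherwise Tor's own connections to its guard relays would loop back into TransPort. The user name toranon is an assumption about Fedora's tor package; adjust TOR_USER if your daemon runs under a different account.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset that sends DNS to Tor's DNSPort and all
# other outbound TCP to Tor's TransPort, and drops everything else (no leaks).
# Added example; assumed account name of the Tor daemon on Fedora:
TOR_USER="${TOR_USER:-toranon}"

# tor_ruleset UID [DNS_PORT] [TRANS_PORT]
#   UID        - numeric uid of the Tor daemon (its traffic must bypass the redirect)
#   DNS_PORT   - Tor DNSPort from torrc (default 53530, as in the post)
#   TRANS_PORT - Tor TransPort from torrc (default 9040, as in the post)
# Prints the ruleset on stdout in iptables-restore format.
tor_ruleset() {
    uid="$1"
    dns_port="${2:-53530}"
    trans_port="${3:-9040}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The Tor daemon itself talks to the network directly
-A OUTPUT -m owner --uid-owner ${uid} -j RETURN
# Loopback traffic is left alone
-A OUTPUT -o lo -j RETURN
# Every DNS query (UDP/53) is handed to Tor's DNSPort
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports ${dns_port}
# Every new TCP connection goes through the transparent proxy
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports ${trans_port}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner ${uid} -j ACCEPT
# After REDIRECT the destination is 127.0.0.1; only the two Tor ports may be reached
-A OUTPUT -d 127.0.0.1 -p tcp --dport ${trans_port} -j ACCEPT
-A OUTPUT -d 127.0.0.1 -p udp --dport ${dns_port} -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage (as root):  sh tor-rules.sh --generate > iptables.tor.txt
#                   iptables-restore < iptables.tor.txt
case "${1:-}" in
    --generate)
        tor_uid=$(id -u "$TOR_USER") || { echo "user $TOR_USER not found" >&2; exit 1; }
        tor_ruleset "$tor_uid"
        ;;
esac
```

Anything that is neither TCP nor DNS (other UDP, ICMP) is dropped by the OUTPUT policy rather than leaking around Tor. The ruleset is IPv4 only; since the post also enables ip6tables.service, give that side a DROP policy too, otherwise an IPv6-capable application can bypass the redirect entirely.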

Comments

DDD | Aug 22, 2013

...but note that you need to run SSL. Otherwise Tor is a glorified man-in-the-middle proxy to a bad guy. Anonymity != Encryption

Jamie Nguyen | Aug 22, 2013

@DDD: Absolutely. Tor anonymizes, nothing more.

Stormy | May 09, 2014

Great tutorial. And how do I turn the torification on/off when needed? Would love to force all my VM traffic to go directly from Tor on the host and then further on in my chain of VPNs and proxies. Torification of the host is the most logical solution, but I also need the host to be able to communicate without Tor. Is the reversal process as easy as, say, SELinux (setenforce 0 / 1), or is it much more complicated to detorify all traffic again?

Jamie Nguyen | May 09, 2014

@Stormy: Instead of disabling firewalld.service and enabling iptables.service, you could instead just use iptables-restore to enable torification when needed. When you want to go back, run firewall-cmd --restore to reset the firewall to the default Fedora firewalld rules.

Edge-Case | Sep 08, 2014

@Stormy,
I am not sure if the project is still being maintained, but you might want to check out "whonix" if you want a VM that is routed completely through tor. It uses two VMs, one as the router and the other as the workstation.

Or maybe try using your PC as the gateway for your VMs combined with the info presented here. You just have to "echo 1 > /proc/sys/net/ipv4/ip_forward" as root to enable routing, and then possibly some manipulation of the routing tables; it's been a while since I have messed with using my PC as a router, so you might need to search the net for more info if you're not already familiar with it.

Good luck, and Thanks to Jamie for the tutorials.
