· 7 years ago · Jan 18, 2019, 08:38 PM
0) create anon user in anon group.

Follow these instructions: https://pastebin.com/fzrLPMgV putting anon in the pulse-audio group. Having a systemwide sound server lets multiple users play sound. You want sound while browsing tor don't you?

Add this to your ( not anon's ) .profile
# allow other users to use the x display via non-network connections.
xhost +local:

1) install tor. sudo apt-get install tor

$ sudo vi /etc/tor/torrc


This is loosely based on some other instructions I found

I added this to the torrc file:

VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5353

Also I uncommented these lines because why not?

ControlPort 9051
CookieAuthentication 1


$ sudo service tor restart

# Bye ufw. I loved thee, but you don't do nat in an obvious way.
$ sudo apt-get remove ufw

$ sudo apt-get remove iptables-persistent # unfortunately I couldn't get this to do a blasted thing. No documentation


######################################
# Now create /etc/iptables-rules and /etc/ip6tables-rules like so:
#
# ip6tables-rules sets ip6tables to drop incoming connections and allow outgoing connections except that it
# drops all tcp and udp traffic owned by the anon user. Is there any other kind of traffic we should be
# dropping for IPv6? This ought to be the lion's share.
#
# iptables-rules sets iptables to drop incoming connections and allow outgoing connections.
# If anon owns the traffic and it is outgoing on a non-lo (non-loopback) interface it gets sent through
# tor's TransPort.
# If anon owns the traffic and it's bound for port 53 ( DNS ) then we send it to tor's DNS port that
# we set up in torrc (5353)
#
# The instructions said that upon testing there were cases where the setup leaked DNS. 'somehow'.
# There are some differences between what I did and what they did. Firstly I have tor listening on 127.0.0.1:5353
# whereas they had it listening on port 53. Xubuntu uses 127.0.0.2:53 for DNS. Maybe there was some confusion
# in what they had because of listening on two addresses port 53? Using different ports disambiguates it and might fix
# that kind of problem.
# Secondly, this is a backup-safety layer. Mostly I'm going to be using tor-browser. Tor browser yapped at me watching
# a video saying it couldn't prevent some codecs from accessing the net. Ok. But this firewalled anon user setup should.
# Maybe there could be a DNS leak, but I don't see any obvious way how.
# I tested this with lynx to https://check.torproject.org and it says I'm using tor browsing with lynx when
# logged in as anon.
# Also, tor-browser is smart enough to detect the tor service running and set up the manual proxy settings to send
# traffic through it. So we're not double-torring. The tor browser connects via socks5 on lo to the running tor
# service. Lynx has its traffic redirected through tor via the firewall rules.
#
# My personal threat model is avoiding casual spying and hoovering/archiving of metadata.


me@mymachine: /etc$ sudo cat iptables-rules
#!/bin/bash

iptables --flush
iptables --table nat --flush

iptables --delete-chain


iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT

iptables --append INPUT --in-interface lo --jump ACCEPT


ANON_UID=anon
TOR_TRANS_PORT=9040
TOR_DNS_PORT=5353
DNS_PORT=53

# anon's TCP leaving on any non-lo interface goes to tor's TransPort
iptables --table nat \
    --append OUTPUT \
    ! --out-interface lo \
    --protocol tcp \
    --match owner --uid-owner $ANON_UID \
    --match tcp \
    --jump REDIRECT --to-ports $TOR_TRANS_PORT

# anon's DNS (udp/53) leaving on any non-lo interface goes to tor's DNSPort
iptables --table nat \
    --append OUTPUT \
    ! --out-interface lo \
    --protocol udp \
    --match owner --uid-owner $ANON_UID \
    --match udp --dport $DNS_PORT \
    --jump REDIRECT --to-ports $TOR_DNS_PORT

iptables --table filter \
    --append OUTPUT \
    --protocol tcp \
    --match owner --uid-owner $ANON_UID \
    --match tcp --dport $TOR_TRANS_PORT \
    --jump ACCEPT

iptables --table filter \
    --append OUTPUT \
    --protocol udp \
    --match owner --uid-owner $ANON_UID \
    --match udp --dport $TOR_DNS_PORT \
    --jump ACCEPT

# catch-all: anything else anon sends off-box is dropped
iptables --table filter \
    --append OUTPUT \
    ! --out-interface lo \
    --match owner --uid-owner $ANON_UID \
    --jump DROP

# Allow established sessions to receive traffic
iptables --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT

me@mymachine: /etc$ sudo cat ip6tables-rules
#!/bin/bash

ip6tables --flush
ip6tables --table nat --flush

ip6tables --delete-chain


ip6tables --policy INPUT DROP
ip6tables --policy FORWARD DROP
ip6tables --policy OUTPUT ACCEPT

ANON_UID=anon

# tor does not carry IPv6 for us here, so anon gets no IPv6 off-box at all
ip6tables \
    --append OUTPUT \
    ! --out-interface lo \
    --protocol tcp \
    --match owner --uid-owner $ANON_UID \
    --match tcp \
    --jump DROP

ip6tables \
    --append OUTPUT \
    ! --out-interface lo \
    --protocol udp \
    --match owner --uid-owner $ANON_UID \
    --match udp \
    --jump DROP


ip6tables --append INPUT --in-interface lo --jump ACCEPT


# Allow established sessions to receive traffic
ip6tables --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT

##################
$ sudo bash /etc/iptables-rules; sudo bash /etc/ip6tables-rules
$ sudo su -
# mkdir -p /etc/iptables
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
# exit
$ sudo touch /etc/NetworkManager/dispatcher.d/01-firewall
$ sudo chmod 755 /etc/NetworkManager/dispatcher.d/01-firewall
# the following is what should be in 01-firewall:
me@mymachine: /etc/NetworkManager/dispatcher.d$ cat 01-firewall
#!/bin/sh
# NetworkManager calls dispatcher scripts as: 01-firewall <interface> <action>
if [ -x /usr/bin/logger ]; then
    LOGGER="/usr/bin/logger -s -p daemon.info -t FirewallHandler"
else
    LOGGER=echo
fi

RULESV4=/etc/iptables/rules.v4
RULESV6=/etc/iptables/rules.v6

case "$2" in
    up)
        if [ ! -r $RULESV4 ]; then
            ${LOGGER} "No v4 iptables rules exist to restore."
            exit 0
        fi
        if [ ! -x /sbin/iptables-restore ]; then
            ${LOGGER} "No program exists to restore iptables rules."
            exit 0
        fi
        ${LOGGER} "Restoring $RULESV4"
        /sbin/iptables-restore -c < $RULESV4
        if [ ! -r $RULESV6 ]; then
            ${LOGGER} "No v6 iptables rules exist to restore."
            exit 0
        fi
        if [ ! -x /sbin/ip6tables-restore ]; then
            ${LOGGER} "No program exists to restore ip6tables rules."
            exit 0
        fi
        ${LOGGER} "Restoring $RULESV6"
        /sbin/ip6tables-restore -c < $RULESV6
        ;;
    down)
        if [ ! -x /sbin/iptables-save ]; then
            ${LOGGER} "No program exists to save iptables rules."
            exit 0
        fi
        ${LOGGER} "Saving iptables rules."
        /sbin/iptables-save -c > $RULESV4
        if [ ! -x /sbin/ip6tables-save ]; then
            ${LOGGER} "No program exists to save ip6tables rules."
            exit 0
        fi
        ${LOGGER} "Saving ip6tables rules."
        /sbin/ip6tables-save -c > $RULESV6
        ;;
    *)
        ;;
esac

$ reboot

Then if you open a terminal and sudo su - anon your traffic from that window will be sent through tor only.
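Since the 01-firewall dispatcher restores whatever is in rules.v4/rules.v6 on every link-up, a missing or misordered rule in those files is the most likely way for anon's traffic to leak past tor. The script below is an added example, not the poster's own, that audits such dumps offline before a reboot: it checks that the two nat REDIRECTs, the INPUT DROP policy, the anon catch-all DROP (and that it is the last anon rule in filter OUTPUT), and the IPv6 TCP/UDP drops are all present. It assumes iptables-save writes anon's uid numerically (1001 in the constructed sample dumps, which are not captured from a real host) and the torrc ports above (TransPort 9040, DNSPort 5353).

```shell
#!/bin/bash
# Offline audit of iptables-save / ip6tables-save dumps for the anon-user
# torification rules. Added example; assumptions: anon's numeric uid and
# the TransPort/DNSPort values are passed in by the caller.

# section TABLE FILE: print the ":" policy lines and "-A" rules of one
# table (nat|filter), dropping the "[pkts:bytes] " prefix that
# iptables-save -c puts in front of every rule.
section() {
  sed -E 's/^\[[0-9]+:[0-9]+\] //' "$2" | awk -v want="*$1" '
    /^\*/ { cur = $0; next }
    cur == want && /^(-A |:)/ { print }'
}

FAILS=0
# check DESCRIPTION TEXT REGEX: pass if some line of TEXT matches REGEX.
check() {
  if printf '%s\n' "$2" | grep -Eq -- "$3"; then
    echo "ok   $1"
  else
    echo "FAIL $1"; FAILS=$((FAILS + 1))
  fi
}

# audit_v4 FILE UID TRANSPORT DNSPORT: returns 0 only if every expected
# IPv4 rule is present and the catch-all DROP is anon's last filter rule.
audit_v4() {
  local file=$1 uid=$2 trans=$3 dns=$4 nat filter last_anon
  FAILS=0
  nat=$(section nat "$file")
  filter=$(section filter "$file")
  check "v4 INPUT policy is DROP" "$filter" '^:INPUT DROP'
  check "v4 anon TCP off lo redirected to TransPort" "$nat" \
    "^-A OUTPUT ! -o lo -p tcp -m owner --uid-owner $uid (-m tcp )?-j REDIRECT --to-ports $trans\$"
  check "v4 anon udp/53 off lo redirected to DNSPort" "$nat" \
    "^-A OUTPUT ! -o lo -p udp -m owner --uid-owner $uid -m udp --dport 53 -j REDIRECT --to-ports $dns\$"
  check "v4 catch-all DROP for anon traffic off lo" "$filter" \
    "^-A OUTPUT ! -o lo -m owner --uid-owner $uid -j DROP\$"
  # A later anon ACCEPT would reopen a path around tor, so the catch-all
  # must be the last rule that mentions anon's uid.
  last_anon=$(printf '%s\n' "$filter" | grep -- "--uid-owner $uid" | tail -n 1)
  check "v4 catch-all DROP is anon's last rule" "$last_anon" '-j DROP$'
  return $((FAILS > 0))
}

# audit_v6 FILE UID: returns 0 only if anon's TCP and UDP are dropped off lo.
audit_v6() {
  local file=$1 uid=$2 filter
  FAILS=0
  filter=$(section filter "$file")
  check "v6 INPUT policy is DROP" "$filter" '^:INPUT DROP'
  check "v6 anon TCP off lo dropped" "$filter" \
    "^-A OUTPUT ! -o lo -p tcp -m owner --uid-owner $uid (-m tcp )?-j DROP\$"
  check "v6 anon UDP off lo dropped" "$filter" \
    "^-A OUTPUT ! -o lo -p udp -m owner --uid-owner $uid (-m udp )?-j DROP\$"
  return $((FAILS > 0))
}

# Constructed sample dumps (anon = uid 1001), in iptables-save -c format.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/rules.v4" <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[3:180] -A OUTPUT ! -o lo -p tcp -m owner --uid-owner 1001 -m tcp -j REDIRECT --to-ports 9040
[1:60] -A OUTPUT ! -o lo -p udp -m owner --uid-owner 1001 -m udp --dport 53 -j REDIRECT --to-ports 5353
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[10:800] -A INPUT -i lo -j ACCEPT
[42:3000] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[3:180] -A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 9040 -j ACCEPT
[1:60] -A OUTPUT -p udp -m owner --uid-owner 1001 -m udp --dport 5353 -j ACCEPT
[0:0] -A OUTPUT ! -o lo -m owner --uid-owner 1001 -j DROP
COMMIT
EOF
# Broken variant: the catch-all DROP is gone, so anon's non-TCP, non-DNS
# traffic (e.g. UDP to other ports) would leave the box directly.
grep -v -- '-j DROP$' "$SAMPLE_DIR/rules.v4" > "$SAMPLE_DIR/rules.v4.broken"
cat > "$SAMPLE_DIR/rules.v6" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A OUTPUT ! -o lo -p tcp -m owner --uid-owner 1001 -m tcp -j DROP
[0:0] -A OUTPUT ! -o lo -p udp -m owner --uid-owner 1001 -m udp -j DROP
[5:400] -A INPUT -i lo -j ACCEPT
[7:500] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

main() {
  audit_v4 "$SAMPLE_DIR/rules.v4" 1001 9040 5353 &&
    audit_v6 "$SAMPLE_DIR/rules.v6" 1001 &&
    echo "sample dumps: all checks passed"
  echo "--- dump with the catch-all DROP removed ---"
  audit_v4 "$SAMPLE_DIR/rules.v4.broken" 1001 9040 5353 || echo "leak detected; do not reboot with this"
}
main
```

On a real host run it against the saved files, e.g. `audit_v4 /etc/iptables/rules.v4 "$(id -u anon)" 9040 5353`, after the iptables-save step and again after any later rule change, since the down branch of 01-firewall overwrites rules.v4 with whatever is live at that moment.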