Skip to content

torproxy Setup

Initial Setup

sudo pacman -S tor nyx iptables bleachbit
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec]
→ cat /etc/tor/torrc

[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/trac]
→ cat /etc/tor/torrc
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
DataDirectory /var/lib/tor

BridgeRelay 1
PublishServerDescriptor 0
ORPort auto

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 127.0.0.1:8042
ExtOrPort auto

VirtualAddrNetworkIPv4 10.192.0.0/10

AutomapHostsOnResolve 1

# Tor Browser SocksPort.
SocksPort 9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
SocksPort 9151 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth

TransPort 9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
SocksPort 9050 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort


ControlPort 9051
DNSPort 127.0.0.1:53
User tor


#use hardware accaleration when possible for crypto
HardwareAccel 1
#
##socket safety hacks
TestSocks 1
AllowNonRFC953Hostnames 0
WarnPlaintextPorts 23,109,110,143,80
#
##dns safety hacks
ClientRejectInternalAddresses 0
#
##circuit hacks
NewCircuitPeriod 40
MaxCircuitDirtiness 600
MaxClientCircuitsPending 48
UseEntryGuards 1
EnforceDistinctSubnets 1
#ExitNodes {jp}

And then we make the following iptables script:

export BLUE='\033[1;94m'
export GREEN='\033[1;92m'
export RED='\033[1;91m'
export RESETCOLOR='\033[1;00m'


# If tor didn't start, we start it
        # It is used for startup
if command -v pacman > /dev/null; then
  TOR_UID=$(id -u tor)
elif command -v apt > /dev/null; then
  TOR_UID=$(id -u debian-tor)
elif command -v dnf > /dev/null; then
  TOR_UID=$(id -u toranon)
else
  echo "Unknown distro"
  exit
fi

TOR_PORT=`cat /etc/tor/torrc | grep TransPort | cut -d " " -f 2 | cut -d ":" -f 2`
DNS_PORT=`cat /etc/tor/torrc | grep DNSPort | cut -d " " -f 2 | cut -d ":" -f 2`
# Init DNS
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}"

#/usr/bin/dnstool address 127.0.0.1
sudo systemctl stop vpn
sudo systemctl restart iptables
sudo systemctl restart tor

sudo systemctl stop wg-quick@wg0
sudo iptables -F

#DNS

sudo chattr -i /etc/resolv.conf
sudo cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf
sudo chattr +i /etc/resolv.conf



 # disable ipv6
 echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}"
sudo /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo /sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1

 #if ! [ -f /etc/network/iptables.rules ]; then
 #       /usr/sbin/iptables-save > /etc/network/iptables.rules
 #       echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}"
 #fi

 # Making IPTables rules
sudo /usr/sbin/iptables -F
sudo /usr/sbin/iptables -t nat -F

 # set iptables nat
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}"
sudo /usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN

 #set dns redirect
 echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}"
sudo /usr/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT

 #resolve .onion domains mapping 10.192.0.0/10 address space
sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT

 #exclude local addresses
 for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do
        sudo  /usr/sbin/iptables -t nat -A OUTPUT -d $NET -j RETURN
        sudo  /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT
done

 #redirect all other output through TOR
sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT
#/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT

 #accept already established connections
sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 #allow only tor output
 echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR"
sudo /usr/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -j REJECT

 # TESTING block all incoming traffics
 # https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
sudo /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT

sudo /usr/sbin/iptables -A INPUT -j DROP

 ### *filter FORWARD
sudo /usr/sbin/iptables -A FORWARD -j DROP

 ### *filter OUTPUT
sudo /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

 # Allow Tor process output
sudo iptables -A OUTPUT -m owner --uid-owner $TOR_UID -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT

 # Allow loopback output
sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
 # iptables 1.8.5 can't use -o with input
 # /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT

 # Tor transproxy magic
sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

     #allow local network traffic:
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT

sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT

        # Allow OUTPUT to lan hosts in $_non_tor
        # Uncomment these 3 lines to enable.
        #for _lan in $_non_tor; do
        # iptables -A OUTPUT -d $_lan -j ACCEPT
        #done

        # Log & Drop everything else. Uncomment to enable logging
        #iptables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
        # /usr/sbin/iptables -A OUTPUT -j DROP

        ### Set default policies to DROP
        # /usr/sbin/iptables -P INPUT DROP
        # /usr/sbin/iptables -P FORWARD DROP
        # /usr/sbin/iptables -P OUTPUT DROP

        ### Set default policies to DROP for IPv6
        #ip6tables -P INPUT DROP
        #ip6tables -P FORWARD DROP
        #ip6tables -P OUTPUT DROP

Now in between switching you should kill the dangerous applications like so:

[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec]
→ cat cleanup.sh
# Kill processes
killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail 
# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null

And now if you have the following torrc you can have a tor transparent proxying:

[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/trac]
→ sudo systemctl restart tor

[ 10.0.0.10/16 ] [ nowhere ] [~]
→ ./security.sh

[+] SECURITY SCRIPT:

[+] 0) Only local ?
[+] 1) VPN over TOR ?                   (high latency, unlimited bandwidth)
[+] 2) Wireguard to vpn.void.yt ?       (3TB/mo, low latency)
[+] 3) Transparent TOR Proxying
3
[sudo] password for nothing:
[*] Modified resolv.conf to use Tor
[*] Disabling IPv6 for security reasons
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[*] Configuring iptables rules to route all traffic through tor
 + Redirecting DNS traffic through tor
 + Allowing only tor to browse in clearnet

Now if you want to see if this works, you can check out your own ip in firefox:

Or if you want to check from inside the tor browser since it has much more security hardening than default firefox, do the following to start it up in such a way that it will use the system daemon::

[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec]
→ cat torbrowser.sh
#export TOR_CONTROL_COOKIE_AUTH_FILE=/var/run/tor/control.authcookie
export TOR_CONTROL_PORT=9051
export TOR_SOCKS_PORT=9150
export TOR_SKIP_LAUNCH=1
/usr/bin/torbrowser-launcher

[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec]
→ ./torbrowser.sh
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.3.5
https://github.com/micahflee/torbrowser-launcher
Launching Tor Browser.
Running /home/nothing/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...

`

Automation Setup

Let's make a systemd daemon that, when started, launches a bashscript to start the tor proxying, and when stopped, stops the tor proxying.

[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final]
→  chmod +x ./torproxy_start.sh

[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final]
→ cat torproxy_start.sh
#!/bin/bash

# Kill processes
killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail 
# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null

        sudo systemctl stop wg-quick@wg0
        sudo iptables -F
        #https://github.com/ParrotSec/anonsurf/blob/c5cc0092dc4ffe7d53b2bb42aebdc00e463cfa84/scripts/anondaemon

export BLUE='\033[1;94m'
export GREEN='\033[1;92m'
export RED='\033[1;91m'
export RESETCOLOR='\033[1;00m'


# If tor didn't start, we start it
        # It is used for startup
if command -v pacman > /dev/null; then
  TOR_UID=$(id -u tor)
elif command -v apt > /dev/null; then
  TOR_UID=$(id -u debian-tor)
elif command -v dnf > /dev/null; then
  TOR_UID=$(id -u toranon)
else
  echo "Unknown distro"
  exit
fi

TOR_PORT=`cat /etc/tor/torrc | grep TransPort | cut -d " " -f 2 | cut -d ":" -f 2`
DNS_PORT=`cat /etc/tor/torrc | grep DNSPort | cut -d " " -f 2 | cut -d ":" -f 2`
# Init DNS
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}"

#/usr/bin/dnstool address 127.0.0.1
sudo systemctl stop vpn
sudo systemctl restart iptables
sudo systemctl restart tor

sudo systemctl stop wg-quick@wg0
sudo iptables -F

#DNS

sudo chattr -i /etc/resolv.conf
sudo cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf
sudo chattr +i /etc/resolv.conf



 # disable ipv6
 echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}"
sudo /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo /sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1

 #if ! [ -f /etc/network/iptables.rules ]; then
 #       /usr/sbin/iptables-save > /etc/network/iptables.rules
 #       echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}"
 #fi

 # Making IPTables rules
sudo /usr/sbin/iptables -F
sudo /usr/sbin/iptables -t nat -F

 # set iptables nat
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}"
sudo /usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN

 #set dns redirect
 echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}"
sudo /usr/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT

 #resolve .onion domains mapping 10.192.0.0/10 address space
sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT

 #exclude local addresses
 for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do
        sudo  /usr/sbin/iptables -t nat -A OUTPUT -d $NET -j RETURN
        sudo  /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT
done

 #redirect all other output through TOR
sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT
#/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT

 #accept already established connections
sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 #allow only tor output
 echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR"
sudo /usr/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -j REJECT

 # TESTING block all incoming traffics
 # https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
sudo /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT

sudo /usr/sbin/iptables -A INPUT -j DROP

 ### *filter FORWARD
sudo /usr/sbin/iptables -A FORWARD -j DROP

 ### *filter OUTPUT
sudo /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

 # Allow Tor process output
sudo iptables -A OUTPUT -m owner --uid-owner $TOR_UID -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT

 # Allow loopback output
sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
 # iptables 1.8.5 can't use -o with input
 # /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT

 # Tor transproxy magic
sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

     #allow local network traffic:
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT

sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT



[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final]
→ vim torproxy_stop.sh

[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final]
→ chmod +x ./torproxy_stop.sh

[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final]
→ cat torproxy_stop.sh
#!/bin/bash
# Kill processes
killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail 
# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null

sudo iptables -F

And now to write the systemd service:

[ 10.0.0.10/16 ] [ nowhere ] [~]
→ sudo vim /etc/systemd/system/torproxy.service

[ 10.0.0.10/16 ] [ nowhere ] [~]
→ sudo systemctl daemon-reload

[ 10.0.0.10/16 ] [ nowhere ] [~]
→ cat /etc/systemd/system/torproxy.service
[Unit]
Description=Tor Transparent Proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/home/nothing/Nextcloud/blog/Conf/torproxy_start.sh
ExecStop=/home/nothing/Nextcloud/blog/Conf/torproxy_stop.sh

[Install]
WantedBy=multi-user.target

and the modified 2 scripts:

[ 10.0.0.10/16 ] [ nowhere ] [~]
→ cat /home/nothing/Nextcloud/blog/Conf/torproxy_start.sh
#!/bin/bash

# Kill processes
killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail
# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null

 systemctl stop wg-quick@wg0
 iptables -F
#https://github.com/ParrotSec/anonsurf/blob/c5cc0092dc4ffe7d53b2bb42aebdc00e463cfa84/scripts/anondaemon

export BLUE='\033[1;94m'
export GREEN='\033[1;92m'
export RED='\033[1;91m'
export RESETCOLOR='\033[1;00m'


# If tor didn't start, we start it
        # It is used for startup
if command -v pacman > /dev/null; then
  TOR_UID=$(id -u tor)
elif command -v apt > /dev/null; then
  TOR_UID=$(id -u debian-tor)
elif command -v dnf > /dev/null; then
  TOR_UID=$(id -u toranon)
else
  echo "Unknown distro"
  exit
fi

TOR_PORT=`cat /etc/tor/torrc | grep TransPort | cut -d " " -f 2 | cut -d ":" -f 2`
DNS_PORT=`cat /etc/tor/torrc | grep DNSPort | cut -d " " -f 2 | cut -d ":" -f 2`
# Init DNS
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}"

#/usr/bin/dnstool address 127.0.0.1
 systemctl stop vpn
 systemctl restart iptables
 systemctl stop wg-quick@wg0
 iptables -F

#DNS

 chattr -i /etc/resolv.conf
 cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf
 chattr +i /etc/resolv.conf



 # disable ipv6
 echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}"
 /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
 /sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1

 #if ! [ -f /etc/network/iptables.rules ]; then
 #       /usr/sbin/iptables-save > /etc/network/iptables.rules
 #       echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}"
 #fi

 # Making IPTables rules
 /usr/sbin/iptables -F
 /usr/sbin/iptables -t nat -F

 # set iptables nat
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}"
 /usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN

 #set dns redirect
 echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}"
 /usr/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT

 #resolve .onion domains mapping 10.192.0.0/10 address space
 /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT
 /usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT

 #exclude local addresses
 for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do
          /usr/sbin/iptables -t nat -A OUTPUT -d $NET -j RETURN
          /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT
done

 #redirect all other output through TOR
 /usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT
#/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT
 /usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT
 /usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT

 #accept already established connections
 /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 #allow only tor output
 echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR"
 /usr/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
 /usr/sbin/iptables -A OUTPUT -j REJECT

 # TESTING block all incoming traffics
 # https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
 /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
 /usr/sbin/iptables -A INPUT -i lo -j ACCEPT

 /usr/sbin/iptables -A INPUT -j DROP

 ### *filter FORWARD
 /usr/sbin/iptables -A FORWARD -j DROP

 ### *filter OUTPUT
 /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
 /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

 # Allow Tor process output
 iptables -A OUTPUT -m owner --uid-owner $TOR_UID -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT

 # Allow loopback output
 /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
 # iptables 1.8.5 can't use -o with input
 # /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT

 # Tor transproxy magic
 /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

     #allow local network traffic:
 /usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
 /usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
 /usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
 /usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT

 /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
 /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
 /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
 /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT

systemctl start tor




[ 10.0.0.10/16 ] [ nowhere ] [~]
→ cat /home/nothing/Nextcloud/blog/Conf/torproxy_stop.sh
#!/bin/bash
# Kill processes
killall -q tor chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail
# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null


iptables -F
systemctl restart iptables

Now to test it:

[ 10.0.0.10/16 ] [ nowhere ] [~]
→ sudo systemctl stop torproxy.service

[ 10.0.0.10/16 ] [ nowhere ] [~]
→ sudo systemctl start torproxy.service

Nihilist
Donate XMR to Nihilist:
8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o
7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8