Mande Kira Mande Kira - 6 months ago 33
Linux Question

How to channel all traffic to tor on Kali linux

I am new to tor and Kali linux, I have installed Kali linux and installed tor and download tor bundle, but I realised only when I brows through the tor bundle browser is when my traffic is being channel through tor, excluding any other browser and application. Please how can I channel all my network traffic on Kali linux to pass through the tor network. Note am newbie to tor and Kali.
Thanks

Answer

Add the following to torrc:

AutomapHostsOnResolve  1
DNSPort                53530
TransPort              9040

create a file to contain your iptables rules. For IPv4: /etc/iptables.firewall.rules and for IPv6: /etc/ip6tables.firewall.rules.

Now edit the IPv4 file and add something like the following (make sure to grep for TODO items and follow the instructions):

# Ues the nat table to redirect some traffic to Tor

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Don't allow Tor traffic to get stuck in a redirect loop...
# TODO: Is `tor' your actual Tor user? It might be `debian-tor' or `toranon' or something else.
-A OUTPUT -m owner --uid-owner tor -j RETURN

# Redirect DNS lookups to Tor.
# TODO: Set this to your Tor DNSPort if it's not 53530.
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53530

# Do not redirect private networks or loopback.
-A OUTPUT -d 10.0.0.0/8 -j RETURN
-A OUTPUT -d 172.16.0.0/12 -j RETURN
-A OUTPUT -d 192.168.0.0/16 -j RETURN

# Redirect HS connections to the TransPort.
-A OUTPUT -d 127.192.0.0/10 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040

# Redirect all TCP traffic to Tor's TransPort.
-A OUTPUT ! -o lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040

COMMIT

# Only accept anonymized network traffic in the filter table.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LAN - [0:0]

# Allow loopback
-A INPUT -i lo -j ACCEPT

# Allow connections that are already established.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Reject incoming connections.
-A INPUT -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable

# Accept network traffic for the Tor service itself.
# TODO: Tor user?
-A OUTPUT -m owner --uid-owner tor -j ACCEPT

# Accept DNS requests to the Tor DNSPort.
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53530 -j ACCEPT

# Accept outgoing traffic to the local Tor TransPort.
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9040 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

# Accept outgoing traffic to the local Tor SOCKSPorts.
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9050 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9150 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

# Accept connections on private networks.
-A OUTPUT -d 10.0.0.0/8 -j LAN
-A OUTPUT -d 172.16.0.0/12 -j LAN
-A OUTPUT -d 192.168.0.0/16 -j LAN
-A LAN -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A LAN -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A LAN -j ACCEPT

# Reject all other outgoing traffic.
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable

COMMIT

For the IPv6 file, you can do something similar with ip6tables, or just drop all IPv6 traffic.

Now set these rules to be loaded on startup by creating the file /etc/network/if-pre-up.d/firewall with the following contents:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
/sbin/ip6tables-restore < /etc/ip6tables.firewall.rules

Restart Tor if needed, and load your new firewall rules manually by executing the previous commands.