PORTAL for Debian

Rockstar hacker and OPSEC aficionado the grugq has detailed how to set up a Raspberry Pi as a transparent Tor proxy of sorts. This has a number of advantages over using something like the Tor Browser Bundle or manually pointing your applications at Tor. The main advantage is that it limits your ability to misconfigure an application such that it leaks information or, worse, isn't actually using Tor at all. By setting up a dedicated captive Tor portal, you can be fairly certain that all TCP traffic is going through Tor. All UDP traffic destined for port 53 (DNS) is redirected to the Tor daemon and everything else is dropped.

His instructions are here: https://github.com/grugq/PORTALofPi. My instructions are basically verbatim from his build.sh script.

The instructions below use vanilla Debian 7 x86 on an old netbook. The only extra hardware I used is a USB Ethernet adapter (e.g., a MosChip Semiconductor MCS7830 10/100 Mbps Ethernet adapter). If you're clever, you could use the internal wifi card to set up a WAP for the captive portal.

April 6, 2014 Update:
@asshurtACKFlags has some instructions that use a Raspberry Pi and Raspbian.


March 3, 2014 Update:
There may be an issue when trying to access .onion addresses. Details and a fix are here: https://github.com/grugq/PORTALofPi/issues/16. I cannot replicate the issue; e.g., accessing DDG via the .onion at http://3g2upl4pq6kufc4m.onion/ works on the configuration documented below.

There is also a similar project here: http://learn.adafruit.com/onion-pi/overview. It also uses a Raspberry Pi.

Step 1: Set up the interfaces

eth0: The internets, however you get it. I’d recommend a non-NAT’d IP.
eth1: This is the private captive network.  You can put a wireless access point on this network so you can use a tablet.

Edit /etc/network/interfaces

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
  # Uncomment the line below once you have the network working and Tor configured
  # pre-up iptables-restore < /etc/network/iptables.tor.rules

Step 2: Install Tor and dnsmasq (for dhcp)

apt-get install tor dnsmasq

Step 3:  Configure Tor

This sets up Tor as a transparent proxy.

cp /etc/tor/torrc /etc/tor/torrc.backup
cat > /etc/tor/torrc << __TORRC__
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
DataDirectory /var/lib/tor
SocksPort 9050
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 9053
__TORRC__

Step 4: Configure dnsmasq

cp /etc/dnsmasq.conf /etc/dnsmasq.conf.backup
cat > /etc/dnsmasq.conf << __DNSMASQ__

Step 5: Set up iptables

cat > /etc/network/iptables.tor.rules << __IPTABLES__
# iptables-restore needs a table header before each group of rules and a COMMIT after it.
*nat
# Send every new TCP connection from the captive network to Tor's TransPort
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
# Send DNS queries from the captive network to Tor's DNSPort
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
# Default-drop policies: nothing is routed between eth1 and eth0
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 9053 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
# The rule below allows SSH access on the external interface, delete this if you don't want that.
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
__IPTABLES__

**** Go and uncomment the pre-up rule in /etc/network/interfaces ****

Step 6: Reboot and plug something into eth1
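
A way to check that the ruleset from Step 5 still forces everything through Tor, as an added example (not part of the grugq's build.sh or the original instructions): it audits an iptables-restore file, or an iptables-save dump taken after the reboot, for the two redirects and for rules that would let clients route around Tor. The function names and the sample ruleset are constructed here; eth1, 9040 and 9053 are the values used above.

```shell
#!/bin/sh
# Added example (not from PORTALofPi): static leak audit of an
# iptables-restore / iptables-save dump for the captive setup above.
# Assumed from the page: captive interface eth1, TransPort 9040, DNSPort 9053.

audit_rules() {   # usage: audit_rules FILE [LAN_IF]; returns the number of findings
    f=$1; lan=${2:-eth1}; fails=0
    need() {      # need DESCRIPTION REGEX: a matching rule must be present
        grep -Eq -- "$2" "$f" || { echo "MISSING: $1"; fails=$((fails + 1)); }
    }
    deny() {      # deny DESCRIPTION REGEX: no matching rule may be present
        if grep -Eq -- "$2" "$f"; then echo "LEAK RISK: $1"; fails=$((fails + 1)); fi
    }
    need "TCP from $lan redirected to TransPort 9040" \
         "^-A PREROUTING -i $lan -p tcp .*-j REDIRECT --to-ports 9040"
    need "DNS from $lan redirected to DNSPort 9053" \
         "^-A PREROUTING -i $lan -p udp .*--dport 53 .*-j REDIRECT --to-ports 9053"
    # Anything that forwards or NATs client packets lets them bypass Tor.
    deny "FORWARD chain accepts packets" "^(:FORWARD ACCEPT|-A FORWARD .*-j ACCEPT)"
    deny "source NAT for routed traffic" "-j (MASQUERADE|SNAT)"
    return "$fails"
}

# Constructed sample: DNS redirect missing, forwarding and NAT left open.
sample=$(mktemp)
cat > "$sample" << '__SAMPLE__'
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
__SAMPLE__
audit_rules "$sample" || echo "findings: $?"
rm -f "$sample"
```

On the portal itself, run `audit_rules /etc/network/iptables.tor.rules` before the reboot, or dump the live rules with `iptables-save` to a file and audit that.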