Commit 0c28fa63 authored by intrigeri's avatar intrigeri

Allow redirecting DNS requests to Tor for specific users or globally.

parent 911cc18e
......@@ -107,7 +107,18 @@ rejected. This is intentional: it does not make sense leaking -via DNS
requests- network activity that would otherwise be torified. In that
case you probably want to read proper documentation about such
matters, enable the Tor DNS resolver and redirect DNS requests through
it.
it,
either globally:
shorewall::rules::torify::redirect_dns_to_tor { '-': }
or for specific users:
shorewall::rules::torify::redirect_dns_to_tor { ['bob', 'alice' ]: }
The $tor_dns_host and $tor_dns_port variables must be set before
these defines are setup.
Example
-------
......
......@@ -28,6 +28,12 @@ class shorewall {
case $tor_transparent_proxy_port {
'': { $tor_transparent_proxy_port = '9040' }
}
case $tor_dns_host {
'': { $tor_dns_host = '127.0.0.1' }
}
case $tor_dns_port {
'': { $tor_dns_port = '8853' }
}
if $tor_user == '' {
$tor_user = $dist_tor_user ? {
'' => 'tor',
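Review bot: The two new case blocks that default $tor_dns_host to '127.0.0.1' and $tor_dns_port to '8853' accept any string, so a non-numeric port or a host value containing ':' flows unchanged into the "zone:host:port" destination the rules module builds from them and only surfaces as a broken DNAT rule at shorewall restart. A guard after the case, such as `if $tor_dns_port !~ /^\d+$/ { fail("tor_dns_port must be a port number, got '${tor_dns_port}'") }`, would reject the misconfiguration at catalog compile time instead. The enclosing class shorewall starts before the hunk and the if on $tor_user continues past it.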
......
define shorewall::rules::torify::redirect_dns_to_tor() {
$user = $name
$destzone = $shorewall::tor_dns_host ? {
'127.0.0.1' => '$FW',
default => 'net'
}
$tcp_rule = "redirect-tcp-dns-to-tor-user=${user}"
if !defined(Shorewall::Rule["$tcp_rule"]) {
shorewall::rule {
"$tcp_rule":
source => '$FW',
destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
proto => 'tcp',
destinationport => 'domain',
user => $user,
order => 108,
action => 'DNAT';
}
}
$udp_rule = "redirect-udp-dns-to-tor-user=${user}"
if !defined(Shorewall::Rule["$udp_rule"]) {
shorewall::rule {
"$udp_rule":
source => '$FW',
destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
proto => 'udp',
destinationport => 'domain',
user => $user,
order => 108,
action => 'DNAT';
}
}
}
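Review bot: The selector at `$destzone = $shorewall::tor_dns_host ? {` reads class variables with nothing ensuring class shorewall has been evaluated first; if this define is declared before the class, both variables are presumably undef, the selector falls to 'net' and the destination string ends in '::', an unusable DNAT target, so failing early at the top of the define is clearer: `if $shorewall::tor_dns_host == '' or $shorewall::tor_dns_port == '' { fail('shorewall::tor_dns_host and tor_dns_port must be set before redirect_dns_to_tor is used') }`. The tcp and udp shorewall::rule declarations differ only in proto and the title prefix, so the duplicated parameter list is worth sharing, and the only-variable titles `Shorewall::Rule["$tcp_rule"]` and `Shorewall::Rule["$udp_rule"]` can be written without quotes. A header comment should also state the consequence of the 'net' branch: when tor_dns_host is anything other than 127.0.0.1 the redirected queries leave the host in clear text on their way to the remote DNSPort, which the README wording added in this commit does not mention.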