commit fd92b0fc7f0ef4d18c93ab72cda76c41220d1ad7 Author: olli Date: Sun Jul 10 10:51:13 2022 +0200 first commit diff --git a/README.md b/README.md new file mode 100644 index 0000000..e69de29 diff --git a/tornet.yml b/tornet.yml new file mode 100644 index 0000000..b342b7b --- /dev/null +++ b/tornet.yml 
@@ -0,0 +1,261 @@ +--- +- name: Tornet Debian Linux Setup + hosts: defiant.dedyn.io tor-nas.dedyn.io + tasks: + + - name: Packages for tor + apt: + name: + - tor + - tor-geoipdb + - privoxy + - bridge-utils + - ufw + - dnsmasq + update_cache: no + install_recommends: no + + - name: 'remove dnsmasq from startup' + command: systemctl disable dnsmasq + args: + removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service + + - name: 'stop dnsmasq' + command: systemctl stop dnsmasq + args: + removes: /run/dnsmasq/dnsmasq.pid + + - name: Tor Config + blockinfile: + path: /etc/tor/torrc + create: yes + mode: "0444" + owner: root + group: root + insertbefore: BOF + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + # individual Tor-Config + BridgeRelay 0 + SOCKSPort 0.0.0.0:9050 + ExitPolicy reject *:* + #ControlPort 9051 + #HashedControlPassword 16:F7222A0CBC254E536056DCBBD27A7D051D68BCF1E9020681C0A3656B84 + # Seting up TOR transparent proxy for tor-router + #VirtualAddrNetwork 10.192.0.0/10 + AutomapHostsOnResolve 1 + TransPort 0.0.0.0:9040 + DNSPort 0.0.0.0:5353 + # Falls outgping geblockt wird und nur 80/443 geht + FascistFirewall 1 + backup: yes + notify: + - Restart tor + + - name: Privoxy Config + blockinfile: + path: /etc/privoxy/config + create: yes + mode: "0444" + owner: root + group: root + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + # Privoxy-Tor-Connection + listen-address 0.0.0.0:3128 + forward-socks5t / 127.0.0.1:9050 . 
+ backup: yes + notify: + - Restart privoxy + + - name: Tor bridge + blockinfile: + path: /etc/network/interfaces.d/tornet0 + create: yes + mode: "0444" + owner: root + group: root + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + auto tornet0 + iface tornet0 inet static + bridge_ports none + address 192.168.43.1 + broadcast 192.168.43.255 + netmask 255.255.255.0 + notify: + - Restart tornet0 + + - name: start tornet0 if not exists + ansible.builtin.command: ifup tornet0 + args: + creates: /proc/sys/net/ipv6/conf/tornet0/disable_ipv6 + + - ansible.posix.sysctl: + name: net.ipv6.conf.tornet0.disable_ipv6 + value: '1' + state: present + + - name: ufw firewall rules for transparent tor proxy in tornet0 + blockinfile: + path: /etc/ufw/before.rules + create: yes + mode: "0440" + owner: root + group: root + marker: "# {mark} ANSIBLE MANAGED BLOCK for tornet0" + insertbefore: BOF + block: | + *nat + :POSTROUTING ACCEPT - [0:0] + # Route network 192.168.43.0/24 (tornet0) to transparent Tor-Proxy (udp not supported by Tor) + # Activate "normal" routing for non-Internet Networks + -A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE + -A PREROUTING -i tornet0 -d 127.0.0.0/8 -j RETURN + -A PREROUTING -i tornet0 -d 10.0.0.0/8 -j RETURN + -A PREROUTING -i tornet0 -d 192.168.0.0/16 -j RETURN + -A PREROUTING -i tornet0 -d 172.16.0.0/12 -j RETURN + -A PREROUTING -i tornet0 -d 0.0.0.0/8 -j RETURN + -A PREROUTING -i tornet0 -d 100.64.0.0/10 -j RETURN + -A PREROUTING -i tornet0 -d 169.254.0.0/16 -j RETURN + -A PREROUTING -i tornet0 -d 192.0.0.0/24 -j RETURN + -A PREROUTING -i tornet0 -d 192.0.2.0/24 -j RETURN + -A PREROUTING -i tornet0 -d 192.88.99.0/24 -j RETURN + -A PREROUTING -i tornet0 -d 198.18.0.0/15 -j RETURN + -A PREROUTING -i tornet0 -d 198.51.100.0/24 -j RETURN + -A PREROUTING -i tornet0 -d 203.0.113.0/24 -j RETURN + -A PREROUTING -i tornet0 -d 224.0.0.0/4 -j RETURN + -A PREROUTING -i tornet0 -d 240.0.0.0/4 -j RETURN + -A PREROUTING -i tornet0 -d 255.255.255.255/32 -j 
RETURN + # Redirect all TCP-Connections to transparent Tor-Proxy + -A PREROUTING -i tornet0 -s 192.168.43.0/24 -p tcp --syn -j REDIRECT --to-ports 9040 + # Redirect DNS to TorDNS + -A PREROUTING -i tornet0 -s 192.168.43.0/24 -d 192.168.43.1 -p udp --dport 53 -j REDIRECT --to-ports 5353 + # Redirect all non TCP-Connections into nirvana because Tor only speaks TCP + -A PREROUTING -i tornet0 -s 192.168.43.0/24 ! -p tcp -j DNAT --to 127.0.0.1:1 + COMMIT + notify: + - Restart ufw + + - name: Allow Routing + community.general.ufw: + rule: allow + route: yes + interface_in: tornet0 + + - name: Allow all access to tcp port 53/udp (dns) + community.general.ufw: + rule: allow + port: '53' + proto: udp + interface: tornet0 + direction: in + + - name: Allow access to dhcp server + community.general.ufw: + rule: allow + port: '67' + proto: udp + interface: tornet0 + direction: in + + - name: Allow access to NTP server + community.general.ufw: + rule: allow + port: '123' + proto: udp + interface: tornet0 + direction: in + + - name: Allow access to tor + community.general.ufw: + rule: allow + port: '9040' + proto: tcp + interface: tornet0 + direction: in + + - name: dnsmasq DNS and DHCP for tornet0 + blockinfile: + path: /etc/dnsmasq-tornet0.conf + create: yes + mode: "0444" + owner: root + group: root + insertbefore: BOF + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + port=53 + interface=tornet0 + listen-address=192.168.43.1 + bind-interfaces + except-interface=lo + domain-needed + bogus-priv + dhcp-range=192.168.43.100,192.168.43.200,255.255.255.0,12h + dhcp-option=option:ntp-server,192.168.43.1 + log-queries + log-dhcp + notify: + - Restart dnsmasq-tornet0 + + - name: dnsmasq DNS and DHCP for tornet0 systemd + blockinfile: + path: /etc/systemd/system/dnsmasq-tornet0.service + create: yes + mode: "0444" + owner: root + group: root + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + [Unit] + Description=dnsmasq tornet0 DNS and DHCP + After=network.target + + 
[Service] + Type=forking + ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-tornet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-tornet0.conf --local-service + PIDFile=/run/dnsmasq/dnsmasq-tornet0.pid + KillMode=process + Restart=on-failure + + [Install] + WantedBy=multi-user.target + notify: + - Restart dnsmasq-tornet0 + + - name: 'add dnsmasq-tornet0 to startup' + command: systemctl enable dnsmasq-tornet0 + args: + creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-tornet0.service + + - name: 'start dnsmasq-tornet0' + command: systemctl start dnsmasq-tornet0 + args: + creates: /run/dnsmasq/dnsmasq-tornet0.pid + + handlers: + + - name: Restart tornet0 + ansible.builtin.shell: ifdown tornet0 ; ifup tornet0 + + - name: Restart tor + service: + name: tor + state: restarted + + - name: Restart privoxy + service: + name: privoxy + state: restarted + + - name: Restart ufw + service: + name: ufw + state: restarted + + - name: Restart dnsmasq-tornet0 + service: + name: dnsmasq-tornet0 + state: restarted +
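Review bot: The Tor and Privoxy listeners in the torrc and privoxy blocks bind to every interface (`SOCKSPort 0.0.0.0:9050`, `TransPort 0.0.0.0:9040`, `DNSPort 0.0.0.0:5353`, `listen-address 0.0.0.0:3128`), while the ufw tasks only open 9040/tcp on tornet0 and nothing for 9050 or 3128, so whether those two ports are reachable from the host's other interfaces depends entirely on the ufw default policy, which this playbook does not set. Since Privoxy forwards to `127.0.0.1:9050` and the proxy clients live on tornet0, binding to the addresses actually used would remove that dependency: `SOCKSPort 127.0.0.1:9050`, `TransPort 192.168.43.1:9040`, `DNSPort 192.168.43.1:5353`, and `listen-address 192.168.43.1:3128` (or 127.0.0.1 if Privoxy is only for local use). A second, related point is in the before.rules and dnsmasq blocks: only UDP/53 to 192.168.43.1 is redirected to Tor's DNSPort, the `-d 192.168.0.0/16 -j RETURN` rule keeps TCP to 192.168.43.1:53 off the TransPort redirect, and the dnsmasq-tornet0 unit resolves upstream via `-r /run/dnsmasq/resolv.conf`, so a client that retries a truncated answer over TCP (or queries TCP/53 directly) appears to be answered from the host's clear-net resolvers rather than through Tor. Making dnsmasq itself forward to Tor would close that path, e.g. adding `no-resolv` and `server=127.0.0.1#5353` to /etc/dnsmasq-tornet0.conf, and the redirect rule then becomes unnecessary. Minor: the task named `Allow all access to tcp port 53/udp (dns)` sets `proto: udp`, so the name should read `Allow access to udp port 53 (dns)`.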