first commit
commit
fd92b0fc7f
261
tornet.yml
Normal file
261
tornet.yml
Normal file
@ -0,0 +1,261 @@
|
||||
---
|
||||
- name: Tornet Debian Linux Setup
|
||||
hosts: defiant.dedyn.io tor-nas.dedyn.io
|
||||
tasks:
|
||||
|
||||
- name: Packages for tor
|
||||
apt:
|
||||
name:
|
||||
- tor
|
||||
- tor-geoipdb
|
||||
- privoxy
|
||||
- bridge-utils
|
||||
- ufw
|
||||
- dnsmasq
|
||||
update_cache: no
|
||||
install_recommends: no
|
||||
|
||||
- name: 'remove dnsmasq from startup'
|
||||
command: systemctl disable dnsmasq
|
||||
args:
|
||||
removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service
|
||||
|
||||
- name: 'stop dnsmasq'
|
||||
command: systemctl stop dnsmasq
|
||||
args:
|
||||
removes: /run/dnsmasq/dnsmasq.pid
|
||||
|
||||
- name: Tor Config
|
||||
blockinfile:
|
||||
path: /etc/tor/torrc
|
||||
create: yes
|
||||
mode: "0444"
|
||||
owner: root
|
||||
group: root
|
||||
insertbefore: BOF
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
||||
block: |
|
||||
# individual Tor-Config
|
||||
BridgeRelay 0
|
||||
SOCKSPort 0.0.0.0:9050
|
||||
ExitPolicy reject *:*
|
||||
#ControlPort 9051
|
||||
#HashedControlPassword 16:F7222A0CBC254E536056DCBBD27A7D051D68BCF1E9020681C0A3656B84
|
||||
# Seting up TOR transparent proxy for tor-router
|
||||
#VirtualAddrNetwork 10.192.0.0/10
|
||||
AutomapHostsOnResolve 1
|
||||
TransPort 0.0.0.0:9040
|
||||
DNSPort 0.0.0.0:5353
|
||||
# Falls outgping geblockt wird und nur 80/443 geht
|
||||
FascistFirewall 1
|
||||
backup: yes
|
||||
notify:
|
||||
- Restart tor
|
||||
|
||||
- name: Privoxy Config
|
||||
blockinfile:
|
||||
path: /etc/privoxy/config
|
||||
create: yes
|
||||
mode: "0444"
|
||||
owner: root
|
||||
group: root
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
||||
block: |
|
||||
# Privoxy-Tor-Connection
|
||||
listen-address 0.0.0.0:3128
|
||||
forward-socks5t / 127.0.0.1:9050 .
|
||||
backup: yes
|
||||
notify:
|
||||
- Restart privoxy
|
||||
|
||||
- name: Tor bridge
|
||||
blockinfile:
|
||||
path: /etc/network/interfaces.d/tornet0
|
||||
create: yes
|
||||
mode: "0444"
|
||||
owner: root
|
||||
group: root
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
||||
block: |
|
||||
auto tornet0
|
||||
iface tornet0 inet static
|
||||
bridge_ports none
|
||||
address 192.168.43.1
|
||||
broadcast 192.168.43.255
|
||||
netmask 255.255.255.0
|
||||
notify:
|
||||
- Restart tornet0
|
||||
|
||||
- name: start tornet0 if not exists
|
||||
ansible.builtin.command: ifup tornet0
|
||||
args:
|
||||
creates: /proc/sys/net/ipv6/conf/tornet0/disable_ipv6
|
||||
|
||||
- ansible.posix.sysctl:
|
||||
name: net.ipv6.conf.tornet0.disable_ipv6
|
||||
value: '1'
|
||||
state: present
|
||||
|
||||
- name: ufw firewall rules for transparent tor proxy in tornet0
|
||||
blockinfile:
|
||||
path: /etc/ufw/before.rules
|
||||
create: yes
|
||||
mode: "0440"
|
||||
owner: root
|
||||
group: root
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK for tornet0"
|
||||
insertbefore: BOF
|
||||
block: |
|
||||
*nat
|
||||
:POSTROUTING ACCEPT - [0:0]
|
||||
# Route network 192.168.43.0/24 (tornet0) to transparent Tor-Proxy (udp not supported by Tor)
|
||||
# Activate "normal" routing for non-Internet Networks
|
||||
-A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE
|
||||
-A PREROUTING -i tornet0 -d 127.0.0.0/8 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 10.0.0.0/8 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 192.168.0.0/16 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 172.16.0.0/12 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 0.0.0.0/8 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 100.64.0.0/10 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 169.254.0.0/16 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 192.0.0.0/24 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 192.0.2.0/24 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 192.88.99.0/24 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 198.18.0.0/15 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 198.51.100.0/24 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 203.0.113.0/24 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 224.0.0.0/4 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 240.0.0.0/4 -j RETURN
|
||||
-A PREROUTING -i tornet0 -d 255.255.255.255/32 -j RETURN
|
||||
# Redirect all TCP-Connections to transparent Tor-Proxy
|
||||
-A PREROUTING -i tornet0 -s 192.168.43.0/24 -p tcp --syn -j REDIRECT --to-ports 9040
|
||||
# Redirect DNS to TorDNS
|
||||
-A PREROUTING -i tornet0 -s 192.168.43.0/24 -d 192.168.43.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
|
||||
# Redirect all non TCP-Connections into nirvana because Tor only speaks TCP
|
||||
-A PREROUTING -i tornet0 -s 192.168.43.0/24 ! -p tcp -j DNAT --to 127.0.0.1:1
|
||||
COMMIT
|
||||
notify:
|
||||
- Restart ufw
|
||||
|
||||
- name: Allow Routing
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
route: yes
|
||||
interface_in: tornet0
|
||||
|
||||
- name: Allow all access to tcp port 53/udp (dns)
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: '53'
|
||||
proto: udp
|
||||
interface: tornet0
|
||||
direction: in
|
||||
|
||||
- name: Allow access to dhcp server
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: '67'
|
||||
proto: udp
|
||||
interface: tornet0
|
||||
direction: in
|
||||
|
||||
- name: Allow access to NTP server
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: '123'
|
||||
proto: udp
|
||||
interface: tornet0
|
||||
direction: in
|
||||
|
||||
- name: Allow access to tor
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: '9040'
|
||||
proto: tcp
|
||||
interface: tornet0
|
||||
direction: in
|
||||
|
||||
- name: dnsmasq DNS and DHCP for tornet0
|
||||
blockinfile:
|
||||
path: /etc/dnsmasq-tornet0.conf
|
||||
create: yes
|
||||
mode: "0444"
|
||||
owner: root
|
||||
group: root
|
||||
insertbefore: BOF
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
||||
block: |
|
||||
port=53
|
||||
interface=tornet0
|
||||
listen-address=192.168.43.1
|
||||
bind-interfaces
|
||||
except-interface=lo
|
||||
domain-needed
|
||||
bogus-priv
|
||||
dhcp-range=192.168.43.100,192.168.43.200,255.255.255.0,12h
|
||||
dhcp-option=option:ntp-server,192.168.43.1
|
||||
log-queries
|
||||
log-dhcp
|
||||
notify:
|
||||
- Restart dnsmasq-tornet0
|
||||
|
||||
- name: dnsmasq DNS and DHCP for tornet0 systemd
|
||||
blockinfile:
|
||||
path: /etc/systemd/system/dnsmasq-tornet0.service
|
||||
create: yes
|
||||
mode: "0444"
|
||||
owner: root
|
||||
group: root
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
||||
block: |
|
||||
[Unit]
|
||||
Description=dnsmasq tornet0 DNS and DHCP
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-tornet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-tornet0.conf --local-service
|
||||
PIDFile=/run/dnsmasq/dnsmasq-tornet0.pid
|
||||
KillMode=process
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
notify:
|
||||
- Restart dnsmasq-tornet0
|
||||
|
||||
- name: 'add dnsmasq-tornet0 to startup'
|
||||
command: systemctl enable dnsmasq-tornet0
|
||||
args:
|
||||
creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-tornet0.service
|
||||
|
||||
- name: 'start dnsmasq-tornet0'
|
||||
command: systemctl start dnsmasq-tornet0
|
||||
args:
|
||||
creates: /run/dnsmasq/dnsmasq-tornet0.pid
|
||||
|
||||
handlers:
|
||||
|
||||
- name: Restart tornet0
|
||||
ansible.builtin.shell: ifdown tornet0 ; ifup tornet0
|
||||
|
||||
- name: Restart tor
|
||||
service:
|
||||
name: tor
|
||||
state: restarted
|
||||
|
||||
- name: Restart privoxy
|
||||
service:
|
||||
name: privoxy
|
||||
state: restarted
|
||||
|
||||
- name: Restart ufw
|
||||
service:
|
||||
name: ufw
|
||||
state: restarted
|
||||
|
||||
- name: Restart dnsmasq-tornet0
|
||||
service:
|
||||
name: dnsmasq-tornet0
|
||||
state: restarted
|
||||
|