Score:0

How to exclude a domain from being routed through tor using iptables


I'm running a tor router on a Raspberry Pi with following iptables rules (wlan0: internal net with clients / wlan1: Internet):

:INPUT DROP [12:3771]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [544:242321]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -s 192.0.0.0/8 -i wlan0 -j LOG --log-prefix "SPOOFED PKT "
-A INPUT ! -s 192.0.0.0/8 -i wlan0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT ! -s 127.0.0.1/32 ! -d 127.0.0.1/32 ! -o lo -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -j DROP
COMMIT
# Completed on Sat Mar 18 22:30:17 2023
# Generated by iptables-save v1.8.7 on Sat Mar 18 22:30:17 2023
*nat
:PREROUTING ACCEPT [609109:124689904]
:INPUT ACCEPT [272613:29686827]
:OUTPUT ACCEPT [2131:306630]
:POSTROUTING ACCEPT [1583:253278]
-A PREROUTING -d 192.168.42.1/32 -i wlan0 -p tcp -j REDIRECT
-A PREROUTING -i wlan0 -p tcp -j REDIRECT --to-ports 9040
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i wlan0 -p udp -j REDIRECT --to-ports 9040
-A POSTROUTING -o wlan1 -j MASQUERADE
COMMIT

All is working fine. Using the browser on the client (connected to wlan0) to reach https://check.torproject.org/ shows that tor is used. I would like to add iptables rules to exclude certain domains from being routed through tor. These domains should be forwarded from the client to the destination and directly connect to the destination as we have with a simple NAT/MASQUERADING situation. For example, if we set the rule to exclude check.torproject.org (or the equivalent IP address we get from dig check.torproject.org +short), using the browser on the client should show me that tor is not used anymore.

I tried the following command to add such a rule:

sudo iptables -t nat -I PREROUTING 1 -i wlan0 -d `dig check.torproject.org +short`/32 -j ACCEPT

and alternatively:

sudo iptables -t nat -I PREROUTING 3 -i wlan0 -d <IPADDRESS>/32 -j ACCEPT

I also tried it in combination with:

sudo iptables -I FORWARD 1 -i wlan0 -d <IPADDRESS>/32 -j ACCEPT

In all these cases, the browser on the client keeps loading https://check.torproject.org/ forever. It seems that the browser doesn't get any response back. Do I have to add another iptables rule, or am I completely wrong?

Please don't add "solved" to your question, instead add the solution as an answer and accept it. Otherwise the question will stay as unsolved in the system forever.
HBruijn: https://serverfault.com/help/self-answer
radio_24: Thanks, changed as recommended.
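The symptom in the question (the page never loads once the REDIRECT is skipped) is what a FORWARD chain with policy DROP and no ESTABLISHED rule produces: a `-j ACCEPT` in nat PREROUTING only means "do not NAT this packet", after which the packet is forwarded normally and both it and its reply are dropped in FORWARD. The following script is an added example, not part of the question or either answer: it reads an `iptables-save` dump and reports which FORWARD rules are missing for a bypass flow between a client interface and an Internet interface. The sample rules are the filter table from the question's dump (trimmed to the lines that matter, with the `*filter` header the pasted dump lost) plus a second, "fixed" copy; nothing is applied to a live firewall.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the FORWARD rules a bypassed
# (non-Tor) flow needs. Assumptions: client interface wlan0, Internet interface
# wlan1, as in the question; ipset name "clearnet-list" as in the self-answer.

# Constructed input: the question's filter table, relevant lines only.
BASE_RULES='*filter
:INPUT DROP [12:3771]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [544:242321]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 0 -j ACCEPT'

SAMPLE_RULES="$BASE_RULES
COMMIT"

# The same table after the two FORWARD rules the self-answer ended up adding.
FIXED_RULES="$BASE_RULES
-A FORWARD -i wlan1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o wlan1 -m set --match-set clearnet-list dst -j ACCEPT
COMMIT"

# forward_policy RULES : print the default policy of the FORWARD chain
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# forward_accepts RULES ERE : succeed if an "-A FORWARD ... -j ACCEPT" line
# contains a match for the extended regex ERE
forward_accepts() {
    printf '%s\n' "$1" | grep -qE -e "^-A FORWARD .*$2 .*-j ACCEPT$"
}

# audit_forward RULES LAN WAN : print one "missing:" line per FORWARD rule that
# LAN->WAN bypass traffic still needs, or "ok" when nothing is missing.
audit_forward() {
    rules=$1; lan=$2; wan=$3; missing=0
    # With policy ACCEPT every forwarded packet passes; with DROP, as in the
    # question, each direction needs an explicit ACCEPT.
    if [ "$(forward_policy "$rules")" != ACCEPT ]; then
        if ! forward_accepts "$rules" "-i $lan -o $wan"; then
            echo "missing: -A FORWARD -i $lan -o $wan -j ACCEPT   # client -> Internet"
            missing=$((missing + 1))
        fi
        # The reply direction is the rule the question's attempts lacked.
        if ! forward_accepts "$rules" \
            '-(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED)'; then
            echo "missing: -A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies"
            missing=$((missing + 1))
        fi
    fi
    [ "$missing" -eq 0 ] && echo ok
    return 0
}

audit_forward "$SAMPLE_RULES" wlan0 wlan1
audit_forward "$FIXED_RULES" wlan0 wlan1
```

On a live router the same check is `audit_forward "$(sudo iptables-save -t filter)" wlan0 wlan1`. It is a static read of the ruleset only: it does not verify that `net.ipv4.ip_forward` is 1 or that the MASQUERADE rule in the nat table is present, both of which the bypassed flow also needs.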
Score:1

After hours of trying and researching, I decided to take a different approach and to use ipset. Based on the already existing configuration (see the iptables dump at the top), I had to use the following commands:

# Create and configure clearnet-list with ipset
sudo ipset create clearnet-list hash:ip
sudo ipset add clearnet-list <IPADDRESS> -exist

# -i is the interface where the clients are connected to the TorBox
# Delete rules which are no longer needed
sudo iptables -t nat -D PREROUTING -i wlan0 -p tcp -j REDIRECT --to-ports 9040
sudo iptables -t nat -D PREROUTING -i wlan0 -p udp -j REDIRECT --to-ports 9040

# Add new rules with ipset / clearnet-list support --> IP addresses which are NOT on the clearnet-list are routed through tor (which means: most of them)
sudo iptables -t nat -I PREROUTING 3 -i wlan0 -m set ! --match-set clearnet-list dst -p tcp -j REDIRECT --to-port 9040
sudo iptables -t nat -I PREROUTING 7 -i wlan0 -m set ! --match-set clearnet-list dst -p udp -j REDIRECT --to-port 9040

# -i is the interface with the clients / -o is the interface with the Internet on it
# IP addresses which are on the clearnet-list are routed directly through the Internet without tor
sudo iptables -I FORWARD 2 -i wlan0 -o eth0 -m set --match-set clearnet-list dst -j ACCEPT

# -i is the interface with the Internet on it / -o is the interface with the clients
# This rule is needed to route the responses back to the client
sudo iptables -I FORWARD 1 -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
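The answer above positions its rules with numeric indexes (`-I PREROUTING 3`, `-I PREROUTING 7`), which only line up with the rule counts of that particular dump. The script below is an added example, not the answer's own script: it emits the same ipset and iptables setup but hangs the exclusion off a dedicated nat chain jumped to at position 1, uses `-C` checks so it can be re-run, and keeps the two FORWARD rules from the answer. The set name `clearnet-list` comes from the answer; the chain name `CLEARNET` and the interface names are assumptions. Nothing is executed; the function prints commands for review.

```shell
#!/bin/sh
# Added example: print the ipset/iptables commands for a Tor bypass list using a
# dedicated nat chain, so the exclusion runs before the REDIRECT rules however
# many rules PREROUTING already holds. Hypothetical names: chain "CLEARNET";
# set "clearnet-list" as in the self-answer.

# gen_clearnet LAN WAN IP... : print the commands for client interface LAN,
# Internet interface WAN and the listed destination IPv4 addresses.
gen_clearnet() {
    lan=$1; wan=$2; shift 2
    echo "ipset create clearnet-list hash:ip -exist"
    for ip in "$@"; do
        echo "ipset add clearnet-list $ip -exist"
    done
    # nat: the chain ACCEPTs (i.e. applies no REDIRECT) when the destination is
    # in the set. ACCEPT ends nat PREROUTING traversal; RETURN inside a user
    # chain would fall back into the REDIRECT rules that follow the jump.
    echo "iptables -t nat -N CLEARNET 2>/dev/null || iptables -t nat -F CLEARNET"
    echo "iptables -t nat -A CLEARNET -m set --match-set clearnet-list dst -j ACCEPT"
    echo "iptables -t nat -C PREROUTING -i $lan -j CLEARNET 2>/dev/null || iptables -t nat -I PREROUTING 1 -i $lan -j CLEARNET"
    # filter: with FORWARD policy DROP both directions need an ACCEPT; the reply
    # rule is the one the question's attempts were missing.
    echo "iptables -C FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || iptables -I FORWARD 1 -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -C FORWARD -i $lan -o $wan -m set --match-set clearnet-list dst -j ACCEPT 2>/dev/null || iptables -I FORWARD 1 -i $lan -o $wan -m set --match-set clearnet-list dst -j ACCEPT"
    # The existing "-A POSTROUTING -o WAN -j MASQUERADE" already SNATs the
    # bypassed flows, so no nat rule is added for them.
}

# Example run with the question's interfaces and two constructed addresses
# (203.0.113.0/24 is documentation space, not a real destination).
gen_clearnet wlan0 wlan1 203.0.113.10 203.0.113.11
```

Review the output, then run it as root (`gen_clearnet wlan0 wlan1 ... | sudo sh`). Because the jump sits at position 1 of nat PREROUTING, a listed address is excluded from every REDIRECT in that chain, including the UDP 53 redirect to Tor's DNSPort if the address happens to be the client's configured resolver; keep that in mind before listing a DNS server.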
Score:0

You need to add rules to the PREROUTING chain of the nat table. The rules you have tried to add are not correct because they only allow incoming traffic to the excluded domains, not outgoing traffic.

EXAMPLE:

sudo iptables -t nat -I PREROUTING 1 -i wlan0 -d 138.201.14.212/32 -j RETURN

This rule should be added before the existing rules that redirect traffic to Tor.

You need to use the IP address of the domain you want to exclude, not its hostname because iptables works with IP addresses, not hostnames.

Some websites could be using multiple IP addresses or CDNs, so you may need to exclude multiple IP addresses to fully bypass Tor for these websites.
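Both answers run into the same practical problem: iptables and ipset take addresses, a name can resolve to several of them, and `dig +short` prints any CNAME hops before the A records, so a one-liner like `-d \`dig name +short\`/32` breaks as soon as the name is a CNAME or has more than one address. The script below is an added example, not from either answer: it extracts only the IPv4 lines from `dig +short` output, reads the current members from `ipset save` output, and prints the `ipset add`/`ipset del` commands that bring the set in line with the current resolution, so stale CDN addresses are removed as well as new ones added. The set name `clearnet-list` is taken from the self-answer; the dig and ipset output used here is constructed.

```shell
#!/bin/sh
# Added example: reconcile the bypass ipset with what a name resolves to now.
# Assumes the set "clearnet-list" from the self-answer; sample data constructed.

# dig_ipv4 OUTPUT : keep only the IPv4 address lines of "dig NAME +short"
# output (CNAME lines and anything else are dropped), one per line, sorted.
dig_ipv4() {
    printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# ipset_members SET SAVE_OUTPUT : members of SET from "ipset save SET" output,
# whose member lines look like "add SET ADDRESS".
ipset_members() {
    printf '%s\n' "$2" | sed -n "s/^add $1 //p" | sort -u
}

# ipset_sync SET CURRENT WANTED : print the ipset commands that turn the
# CURRENT member list (one address per line) into WANTED. Nothing is executed.
ipset_sync() {
    set_name=$1; cur=$2; want=$3
    for ip in $want; do
        printf '%s\n' "$cur" | grep -qxF "$ip" || echo "ipset add $set_name $ip -exist"
    done
    for ip in $cur; do
        printf '%s\n' "$want" | grep -qxF "$ip" || echo "ipset del $set_name $ip -exist"
    done
}

# Constructed "dig NAME +short" output: one CNAME hop, then two A records.
DIG_OUTPUT='edge.example-cdn.net.
203.0.113.11
203.0.113.10'

# Constructed "ipset save clearnet-list" output: one address still current,
# one the name no longer resolves to.
IPSET_SAVE='create clearnet-list hash:ip family inet hashsize 1024 maxelem 65536
add clearnet-list 203.0.113.10
add clearnet-list 198.51.100.7'

ipset_sync clearnet-list \
    "$(ipset_members clearnet-list "$IPSET_SAVE")" \
    "$(dig_ipv4 "$DIG_OUTPUT")"
```

Against a live router this becomes `ipset_sync clearnet-list "$(ipset_members clearnet-list "$(sudo ipset save clearnet-list)")" "$(dig_ipv4 "$(dig check.torproject.org +short)")" | sudo sh`, run from cron if the target uses a CDN. One caveat the resolution step cannot remove: the router resolves the name with its own resolver, while the clients' DNS is redirected to Tor's DNSPort (port 9053 in the question's rules), so a CDN may hand the client an address that is not in the set, in which case that connection still goes through Tor.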
