initial commit

this container with NET_ADMIN and NET_RAW privileges is fully inside the
tor router that it spins up.

Which is nice for itself, but then other container can link and use the
network as well.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

Dockerfile

@@ -0,0 +1,31 @@
+# run a tor socks proxy in a container
+#
+# docker run -d \
+#	--restart always \
+#	-v /etc/localtime:/etc/localtime:ro \
+#	-p 9050:9050 \
+# 	--name torproxy \
+# 	jess/tor-proxy
+#
+FROM r.batts.cloud/debian:bookworm
+LABEL maintainer "vbatts <vbatts@hashbangbash.com>"
+
+RUN apt update && \
+    apt install -y --no-install-recommends tor iptables gosu && \
+    rm -rf /var/lib/apt/lists/*
+
+# expose socks port
+EXPOSE 9050
+
+# copy in our torrc file
+COPY torrc.default /etc/tor/torrc.ours
+COPY rc.firewall /etc/rc.firewall
+COPY entrypoint.sh /entrypoint.sh
+
+# make sure files are owned by tor user
+RUN chown -R debian-tor /etc/tor
+
+# running as limited user from inside the entrypoint.sh
+#USER debian-tor
+
+ENTRYPOINT [ "/entrypoint.sh" ]

docker-compose.yml

@@ -0,0 +1,18 @@
+version: "3"
+services:
+  tor:
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+    read_only: true
+    tmpfs:
+      - /tmp
+    #network_mode: "host"
+    restart: 'unless-stopped'
+    volumes:
+      - torlib:/var/lib/tor
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+volumes:
+  torlib:

entrypoint.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -eu
+
+# first as root
+/bin/sh /etc/rc.firewall
+
+# then as limited user
+exec /usr/sbin/gosu debian-tor:debian-tor /usr/bin/tor -f /etc/tor/torrc.ours

rc.firewall

@@ -0,0 +1,40 @@
+#!/bin/sh
+set -eu
+### set variables
+#destinations you don't want routed through Tor
+_non_tor="192.168.1.0/24 192.168.0.0/24"
+
+#the UID that Tor runs as (varies from system to system)
+_tor_uid="$(id -u debian-tor)"
+
+#Tor's TransPort
+_trans_port="9040"
+_dns_port="5353"
+
+### flush iptables
+iptables -F
+iptables -t nat -F
+
+### set iptables *nat
+iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
+iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $_dns_port
+
+#allow clearnet access for hosts in $_non_tor
+for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
+   iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
+done
+
+#redirect all other output to Tor's TransPort
+iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
+
+### set iptables *filter
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+#allow clearnet access for hosts in $_non_tor
+for _clearnet in $_non_tor 127.0.0.0/8; do
+   iptables -A OUTPUT -d $_clearnet -j ACCEPT
+done
+
+#allow only Tor output
+iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
+iptables -A OUTPUT -j REJECT

torrc.default

@@ -0,0 +1,10 @@
+#User debian-tor
+SocksPort 0.0.0.0:9050
+#Log debug stderr
+Log warn stderr
+DataDirectory /var/lib/tor
+DataDirectoryGroupReadable 1
+AutomapHostsOnResolve 1
+DNSPort 5353
+TransPort 9040
+VirtualAddrNetworkIPv4 10.192.0.0/10