initial commit

this container with NET_ADMIN and NET_RAW privileges is fully inside the
tor router that it spins up.

Which is nice for itself, but then other container can link and use the
network as well.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
This commit is contained in:
Vincent Batts 2024-06-21 14:49:14 -04:00
parent ebc37e3d7e
commit a237673e5c
5 changed files with 107 additions and 0 deletions

31
Dockerfile Normal file
View file

@ -0,0 +1,31 @@
# run a tor socks proxy in a container
#
# docker run -d \
# --restart always \
# -v /etc/localtime:/etc/localtime:ro \
# -p 9050:9050 \
# --name torproxy \
# jess/tor-proxy
#
FROM r.batts.cloud/debian:bookworm
LABEL maintainer "vbatts <vbatts@hashbangbash.com>"
RUN apt update && \
apt install -y --no-install-recommends tor iptables gosu && \
rm -rf /var/lib/apt/lists/*
# expose socks port
EXPOSE 9050
# copy in our torrc file
COPY torrc.default /etc/tor/torrc.ours
COPY rc.firewall /etc/rc.firewall
COPY entrypoint.sh /entrypoint.sh
# make sure files are owned by tor user
RUN chown -R debian-tor /etc/tor
# running as limited user from inside the entrypoint.sh
#USER debian-tor
ENTRYPOINT [ "/entrypoint.sh" ]

18
docker-compose.yml Normal file
View file

@ -0,0 +1,18 @@
version: "3"
services:
tor:
build:
context: .
dockerfile: ./Dockerfile
read_only: true
tmpfs:
- /tmp
#network_mode: "host"
restart: 'unless-stopped'
volumes:
- torlib:/var/lib/tor
cap_add:
- NET_ADMIN
- NET_RAW
volumes:
torlib:

8
entrypoint.sh Executable file
View file

@ -0,0 +1,8 @@
#!/bin/sh
set -eu
# first as root
/bin/sh /etc/rc.firewall
# then as limited user
exec /usr/sbin/gosu debian-tor:debian-tor /usr/bin/tor -f /etc/tor/torrc.ours

40
rc.firewall Normal file
View file

@ -0,0 +1,40 @@
#!/bin/sh
set -eu
### set variables
#destinations you don't want routed through Tor
_non_tor="192.168.1.0/24 192.168.0.0/24"
#the UID that Tor runs as (varies from system to system)
_tor_uid="$(id -u debian-tor)"
#Tor's TransPort
_trans_port="9040"
_dns_port="5353"
### flush iptables
iptables -F
iptables -t nat -F
### set iptables *nat
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $_dns_port
#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
done
#redirect all other output to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
### set iptables *filter
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/8; do
iptables -A OUTPUT -d $_clearnet -j ACCEPT
done
#allow only Tor output
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT

10
torrc.default Normal file
View file

@ -0,0 +1,10 @@
#User debian-tor
SocksPort 0.0.0.0:9050
#Log debug stderr
Log warn stderr
DataDirectory /var/lib/tor
DataDirectoryGroupReadable 1
AutomapHostsOnResolve 1
DNSPort 5353
TransPort 9040
VirtualAddrNetworkIPv4 10.192.0.0/10