Firewall4 nftables redirect port to Tor

With the new firewall4 system, how could one accomplish redirection to the Tor TransPort?

With the previous setup I could make it with:
iptables -tnat -I PREROUTING -i br-lan -p tcp -d 0.0.0.0/0 --dport 80 -j REDIRECT --to-ports 9040

You can create the same rule using uci and it will be translated into an nftables redirect rule.

uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='Redirect-HTTP-to-Tor'
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_dport='80'
uci set firewall.@redirect[-1].dest_port='9040'
uci commit firewall
fw4 restart

If you want to check the result:

nft list chain inet fw4 dstnat_lan

great, thanks!

pavelgl,

I don't know why, but this is not working for me. It creates a port-forwards rule, not a traffic rule?

# nft list chain inet fw4 dstnat_lan
table inet fw4 {
        chain dstnat_lan {
                ip saddr 192.168.100.0/24 ip daddr 192.168.117.174 tcp dport 122 dnat ip to 192.168.100.1:22 comment "!fw4: ssh forward (reflection)"
                ip saddr 192.168.100.0/24 ip daddr 192.168.117.174 tcp dport 80 dnat ip to 192.168.100.1:80 comment "!fw4: http forward (reflection)"
                ip saddr 192.168.100.0/24 ip daddr 192.168.117.174 tcp dport 443 dnat ip to 192.168.100.1:443 comment "!fw4: https forward (reflection)"
                ip saddr 192.168.100.0/24 ip daddr 192.168.117.174 tcp dport 5201 dnat ip to 192.168.100.1:5201 comment "!fw4: iperf3 forward (reflection)"
                ip saddr 192.168.100.0/24 ip daddr 192.168.117.174 udp dport 5201 dnat ip to 192.168.100.1:5201 comment "!fw4: iperf3 forward (reflection)"
                meta nfproto ipv4 tcp dport 80 counter packets 4 bytes 256 redirect to :9040 comment "!fw4: Redirect-HTTP-to-Tor"
        }
}

What did work was the following in firewall.user:

iptables -t nat -A PREROUTING -i lan -p udp --dport 53 -j REDIRECT --to-port 9053
iptables -t nat -A PREROUTING -i lan -p tcp --syn -j REDIRECT --to-port 9040

But so far I have not been able to do this in fw4.

DG.

You cannot use "logical" interface names when creating custom iptables rules.
The rule will be created but it won't work. I assume you meant br-lan.

This rule can be created using uci.

I'm not sure you can use uci to create this one because I don't know if fw4 supports the option extra.
BTW, it will redirect any TCP packet with the SYN flag to Tor, and you won't be able to access the router unless you set some exceptions.

Your iptables rules translated into nftables syntax (with some corrections) should look like this:

cat << "EOF" > /etc/nftables.d/20-tor.nft
chain redirect_to_tor {
     type nat hook prerouting priority -101;
     iifname "br-lan" meta nfproto ipv4 udp dport 53 counter redirect to :9053
     iifname "br-lan" meta nfproto ipv4 tcp flags syn fib daddr type != { local, broadcast } counter redirect to :9040
}
EOF
fw4 restart

pavelgl,

I'm more a hardware than a software guy, so about firewalls I'm a noob.

The weird thing is, I tried -i br-lan instead of -i lan on a v21.02.2 OpenWrt VM for the rule:
iptables -t nat -A PREROUTING -i lan -p tcp --syn -j REDIRECT --to-port 9040, as you pointed out.
But then all clients have no internet anymore, behind Tor. (The proxy server is refusing connections)

The other rule however:
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 9053, works whether I use br-lan or lan.
Could this be due to: br-lan = lan = eth0 (only 1 port) and wan = eth1 ?

network-config of the VM:

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd12:1a2a:88ed::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.110.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option device 'br-lan'

config interface 'wan'
	option _orig_ifname 'eth1'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.117.252'
	option netmask '255.255.255.0'
	option gateway '192.168.117.1'
	option delegate '0'
	option device 'eth1'

config interface 'tor'
	option proto 'static'
	option ipaddr '10.193.54.24'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

(the Tor interface is just virtual, not connected to anything)

It worked for me for over 5 years, but on v22.03.0 OpenWrt runs nftables instead of iptables and my firewall.user file is not used anymore.
I have been looking for over a week for an answer and have not yet found a working solution.

I also tried your new config on a v22.03.0-rc6 machine, but so far there is no internet response on the clients; they can still access the router.
With the new 20-tor.nft file, the check command nft list chain inet fw4 dstnat_lan gives:

# nft list chain inet fw4 dstnat_lan
table inet fw4 {
        chain dstnat_lan {
                ip saddr 192.168.100.0/24 ip daddr 192.168.117.174 tcp dport 122 dnat ip to 192.168.100.1:22 comment "!fw4: ssh forward (reflection)"
                ip saddr 192.168.100.0/24 ip daddr 192.168.117.174 tcp dport 80 dnat ip to 192.168.100.1:80 comment "!fw4: http forward (reflection)"
                ip saddr 192.168.100.0/24 ip daddr 192.168.117.174 tcp dport 443 dnat ip to 192.168.100.1:443 comment "!fw4: https forward (reflection)"
                ip saddr 192.168.100.0/24 ip daddr 192.168.117.174 tcp dport 5201 dnat ip to 192.168.100.1:5201 comment "!fw4: iperf3 forward (reflection)"
                ip saddr 192.168.100.0/24 ip daddr 192.168.117.174 udp dport 5201 dnat ip to 192.168.100.1:5201 comment "!fw4: iperf3 forward (reflection)"
        }
}

Where are the rules from the 20-tor.nft file?

DG.

Ok, I found where the rules go: Status / Firewall (not to be confused with LuCI's Network / Firewall).

Although it doesn't work as required.

And there is no option (yet) within the LuCI web GUI to change these new fw4 settings?

DG.

No.

I've never used Tor before, but it took me less than 3 minutes to get it working (on 22.03.0-rc4) by reading the guide and using the predefined configuration.

root@OpenWrt:~# cat /etc/tor/custom
AutomapHostsOnResolve 1
AutomapHostsSuffixes .
VirtualAddrNetworkIPv4 172.16.0.0/12
#VirtualAddrNetworkIPv6 fc00::/7
DNSPort 0.0.0.0:9053
#DNSPort [::]:9053
TransPort 0.0.0.0:9040
#TransPort [::]:9040
root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/tor

config tor 'conf'
        option default '/etc/tor/torrc'
        option generated '/tmp/torrc'
        list tail_include '/etc/tor/custom'

IPv6 was disabled by me.

Verify that Tor is listening on the specified ports:

root@OpenWrt:~# netstat -nlp | grep tor
tcp        0      0 0.0.0.0:9040            0.0.0.0:*               LISTEN      4380/tor
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4380/tor
udp        0      0 0.0.0.0:9053            0.0.0.0:*                           4380/tor

Why do I see "lan" here?
Run the suggested code that creates additional fw4 rules again to rewrite /etc/nftables.d/20-tor.nft, but before that run

ifstatus lan | grep \"device | awk '{ print $2 }' | sed 's/[",]//g'

If you get something other than br-lan, change iifname accordingly.

Generate some traffic and check the rules for hits

root@OpenWrt:~# nft list chain inet fw4 redirect_to_tor
table inet fw4 {
        chain redirect_to_tor {
                type nat hook prerouting priority dstnat - 1; policy accept;
                iifname "br-lan" meta nfproto ipv4 udp dport 53 counter packets 51 bytes 4026 redirect to :9053
                iifname "br-lan" meta nfproto ipv4 tcp flags syn fib daddr type != { local, broadcast } counter packets 59 bytes 3068 redirect to :9040
        }
}

Verify that you are using Tor.


pavelgl,

Thanks a lot for your info! I did not see the changes to the mentioned guide after December last year.
From now on I will follow that.

I have Tor working with OpenWrt v21.02.x on VMware and ZyXEL P-2812HNU-F1 until now,
but discovered that it didn't work on v22+, with my old settings.

A lot of the tor-transport items from the guide I have (and had) in torrc file.
But, some of them are changed, like VirtualAddrNetwork instead of VirtualAddrNetworkIPv4.

And yes Tor is running:

# netstat -nlp | grep tor
tcp        0      0 127.0.0.1:9040          0.0.0.0:*               LISTEN      4792/tor
tcp        0      0 192.168.100.1:9050      0.0.0.0:*               LISTEN      4792/tor
udp        0      0 127.0.0.1:9053          0.0.0.0:*                           4792/tor

Although with slightly different IPs? That I have to check / adjust (with Privoxy).
I also have some issues with Tor 0.4.7.10: it's flooding its logfile (1MB / min) with Heartbeat messages and using 100% CPU on one core. Adjusting this in torrc also does not help much: HeartbeatPeriod 90 weeks gives a message every 2 seconds, 1MB / hour.
But that's another (Tor) issue.

Quote: Why do I see "lan" here?
I just tried lan instead of br-lan, tried both, as lan only worked on v21.
On the new config it did not show any difference (yet).

Your command: ifstatus lan | grep \"device | awk '{ print $2 }' | sed 's/[",]//g'
Returns nicely br-lan, so I should use that from now on.

It looks almost working, only no traffic yet.

# nft list chain inet fw4 redirect_to_tor
table inet fw4 {
        chain redirect_to_tor {
                type nat hook prerouting priority dstnat - 1; policy accept;
                iifname "br-lan" meta nfproto ipv4 udp dport 53 counter packets 0 bytes 0 redirect to :9053
                iifname "br-lan" meta nfproto ipv4 tcp flags syn fib daddr type != { local, broadcast } counter packets 0 bytes 0 redirect to :9040
        }
}

In the guide they mention to install iptables-mod-extras, which at this moment is not available?
On v21 I have iptables in use; on the new v22+ build, not even both.

Privoxy is also used on the older v21 and newer v22+ machines.

And that's the culprit, Privoxy.
I had to adjust torrc with the right IP addresses (netstat -nlp | grep tor), and SocksPort needs ip address:port due to Privoxy & Tor, not only the port.
(Btw, I also don't use ipv6 :wink: )

Have it all running now!
Although port 53 is not showing any data traffic (nft list chain inet fw4 redirect_to_tor), most probably also due to Privoxy's filter; Tor does the DNS.

Thanks again pavelgl, especially for all the commands, which I won't forget!

DG.

Not working on 22.03.0 and R7800.

Can also confirm the wiki for setting up the Tor client does not work in 22.03.0. The only warning I get is about the extra arguments in the redirect rules. As far as I understand, this has to do with fw4 not using that parameter anymore. Has anybody successfully set up the Tor client in 22.03.0 using fw4 rules? Thanks.

Follow the guide, but replace

with

uci add firewall include
uci set firewall.@include[-1].type='nftables'
uci set firewall.@include[-1].path='/etc/tor.nft'
uci set firewall.@include[-1].position='chain-pre'
uci set firewall.@include[-1].chain='dstnat'

cat << "EOF" > /etc/tor.nft
iifname "br-lan" meta nfproto { ipv4, ipv6 } tcp flags syn fib daddr type != { local, broadcast } counter redirect to :9040
EOF
uci commit firewall
fw4 restart
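Tying pavelgl's two checks upthread (the ifstatus device lookup and inspecting the chain's counters for zero hits) to the include-file approach above, here is an added helper script that is not from this thread or from OpenWrt. It assumes Tor listens on TransPort 9040 and DNSPort 9053 and reads constructed sample output instead of a live router.

```shell
#!/bin/sh
# Added helper for the fw4 + Tor setup discussed in this thread (not from the
# thread or from OpenWrt). Assumptions: Tor listens on TransPort 9040 and
# DNSPort 9053; sample inputs below are constructed, not captured.

# The thread's pipeline for the physical device behind the "lan" interface,
# wrapped so it reads `ifstatus lan` JSON from stdin instead of a live router.
lan_device() {
    grep '"device' | awk '{ print $2 }' | sed 's/[",]//g'
}

# Render the rules for the fw4 include (position=chain-pre, chain=dstnat).
# $1 LAN device, $2 DNSPort, $3 TransPort, $4 nfproto (default ipv4).
# The fib check keeps traffic addressed to the router itself (SSH, LuCI,
# dnsmasq) out of Tor; without it the router becomes unreachable.
render_tor_nft() {
    dev=$1 dns=$2 trans=$3 proto=${4:-ipv4}
    printf 'iifname "%s" meta nfproto %s udp dport 53 counter redirect to :%s\n' "$dev" "$proto" "$dns"
    printf 'iifname "%s" meta nfproto %s tcp flags syn fib daddr type != { local, broadcast } counter redirect to :%s\n' "$dev" "$proto" "$trans"
}

# Read `nft list chain inet fw4 redirect_to_tor` output from stdin and print
# every rule whose counter is still zero: a rule that never matches is the
# "no traffic yet" symptom from the thread (wrong iifname or nfproto).
zero_hit_rules() {
    awk '/counter packets 0 bytes 0/ { sub(/^[ \t]+/, ""); print }'
}

# Constructed sample inputs.
IFSTATUS_SAMPLE='{
        "up": true,
        "l3_device": "br-lan",
        "device": "br-lan",
        "ipv4-address": [ { "address": "192.168.110.1", "mask": 24 } ]
}'
NFT_SAMPLE='table inet fw4 {
        chain redirect_to_tor {
                type nat hook prerouting priority dstnat - 1; policy accept;
                iifname "br-lan" meta nfproto ipv4 udp dport 53 counter packets 0 bytes 0 redirect to :9053
                iifname "br-lan" meta nfproto ipv4 tcp flags syn fib daddr type != { local, broadcast } counter packets 59 bytes 3068 redirect to :9040
        }
}'

DEV=$(printf '%s\n' "$IFSTATUS_SAMPLE" | lan_device)
echo "LAN device: $DEV"
echo "--- /etc/tor.nft ---"
render_tor_nft "$DEV" 9053 9040
echo "--- rules with zero hits ---"
printf '%s\n' "$NFT_SAMPLE" | zero_hit_rules
```

On a router, replace the samples with `ifstatus lan | lan_device` and `nft list chain inet fw4 redirect_to_tor | zero_hit_rules`; a rule listed by the second command after generating traffic has never matched, which is the first thing to check before blaming Tor or Privoxy.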

Can confirm this works. Thank you!

thank you for this.
Do I have to install iptables-mod-extra for this to work?