
Comments (57)

ruped24 avatar ruped24 commented on May 28, 2024

Error 1: iptables v1.6.0: owner: Bad value for "--uid-owner"

[1] It's looking for debian base distro's tor user name. Look in your /etc/group file for the tor user name.
Try this fix: Replace debian-tor with suse tor user name
Line 29: self.tor_uid = getoutput("id -ur debian-tor")

Error 2: [!] Command failed: ['service', 'tor', 'restart']

[2] Suse is using systemctl, whereas debian uses service
Try this fix:
Line 54: tor_restart = check_call(["service", "tor", "restart"],
Replace with:
Line 54: tor_restart = check_call(["systemctl", "restart", "tor.service"],

Note: I don't have a Suse box handy to test it. Let me know if you are still having problems.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Look in your /etc/group file for the tor user name.

Thanks for your help, but there currently is none. Have a look in your E-Mails, please.

Line 54: tor_restart = check_call(["service", "tor", "restart"],
Replace with:
Line 54: tor_restart = check_call(["systemctl", "start", "tor.service"]

I've added the second fix and will wait for your reply on your answer on the first.
Are you going to update your script after I've confirmed that these fixes work?

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024
  1. Is tor installed? Or look in /etc/passwd
  2. It probably uses the name tor, and NOT debian-tor
  3. The script was written for pentesting distros (kali linux). Which most are Debian base (apt-get).
  4. If I were to add other distros (I tried), it will require checking e.g. sysV or systemd or upstart and tor username (id) ... The user id is the tough one to get right.

Once you get it working. I can post a how-to for rpm based distros.
If it's simple enough, I can do #4. The tricky part is getting the tor
user id right (every time) on all distros.

Let's see what the fix looks like, then I can write a patch for you and a
script to patch it.

Your main problem now is finding the tor user name. I don't have a Suse
box I can spin up right now. Time is my enemy :(

Let me know your findings ...

from toriptables2.
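The two per-distro differences discussed above (the Tor account name and the service manager) can be probed instead of hard-coded, so a missing account is reported as such rather than surfacing as the iptables `--uid-owner` error. This is an added example, not code from toriptables2; the function names, the candidate list and the sample passwd entries are assumptions made for illustration.

```python
import os

# Candidate account names. "debian-tor" and "tor" come from the thread;
# extend the tuple for other distros (assumption: one of these exists).
TOR_USER_CANDIDATES = ("debian-tor", "tor")


def parse_passwd(text):
    """Map account name -> numeric uid from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed entry: skip it instead of guessing
        users[fields[0]] = int(fields[2])
    return users


def find_tor_uid(passwd_text, candidates=TOR_USER_CANDIDATES):
    """Return (name, uid) of the first candidate present, else raise."""
    users = parse_passwd(passwd_text)
    for name in candidates:
        if name in users:
            return name, users[name]
    raise LookupError("no tor account found; is the tor daemon installed?")


def systemd_is_running():
    """systemd creates this directory at boot (see sd_booted(3))."""
    return os.path.isdir("/run/systemd/system")


def restart_command(systemd_running):
    """Pick between the two restart invocations named in the thread."""
    if systemd_running:
        return ["systemctl", "restart", "tor.service"]
    return ["service", "tor", "restart"]


# Constructed sample inputs, not taken from a real host.
SUSE_PASSWD = """root:x:0:0:root:/root:/bin/bash
tor:x:479:478:Tor daemon:/var/lib/tor:/sbin/nologin
"""
DEBIAN_PASSWD = """root:x:0:0:root:/root:/bin/bash
debian-tor:x:109:114::/var/lib/tor:/bin/false
"""
BROWSER_ONLY_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"

if __name__ == "__main__":
    with open("/etc/passwd") as handle:
        print(find_tor_uid(handle.read()))
    print(restart_command(systemd_is_running()))
```

`BROWSER_ONLY_PASSWD` models a host where only torbrowser-launcher is installed, so no daemon account exists and `find_tor_uid` raises `LookupError`.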

SecUpwN avatar SecUpwN commented on May 28, 2024
  1. Is tor installed? Or look in /etc/passwd

Actually, I am only using the torbrowser-launcher, which was installable via YaST or the terminal command zypper in torbrowser-launcher. So there is nothing related to be found in /etc/passwd either.

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024
  1. You need to install the official tor binary from your repo or tor website.
  2. Type tor at the command line. You should get back some stuff ....
  3. Then look again ... Or try the default name "tor"

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024
  1. You need to install the official tor binary from your repo or tor website.

Did that, worked flawlessly.

  1. Type tor at the command line. You should get back some stuff ....

Did that, tor bootstraps and connects as it should.

  1. Then look again ... Or try the default name "tor"

Tried your script again after modifying line 54 to say tor_restart = check_call(["systemctl", "start", "tor.service"] and changed debian-tor to tor. Result: [!] Can't get public ip address!

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024
  1. Better ...
  2. Run the test on check.torproject.org
  3. If the tor node is slow, it may time out fetching your public IP address, hence the error.
    The error doesn't mean you are not anonymized... The message should state that it means slow node.
  4. Rerun the script -- It will get a new ip address (node).

To check the iptables rules:

iptables -S
iptables -S  -t nat

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024
  1. Run the test on check.torproject.org

When running sudo tor via command line and checking via the normal browser, the check fails.

  1. Rerun the script -- It will get a new ip address (node).

I did in a separate terminal window while sudo tor ran in the other one. Result:

[!] Command failed: ['systemctl', 'start', 'tor.service']

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

My Error:
['systemctl', 'start', 'tor.service']
Correction:
['systemctl', 'restart', 'tor.service']
Or:
['service', 'tor', 'restart']

Try it on the command line to see if it starts.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024
  1. You may need to enable systemd to allow the service to start.

How to do that?

  1. Make sure the systemctl syntax is correct. Try it on the command line. Get it to start from the command first. Configure systemctl to enable the tor service to start.

Gosh, even more shit to cope with. Can't you add your awesome work via pull request to torbrowser-launcher to solve my freshly opened Issue torproject/torbrowser-launcher#223? That would be lovely!

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

I'll test it on a redhat box and give you the changes.
Give me a few ...
Hang tight ...

Try the fix above in the meantime. The error could be that it was already started. The command should be restart NOT start.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Give me a few ...

Don't hurry. I've learned that the best things come to those who are willing to be patient.

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

See my error ... in post above. You might be OK.
I'll still test it right quick.

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

OK. My findings

  1. I'm using a Centos 7 box
  2. To start the tor service, it uses the old service command.
    Revert back to Line 54 original service tor restart statement.

I'm having some issues with it starting and running on CentOS, too locked down. See correction fix above.

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Did it work?
Can I close this issue?

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Did it work?

Thanks for your wonderful support here. No, unfortunately it did not work yet. Both using ['systemctl', 'restart', 'tor.service'] or tor_restart = check_call(['service', 'tor', 'restart'] did not work, I'm still getting the [!] Can't get public ip address! message. What else to test?

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Run the command from the command line to see which one starts the tor service
service tor restart
or
systemctl restart tor.service
Run the iptables command to see if the rules were loaded.

iptables -S
iptables -S -t nat

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Run the command from the command line to see which one starts the tor service
service tor restart

Did that and it seems to have worked.

Run the iptables command to see if the rules were loaded.
iptables -S
iptables -S -t nat

Done. What do these outputs tell you?

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

If the iptables rules are set. New distros use firewalld.
Look at the second screenshot in the Readme. It should look like that.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

If the iptables rules are set. New distros use firewalld.

I am using the bleeding edge version of openSUSE, called Tumbleweed. The only output I get is this:

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024
  1. Open a python interpreter as root in the directory where the toriptables2.py file is located.
    e.g. sudo python

This flushes all iptables rules

>>> import toriptables2
>>> a = toriptables2.TorIptables()
>>> a.flush_iptables_rules()

This loads the rules

>>> import toriptables2
>>> a = toriptables2.TorIptables()
>>> a.load_iptables_rules()

  1. See if the rules are now set ...

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Thanks @ruped24. These commands work, but when loading them I have no internet at all anymore. Aren't you able to add support for openSUSE out of the box and add the script to torbrowser-launcher?

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

I peeked at the code. He is building a rpm package. I would have to look into it more... Right now, time is my enemy. I'll see if it's possible. Thx for showing me that project. I didn't know about it.

I initially was targeting pentesting distros, which most if not all are deb base.
I'm not going to say change distro, but it works on *buntu, mint, etc.
Give it a try in a VM ...

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

but when loading them I have no internet at all anymore

Check bottom of your /etc/tor/torrc for these lines:

## Inserted by toriptables2.py for tor iptables rules set
## Transparently route all traffic thru tor on port 9040
VirtualAddrNetwork 10.0.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53

from toriptables2.
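The two checks suggested in this thread (`iptables -S -t nat` and the tail of `/etc/tor/torrc`) can be evaluated together: a nat table with only `-P` policy lines means no traffic is redirected to Tor, while redirect rules without the matching torrc ports send traffic to a port nothing listens on. This is an added example, not part of toriptables2; the function names are hypothetical and the loaded rule set shown is a constructed sample.

```python
import re

# Directives ruped24 lists as appended to /etc/tor/torrc by the script.
EXPECTED_TORRC = {"VirtualAddrNetwork": "10.0.0.0/10",
                  "AutomapHostsOnResolve": "1",
                  "TransPort": "9040", "DNSPort": "53"}


def missing_torrc_directives(torrc_text):
    """Expected directives that are absent or carry another value."""
    seen = {}
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments
        if len(parts) == 2:
            seen[parts[0].lower()] = parts[1].strip()  # names: any case
    return sorted(k for k, v in EXPECTED_TORRC.items()
                  if seen.get(k.lower()) != v)


def nat_redirect_ports(nat_text):
    """Ports targeted by REDIRECT rules in `iptables -S -t nat` output."""
    ports = set()
    for line in nat_text.splitlines():
        if not line.startswith("-A "):
            continue  # "-P" lines are chain policies, not rules
        match = re.search(r"-j REDIRECT\b.*--to-ports (\d+)", line)
        if match:
            ports.add(int(match.group(1)))
    return ports


def diagnose(nat_text, torrc_text):
    """Reasons the transparent proxy is not in effect; empty list = ok."""
    problems = []
    ports = nat_redirect_ports(nat_text)
    if not ports:
        problems.append("no REDIRECT rules in nat table")
    missing = missing_torrc_directives(torrc_text)
    if missing:
        problems.append("torrc missing: " + ", ".join(missing))
    for key in ("TransPort", "DNSPort"):
        want = int(EXPECTED_TORRC[key])
        if ports and want not in ports:
            problems.append("no redirect to %s %d" % (key, want))
    return problems


# Policies-only output as posted earlier in this thread.
POLICIES_ONLY = "".join("-P %s ACCEPT\n" % chain for chain in
                        ("PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"))
# Constructed sample of a loaded nat table (rule text is an assumption).
LOADED_NAT = POLICIES_ONLY + """\
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -p tcp -m tcp -j REDIRECT --to-ports 9040
"""
TORRC_OK = "\n".join("%s %s" % kv for kv in EXPECTED_TORRC.items())
TORRC_STOCK = "SocksPort 9050  # constructed: no script lines appended\n"
```

On a live host, feed `diagnose` the output of `iptables -S -t nat` and the contents of `/etc/tor/torrc`, both read as root.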

SecUpwN avatar SecUpwN commented on May 28, 2024

I initially was targeting pentesting distros, which most if not all are deb base.

Are these tables already included in my favourite privacy distro Tails? I guess so.

## Inserted by toriptables2.py for tor iptables rules set
## Transparently route all traffic thru tor on port 9040
VirtualAddrNetwork 10.0.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Yes. Leave the comments. It screwed up "this" format.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Yes. Leave the comments. It screwed up "this" format.

What I would like to essentially accomplish, is to make your script work in the background to automatically start up when I boot my computer. When connecting to any network, I'd like it to anonymize all traffic. But I have not yet been able to make your script work as it should. Are you going to make a pull request to torbrowser-launcher to add this functionality? :) I know people will love the easiness of a unified setup.

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

... have not yet been able to make your script work as it should.

Unfortunately, I had a narrow target, just the *buntu or debian.

Are you going to make a pull request to torbrowser-launcher to add this functionality? :)

I'll look into it. I can't give you a firm date.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Unfortunately, I had a narrow target, just the *buntu or debian.

Can you try to make it work with openSUSE Tumbleweed?

I'll look into it. I can't give you a firm date.

No problem, take your time.

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

I'll spin your distro and get it to work. I need some time tho. Not very long.
If you can point me to a live version of Tumbleweed that I don't have to install, I can do it quick.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

I'll spin your distro and get it to work. I need some time tho. Not very long.

Sounds wonderful!

If you can point me to a live version of Tumbleweed that I don't have to install, I can do it quick.

Tumbleweed is just the name for the full rolling release. I guess using this older Live CD should work.

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Got the iso, looking at it now. Hang tight.

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Got it! I'll send you a link to the screenshot and post the changes.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Got it! I'll send you a link to the screenshot and post the changes.

Neat! So will you update your script with auto-detection of openSUSE right away?

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Here is the screenshot:
http://bit.ly/1p8FAG9

Here is a pastebin link:
http://pastebin.com/yYvFUFDh

The changes were what I stated before in a previous post.
Tor user name = tor
systemctl restart tor.service

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Here is the screenshot

Whoo-hooo, I'm excited! 😸 How to make your script launch and connect on bootup so that no traffic is leaking without ever being routed through Tor? I'm secretly hoping you update your script with it.

Here is a pastebin link

Just as a security note: Do not use Pastebin any more, they censor stuff. Use PIEBIN instead. ;-)

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

How to make your script launch and connect on bootup
Put it in /etc/rc.local

make sure it's in your path.

chmod +x toriptables2.py && mv toriptables2.py /usr/local/bin

Cool. It's set to expire in a week.
Thx for the note.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Put it in /etc/rc.local

Done. Your script has been renamed to rc.local and moved to /etc/. Hope that is right.

sudo chmod +x toriptables2.py && mv toriptables2.py /usr/local/bin

Done. Will this make sure that no traffic is leaking without being anonymized at startup?

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Done. Your script has been renamed to rc.local and moved to /etc/. Hope that is right.

That's wrong.

gedit /etc/rc.local

Insert
python /usr/local/bin/toriptables2.py

chmod +x /etc/rc.local
chmod +x /usr/local/bin/toriptables2.py

That will need to start before networking. Change the priority. See Suse wiki.

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Did the modifications work?

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

That will need to start before networking. Change the priority. See Suse wiki.

I've been searching like crazy on how to set the priority of that moved script. Please help me there.

Did the modifications work?

I tested the modified script right after you posted it and still got this: [!] Can't get public ip address! when flushing, I still have no internet connection at all and need to restart the computer. What's wrong?

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

tested the modified script right after you posted it and still got this: [!] Can't get public ip address!

Unless they changed something in Tumbleweed (bleeding edge). Dunno

Try it on the iso you sent me. See if it works on that.
If yes, then Tumbleweed has changed something.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Try it on the iso you sent me. See if it works on that.

I can't download that at the moment.

If yes, then Tumbleweed has changed something.

Where to look exactly? Maybe I'm just loading the script wrong? I'm doing this the whole time:

SecUpwN@GLaDOS:~> sudo python /home/SecUpwN/toriptables2.py -l

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

That's not the problem. I'm thinking --- you need to tell systemd to allow the service to start.
Try: sudo systemctl enable tor.service

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

Result:

Created symlink from /etc/systemd/system/multi-user.target.wants/tor.service to /usr/lib/systemd/system/tor.service.

But this is strange:

SecUpwN@GLaDOS:~> toriptables2.py
usage: toriptables2.py [-h] [-l] [-f]

Tor Iptables script for loading and unloading iptables rules

optional arguments:
  -h, --help   show this help message and exit
  -l, --load   This option will load tor iptables rules
  -f, --flush  This option flushes the iptables rules to default
SecUpwN@GLaDOS:~> toriptables2.py -l
[!] Run as super user: No such file or directory
SecUpwN@GLaDOS:~> sudo toriptables2.py -l
sudo: toriptables2.py: Command not found

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024
SecUpwN@GLaDOS:~> sudo toriptables2.py -l
sudo: toriptables2.py: Command not found

sudo python toriptables2.py -l

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024
SecUpwN@GLaDOS:~> sudo python toriptables2.py -l
root's password:
python: can't open file 'toriptables2.py': [Errno 2] No such file or directory

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

You need to be where the file exists.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

You need to be where the file exists.

Gosh, how could I forget that? Unfortunately, I still get [!] Can't get public ip address!. What to do?

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

I'm running out of suggestions. It looks to be the distro has done something different from the iso you sent me. Spin up the iso in a vm and try it and compare ... Without having that distro to test it on, I'm only guessing ...

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

I'm running out of suggestions. It looks to be the distro has done something different from the iso you sent me.

I begin to suspect the whole thing could be errors on my part. Could you maybe update your script so that it installs itself and sets the right permissions in the right places to verify it is indeed the distro failing?

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Could you maybe update your script

That will break it on kali linux (pentesting community).
That was the target. It works as intended on the target.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

That will break it on kali linux (pentesting community).
That was the target. It works as intended on the target.

Fair. How to do a full stacktrace so that you can see the core error?

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

My conclusion:

It works with the change on Suse 13.
It works on Debian base distro.

I have no idea how your environment is setup.

  1. Run a debian base distro in a vm
  2. Run it on Suse 13 in a vm

I've reached the end of the road on this. I'll be closing this issue.
It looks to be something in your setup. I'm out of time on this.

I hope you find a solution...

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Only thing is left, is to give me access ;)
That's not something you want to do.

from toriptables2.

ruped24 avatar ruped24 commented on May 28, 2024

Closed:
Bleeding edge distro.

from toriptables2.

SecUpwN avatar SecUpwN commented on May 28, 2024

@ruped24, thanks for everything you tried though. I'll keep testing your script and will notify you once it's working and what I did to accomplish that. Please help adding torproject/torbrowser-launcher#223.

from toriptables2.
