How to create a Tor-only network interface suitable for Firejail?

4

3

The well-known but unsafe method is to use torify. It is unsafe because we ask an application to use Tor, not force it. If the application misbehaves or is being exploited through a bug, it will still allow non-Tor connections to be made to the outside world.

Firejail, on the other hand, is a security tool that allows you to sandbox applications by providing them an isolated kernel namespace, seccomp filters and, what's important, a custom network stack.

So, how do I create a Tor-only network interface that could be fed to Firejail? According to Firejail documentation, it accepts any bridge network interface:

Firejail can attach a new TCP/IP networking stack to the sandbox. The new stack comes with its own routing table, firewall and set of interfaces. It is totally independent of the host network stack.

  • Create new interfaces – Linux kernel macvlan and bridge devices are created and moved automatically in the sandbox.
  • Move existing interfaces – existing interfaces can be moved inside the sandbox. The interface configuration is preserved.

VasyaNovikov

Posted 2016-04-22T12:08:07.200

Reputation: 2 329

Answers

4

Firejail with Tor HOWTO https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto/

I cannot verify that tor will work as outlined in the above article, however ssh forwarding using the same approach (i.e., a socks5 port) works fine.

user5321531

Posted 2016-04-22T12:08:07.200

Reputation: 151

'redirect traffic from bridge to http proxy' https://superuser.com/questions/1172607/redirect-traffic-from-bridge-to-http-proxy - I am currently using this configuration but with privoxy instead of tinyproxy, which will (as well as ad blocking) route HTTP requests through a SOCKS proxy.

– user5321531 – 2017-03-12T05:05:13.180

3

We've implemented another solution, as firejail supports the --netns flag. In order to bind firejail inside a network namespace that can reach the internet via Tor only, the steps are:

# configure tor with this configuration
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.0.0.1
DNSPort 5354
DNSListenAddress 10.0.0.1
SOCKSPort 0

then:

# create a new network namespace named torjail
ip netns add torjail

# create two virtual ethernet interfaces
ip link add out-torjail type veth peer name in-torjail

# bind one interface to torjail network namespace
ip link set in-torjail netns torjail

# set interfaces ip and default routing
ip addr add 10.0.0.1/24 dev out-torjail
ip link set out-torjail up
ip netns exec torjail ip addr add 10.0.0.2/24 dev in-torjail
ip netns exec torjail ip link set in-torjail up
ip netns exec torjail ip route add default via 10.0.0.1

# forward all dns traffic to tor DNSPort
iptables -t nat -A  PREROUTING -i out-torjail -p udp -d 10.0.0.1 --dport 53 -j DNAT --to-destination 10.0.0.1:5354

# forward all traffic to tor TransPort
iptables -t nat -A  PREROUTING -i out-torjail -p tcp --syn -j DNAT --to-destination 10.0.0.1:9040

# accept established connection
iptables -A OUTPUT -m state -o out-torjail --state ESTABLISHED,RELATED -j ACCEPT

# accept only forwarded traffic
iptables -A INPUT -i out-torjail -p udp --destination 10.0.0.1 --dport 5354 -j ACCEPT
iptables -A INPUT -i out-torjail -p tcp --destination 10.0.0.1 --dport 9040 -j ACCEPT
iptables -A INPUT -i out-torjail -p udp --destination 10.0.0.1 --dport 9040 -j ACCEPT
iptables -A INPUT -i out-torjail -j DROP


# finally run firejail within torjail namespace
firejail --dns=10.0.0.1 --netns=torjail $YOUR_ANONYMOUS_COMMAND_HERE

we've implemented this method in torjail for a simple usage, take a look:

https://torjail.github.io
https://github.com/torjail/torjail

les

Posted 2016-04-22T12:08:07.200

Reputation: 31
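As an added check (not part of the answer above or of the torjail project), the script below audits an `iptables-save` dump for the properties the answer's rules are meant to guarantee: DNS and TCP SYNs from out-torjail are DNATed to Tor, the INPUT chain for that interface ends in DROP, and the FORWARD path for that interface is also dropped, since the answer's nat rules only catch TCP and DNS and anything else (UDP, ICMP) would otherwise hit FORWARD. The sample dump is constructed from the answer's commands, with a FORWARD policy of ACCEPT assumed for the host.

```python
"""Audit an iptables-save dump for the torjail invariants (added example)."""

# Constructed sample: roughly what `iptables-save` shows after the answer's
# commands on a host whose default FORWARD policy is ACCEPT (assumption).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i out-torjail -d 10.0.0.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.1:5354
-A PREROUTING -i out-torjail -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination 10.0.0.1:9040
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i out-torjail -d 10.0.0.1/32 -p udp -m udp --dport 5354 -j ACCEPT
-A INPUT -i out-torjail -d 10.0.0.1/32 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i out-torjail -j DROP
COMMIT
"""

def parse_dump(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, rule)]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                      # table header, e.g. *nat
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:  # chain policy line
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A ") and cur is not None:  # appended rule
            chain, rule = line[3:].split(" ", 1)
            cur["rules"].append((chain, rule))
    return tables

def audit(text, iface="out-torjail", gw="10.0.0.1", trans=9040, dns=5354):
    """Return a list of problems; an empty list means the invariants hold."""
    t = parse_dump(text)
    nat = [r for c, r in t.get("nat", {}).get("rules", [])
           if c == "PREROUTING" and f"-i {iface}" in r]
    flt = t.get("filter", {"policy": {}, "rules": []})
    problems = []
    if not any("--dport 53 " in r and f"--to-destination {gw}:{dns}" in r for r in nat):
        problems.append("DNS is not redirected to Tor's DNSPort")
    if not any("-p tcp" in r and "SYN" in r and f"--to-destination {gw}:{trans}" in r for r in nat):
        problems.append("TCP SYNs are not redirected to Tor's TransPort")
    inp = [r for c, r in flt["rules"] if c == "INPUT" and f"-i {iface}" in r]
    if not inp or not inp[-1].endswith("-j DROP"):
        problems.append(f"INPUT from {iface} has no trailing DROP")
    fwd = [r for c, r in flt["rules"] if c == "FORWARD" and f"-i {iface}" in r]
    if flt["policy"].get("FORWARD") != "DROP" and not any(r.endswith("-j DROP") for r in fwd):
        problems.append(f"FORWARD from {iface} is not dropped")
    return problems
```

On a live host, feed it the real dump with `audit(subprocess.check_output(["iptables-save"], text=True))`; a non-empty list is the thing to fix before trusting the namespace as Tor-only.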