Forward connections on 0.0.0.0:80 to 127.0.0.1:9091

2

I'm trying to set up a tor-relay.

In order to allow tor to present a static web page explaining what it is, I want the server to listen on ports 80 and 443.

In order to allow tor to use accounting/hibernation (throttle bandwidth after a data limit has been reached) I need the process to bind to >1024 port numbers (so that a non-privileged user can rebind the ports I guess).

Hence my tor configuration looks like such:

ORPort 443 NoListen
ORPort 127.0.0.1:9090 NoAdvertise
DirPort 80 NoListen
DirPort 127.0.0.1:9091 NoAdvertise
DirPortFrontPage /etc/tor/tor-exit-notice.html

After starting the server I can access the html-file locally:

$ wget 127.0.0.1:9091                                  
--2013-08-12 14:27:49--  http://127.0.0.1:9091/
Connecting to 127.0.0.1:9091... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6762 (6.6K) [text/html]
Saving to: `index.html'

100%[=============================>] 6,762       --.-K/s   in 0.005s  

2013-08-12 14:28:15 (1.21 MB/s) - `index.html' saved [6762/6762]

And the ports seem opened properly:

$ sudo netstat -lnp | grep tor
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      6328/tor        
tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN      6328/tor        
tcp        0      0 127.0.0.1:9091          0.0.0.0:*               LISTEN      6328/tor

In order to get the last part working, where connections on 0.0.0.0:80 are redirected to 127.0.0.1:9091, I've tried using iptables.

$ sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 127.0.0.1:9090
$ sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 127.0.0.1:9091
$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:127.0.0.1:9090
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:127.0.0.1:9091

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

But when I connect to the external ip on port 80 I get no response.

I've tried with ip_forward both on and off, neither works:

$ sudo sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
$ sudo sysctl net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0

I've even tried MASQUERADE-ing, but it doesn't work, and I don't think it should be necessary:

$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE

I've also tried PREROUTING per suggestion below, but it does not work:

$ sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 127.0.0.1:9091
iptables v1.4.14: REDIRECT: Bad value for "--to-ports" option: "127.0.0.1:9091"
Try `iptables -h' or 'iptables --help' for more information.

What am I doing wrong?

The server is a Raspberry Pi, running wheezy, with only the built-in network interface connected directly to the internet with a public IP.

azzid

Posted 2013-08-12T12:48:02.123

Reputation: 353

Answers

1

You could try enabling routing to localhost in the kernel:
sysctl -w net.ipv4.conf.eth0.route_localnet=1 when eth0 is the NIC of the machine.

See accepted answer on this post: https://unix.stackexchange.com/questions/111433/iptables-redirect-outside-requests-to-127-0-0-1

almccann

Posted 2013-08-12T12:48:02.123

Reputation: 111

1

This should do the trick:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 \
          -j REDIRECT --to-ports 127.0.0.1:9091
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 443 \
          -j REDIRECT --to-ports 127.0.0.1:9090

Nanzikambe

Posted 2013-08-12T12:48:02.123

Reputation: 627

Does not seem to work. iptables v1.4.14: REDIRECT: Bad value for "--to-ports" option: "127.0.0.1:9091" – azzid – 2013-09-25T10:42:46.390

Didn't work, but this did: sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 9030 – Ihmahr – 2013-12-11T13:01:19.050
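Both fixes from the thread, written out as one runnable script. This is an added example, not code from the question or either answer, and it assumes the question's interface name (eth0) and port numbers (9090 for the ORPort, 9091 for the DirPort). Two points the thread only shows indirectly: REDIRECT's --to-ports takes a bare port number (which is why the answer's form fails), and REDIRECT rewrites the destination to the primary address of the incoming interface rather than to 127.0.0.1, so tor must listen on that address (bind 9090/9091 on all interfaces, not 127.0.0.1) for the REDIRECT approach to connect. The DNAT variant keeps tor on loopback but needs route_localnet, which makes the kernel stop treating 127/8 destinations on eth0 as martian; the extra INPUT rule drops anything reaching loopback addresses through eth0 that was not DNATed by these rules.

```shell
#!/bin/sh
# Added example (not from the original thread): forward external 80/443 to
# tor's unprivileged local ports, either with REDIRECT or with DNAT+route_localnet.
# Assumed values: interface eth0, ORPort on 9090, DirPort on 9091.
# Set IPT=echo and SYSCTL=echo to print the commands instead of applying them.

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# torrc lines for the REDIRECT approach. REDIRECT changes the destination to
# eth0's primary address, so the local listeners must bind on all interfaces
# (plain "ORPort 9090", not "ORPort 127.0.0.1:9090").
torrc_redirect_fragment() {
    cat <<'EOF'
ORPort 443 NoListen
ORPort 9090 NoAdvertise
DirPort 80 NoListen
DirPort 9091 NoAdvertise
DirPortFrontPage /etc/tor/tor-exit-notice.html
EOF
}

# redirect_rule IFACE FROM_PORT TO_PORT: one PREROUTING REDIRECT rule.
# --to-ports accepts only a port number; "127.0.0.1:9091" is rejected.
redirect_rule() {
    $IPT -t nat -A PREROUTING -p tcp -i "$1" --dport "$2" -j REDIRECT --to-ports "$3"
}

# Approach 1 (working comment in the thread): REDIRECT to the local port.
apply_tor_redirects() {
    iface="${1:-eth0}"
    redirect_rule "$iface" 80  9091
    redirect_rule "$iface" 443 9090
}

# Approach 2 (first answer): keep tor on 127.0.0.1 and DNAT to it.
# The kernel drops packets arriving on eth0 for 127.0.0.0/8 unless
# route_localnet is enabled on that interface. Enabling it also means other
# hosts on the same link can address 127.0.0.1 through eth0, so the last rule
# drops loopback-destined packets from eth0 that did not go through our DNAT.
apply_tor_dnat_localnet() {
    iface="${1:-eth0}"
    $SYSCTL -w "net.ipv4.conf.$iface.route_localnet=1"
    $IPT -t nat -A PREROUTING -p tcp -i "$iface" --dport 80  -j DNAT --to-destination 127.0.0.1:9091
    $IPT -t nat -A PREROUTING -p tcp -i "$iface" --dport 443 -j DNAT --to-destination 127.0.0.1:9090
    $IPT -A INPUT -i "$iface" -d 127.0.0.0/8 -m conntrack ! --ctstate DNAT -j DROP
}

# Show what is actually installed in the nat table after applying rules.
show_tor_nat() {
    $IPT -t nat -S PREROUTING
}

# Usage (as root): ./tor-forward.sh redirect | dnat
case "${1:-}" in
    redirect) apply_tor_redirects eth0 && show_tor_nat ;;
    dnat)     apply_tor_dnat_localnet eth0 && show_tor_nat ;;
esac
```

Pick one approach, not both: with REDIRECT the relay's ORPort and DirPort are also reachable directly on 9090/9091, which is harmless for a public relay service but is the reason the asker bound them to loopback; with DNAT they stay loopback-only at the cost of route_localnet.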