Message-ID: <538C4B63.5080409@riseup.net>
Date: Mon, 02 Jun 2014 10:01:07 +0000
From: Cyrus <cyrus_the_great@riseup.net>
To: tor-talk@lists.torproject.org
Subject: [tor-talk] Skip nat for private traffic with anonymizing middlebox

I run an internal network where I use two virtual machines for hosting
hidden services. I have a gateway and a web server, and the gateway is a
transparent proxy. The gateway is a Linux system using iptables based on
the directions on the Tor wiki for an anonymizing middlebox:
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#AnonymizingMiddlebox

These directions have one problem. Traffic from the web server can't
access the gateway's services, such as SSH. I am not familiar enough with
iptables to be completely sure how to bypass these rules for requests to
the private IP of the gateway.

The rules:
# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 5642 packets, 323K bytes)
 pkts bytes target     prot opt in     out     source               destination
 6937  483K REDIRECT   udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 redir ports 53
  827 49620 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 redir ports 9040

Chain INPUT (policy ACCEPT 11502 packets, 728K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 43839 packets, 2624K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 45541 packets, 2692K bytes)
 pkts bytes target     prot opt in     out     source               destination

Help would be appreciated so it doesn't redirect traffic going to the
gateway.
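One way to express the exemption the post asks for, as an added example that is not from the original post or the Tor wiki page it links: it rebuilds the nat PREROUTING chain so that a RETURN rule for the gateway's own internal address is evaluated before the two REDIRECT rules shown above. It assumes the internal interface is eth1 and the gateway's address on it is 10.0.0.1; IPTABLES can be pointed at a stand-in command to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's or the Tor wiki's configuration.
# Assumptions: eth1 = internal interface, 10.0.0.1 = gateway IP on eth1,
# Tor TransPort 9040 and DNSPort 53 as in the post's rule listing.
# Override IPTABLES (e.g. with a function that echoes its arguments) to
# dry-run without touching the kernel.
IPTABLES=${IPTABLES:-iptables}

# rebuild_nat_prerouting GATEWAY_IP INT_IF [TRANS_PORT] [DNS_PORT]
# nat PREROUTING is evaluated top-down and the first terminating target
# wins, so the RETURN for the gateway's address must sit above both
# REDIRECTs. The chain is flushed first so the order is deterministic.
rebuild_nat_prerouting() {
    gw_ip=$1; int_if=$2; trans_port=${3:-9040}; dns_port=${4:-53}

    $IPTABLES -t nat -F PREROUTING

    # 1. Packets addressed to the gateway itself (SSH etc.) leave the
    #    chain untouched and are delivered locally.
    $IPTABLES -t nat -A PREROUTING -i "$int_if" -d "$gw_ip" -j RETURN

    # 2. Everything else from the internal side goes through Tor:
    #    DNS to the DNSPort, new TCP connections (--syn, shown by
    #    iptables -L as flags:0x17/0x02) to the TransPort.
    $IPTABLES -t nat -A PREROUTING -i "$int_if" -p udp --dport 53 \
        -j REDIRECT --to-ports "$dns_port"
    $IPTABLES -t nat -A PREROUTING -i "$int_if" -p tcp --syn \
        -j REDIRECT --to-ports "$trans_port"
}

# Run directly: apply the rules for the assumed addresses.
if [ "${0##*/}" = "middlebox-nat.sh" ]; then
    rebuild_nat_prerouting 10.0.0.1 eth1
fi
```

Because the RETURN makes every service bound on the gateway's internal address reachable from the web server, limit what is actually accepted in the filter INPUT chain (for example only TCP/22 from eth1) rather than relying on the nat rule alone.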