====== Publicly addressable applications operated out of a hidden service ======

Say you have a website that you are comfortable having online under a public domain name, but you are not comfortable hosting it at the location of its clearnet IP because $reason (for example, you are The Pirate Bay). Or you want to keep all your e-mail in an undisclosed location.

The setup below puts a small "proxy" machine on the public IP and lets it know as little as possible about the machine that actually hosts the service: all the proxy holds is a ''.onion'' address. It uses very few resources on the proxy machine and even less time to set up.

**tl;dr: poor person's tor2web for TCP.**

The easiest way to expose a single hidden service needs only two lines of ''torrc'':

<code>
TransPort 46.246.28.219:80
MapAddress 46.246.28.219 duskgytldkxiuqc6.onion
</code>

''TransPort'' makes tor listen on the public IP as a transparent proxy. ''MapAddress'' rewrites the destination host of every connection it accepts for that IP to the ''.onion'' address; the destination port is left unchanged. This is a pure TCP relay: nothing inside the stream is rewritten, so an HTTP server behind the onion will see ''Host: 46.246.28.219'' (or your public domain name) and must be willing to serve it. The address above is a 16-character v2 onion, which current tor releases no longer support; the same ''MapAddress'' line works with a 56-character v3 address.

You can add more services on top by redirecting further ports into the ''TransPort'' (the iptables commands need root):

<code>
# iptables -t nat -A PREROUTING -p tcp -d 46.246.28.219 --dport 25 -j REDIRECT --to-ports 80
</code>

Note that tor does not see the redirected port: it asks the kernel for the pre-NAT destination (''SO_ORIGINAL_DST''), so a connection to port 25 is mapped to port 25 of the hidden service, not to port 80. That is what makes the redirect useful for more than one service.

A transparent proxy relays to whatever destination the kernel reports. If you want to make sure packets your ISP (or anyone else upstream) delivers to the box for other addresses can never be fed into the ''TransPort'', add the following, just in case:

<code>
# iptables -A INPUT -i eth0 -p tcp ! -d 46.246.28.219 -j REJECT
</code>

Result:

<code>
$ curl -I http://46.246.28.219/
HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 10 May 2013 15:09:45 GMT
Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT
Accept-Ranges: bytes
Connection: close
Content-Length: 389
</code>

The same request sent through tor (''usewithtor'' comes with torsocks) yields identical headers, so the public IP really is serving the hidden service:

<code>
$ usewithtor curl -I http://duskgytldkxiuqc6.onion/
[... warning messages ...]
HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 10 May 2013 15:09:45 GMT
Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT
Accept-Ranges: bytes
Connection: close
Content-Length: 389
</code>

Port 25 also accepts the connection, since the redirect is in place. But the hidden service has no ''HiddenServicePort'' for 25, so the stream to the onion cannot be opened and tor closes the connection shortly after the TCP handshake:

<code>
$ telnet 46.246.28.219 25
Trying 46.246.28.219...
Connected to 46.246.28.219.
Escape character is '^]'.
Connection closed by foreign host.
</code>

On any other port nothing is listening and the connection is refused outright:

<code>
$ telnet 46.246.28.219 299
Trying 46.246.28.219...
telnet: Unable to connect to remote host: Connection refused
</code>

This proof of concept is currently implemented on http://poum.niij.org/

===== Anonymity =====

Depending on how you look at it, the proxy machine does not need to be anonymous towards the rendezvous point: its IP is public anyway. Building tor with ''tor2webmode'' (the ''--enable-tor2web-mode'' configure option of tor releases of that era, switched on with ''Tor2webMode 1'' in ''torrc''; current tor no longer ships it) therefore speeds up connection setup, because the client side connects to the rendezvous point directly instead of over a three-hop circuit. What is given up is only the proxy's own client anonymity. The hidden service still builds its own circuit to the rendezvous point, so the location of the hosting machine stays protected.

===== SMTP =====

Exposing SMTP through the same mechanism shouldn't be a problem: sending MTAs queue a message and retry later when a connection fails, so an occasional failed rendezvous only delays delivery. Sending mail out is the problem: there is no MTA on the machine that exposes ports 25/465/587, only tor, and sending directly from the hidden machine would expose its IP to every receiving mail server. Outgoing mail therefore has to be tunnelled from the hidden service into the box that acts as our public face, e.g. over SSH:

http://stackoverflow.com/questions/392034/ssh-tunnel-for-sendmail

===== Thanks =====

To Abel Luck for inspiration, and ra_ for the session resulting in the configuration on top.
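===== Model of the packet path =====

The following is an added example, not part of the original configuration or of tor: a small Python model of the packet path that the ''torrc'' and iptables lines at the top of the page set up. It parses those lines (the page's own two ''torrc'' lines and two iptables rules, embedded as constructed strings) and predicts what a remote client observes for a TCP connection to a given address and port, including the two cases shown in the results above: port 25 connecting and then being closed by the foreign host, and port 299 being refused. The ''HiddenServicePort'' list of the hidden box (only port 80, matching the onion used on this page), the ''0.0.0.0:80'' variant of ''TransPort'' used to show what the INPUT rule protects against, the assumption that anything upstream delivers to the interface reaches the listener lookup, and the foreign address ''203.0.113.7'' are all assumptions of the model.

```python
"""Model of the TransPort / MapAddress / iptables path described on this page.

Added example, not tor's code. It predicts what a remote client sees for a TCP
connection to ip:port on the proxy box. Assumptions: the hidden box only has a
HiddenServicePort for 80, and every packet the upstream delivers to the box's
interface reaches the listener lookup (so a TransPort bound to 0.0.0.0 would
accept packets for foreign addresses).
"""
import re
from dataclasses import dataclass, field

# Constructed input: the page's own torrc lines and iptables rules, verbatim.
TORRC = """
TransPort 46.246.28.219:80
MapAddress 46.246.28.219 duskgytldkxiuqc6.onion
"""
NAT_RULES = "iptables -t nat -A PREROUTING -p tcp -d 46.246.28.219 --dport 25 -j REDIRECT --to-ports 80\n"
INPUT_RULE = "iptables -A INPUT -i eth0 -p tcp ! -d 46.246.28.219 -j REJECT\n"

REFUSED = "connection refused"
CLOSED = "connected, then closed by foreign host"


@dataclass
class ProxyBox:
    trans_ip: str                                   # address TransPort is bound to ("0.0.0.0" = any)
    trans_port: int
    map_address: dict                               # MapAddress: destination host -> replacement
    redirects: dict = field(default_factory=dict)   # (dst ip, dport) -> local port, from REDIRECT rules
    reject_foreign: str = ""                        # public IP guarded by the INPUT REJECT rule, if any
    onion_ports: frozenset = frozenset({80})        # assumed HiddenServicePort lines on the hidden box

    @classmethod
    def from_config(cls, torrc, iptables):
        """Build the model from torrc text plus the iptables command lines."""
        m = re.search(r"^TransPort\s+(?:(\S+):)?(\d+)\s*$", torrc, re.M)
        trans_ip = m.group(1) or "127.0.0.1"        # tor binds a bare port number to localhost
        maps = dict(re.findall(r"^MapAddress\s+(\S+)\s+(\S+)", torrc, re.M))
        box = cls(trans_ip, int(m.group(2)), maps)
        for r in re.finditer(r"-d (\S+) --dport (\d+) -j REDIRECT --to-ports (\d+)", iptables):
            box.redirects[(r.group(1), int(r.group(2)))] = int(r.group(3))
        r = re.search(r"-A INPUT .*! -d (\S+) -j REJECT", iptables)
        if r:
            box.reject_foreign = r.group(1)
        return box

    def connect(self, dst_ip, dst_port):
        """Outcome of a TCP connection from the Internet to dst_ip:dst_port on this box."""
        # filter INPUT: the "just in case" rule rejects anything not addressed to the public IP
        if self.reject_foreign and dst_ip != self.reject_foreign:
            return REFUSED
        # nat PREROUTING: REDIRECT changes the local port the packet is delivered to,
        # but conntrack remembers the original destination (SO_ORIGINAL_DST)
        local_port = self.redirects.get((dst_ip, dst_port), dst_port)
        if local_port != self.trans_port or self.trans_ip not in ("0.0.0.0", dst_ip):
            return REFUSED                          # nothing is listening there
        # tor's TransPort asks the kernel for the pre-NAT destination, so it sees
        # dst_ip:dst_port (e.g. :25), not the port it is bound to; MapAddress then
        # swaps the host and leaves the port alone
        host = self.map_address.get(dst_ip, dst_ip)
        if not host.endswith(".onion"):
            # no MapAddress hit: a transparent proxy relays to the reported destination
            return f"relayed through a Tor exit to {host}:{dst_port}"
        if dst_port not in self.onion_ports:
            return CLOSED                           # rendezvous works, but the service has no such port
        return f"stream to {host}:{dst_port}"


box = ProxyBox.from_config(TORRC, NAT_RULES + INPUT_RULE)
for port in (80, 25, 299):
    print(f"{box.trans_ip}:{port} -> {box.connect(box.trans_ip, port)}")
```

With the page's configuration the model gives ''stream to duskgytldkxiuqc6.onion:80'', ''connected, then closed by foreign host'' and ''connection refused'' for ports 80, 25 and 299, in line with the curl and telnet sessions above. Rebuilding it with ''TransPort 0.0.0.0:80'' and no INPUT rule is the weak variant: a packet for a foreign address would be relayed through a Tor exit, which is what the REJECT rule closes off.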