Publicly addressable applications operated out of a hidden service

Say, for example, you have a website that you are comfortable serving under a public domain name, but you are not comfortable hosting it at the location of its clearnet IP because $reason (for example, you are The Pirate Bay). Or you want to store all your e-mail in an undisclosed location. The setup below lets the forwarding machine know as little as possible about the actual hosting machine (because that machine is only reachable as a .onion), while using very few resources on the "proxy" machine and even less time to set it up.

tl;dr: a poor person's tor2web for TCP.

The easiest way to expose a single hidden service needs only two lines of torrc:

  TransPort 46.246.28.219:80
  MapAddress 46.246.28.219 duskgytldkxiuqc6.onion

You can easily expose more services on top by redirecting additional ports to the TransPort:

  $ iptables -t nat -A PREROUTING -p tcp -d 46.246.28.219 --dport 25 -j REDIRECT --to-ports 80

And if you want to make sure your ISP can't use the TransPort in the wrong way, you can add the following rule, which rejects any TCP traffic arriving on eth0 that is not addressed to the public IP, just in case:

  $ iptables -A INPUT -i eth0 -p tcp ! -d 46.246.28.219 -j REJECT
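The two torrc lines only do their job when the MapAddress source is exactly the address the TransPort is bound to; a typo in either line means connections arrive at the TransPort but are never rewritten to the onion. The following checker is an added example (not part of the original page and not a Tor tool): it parses a torrc, extracts the TransPort bind addresses and MapAddress pairs, and reports mismatches and malformed .onion names. The sample torrc is the page's own two lines plus a constructed comment; the function names are mine.

```python
import ipaddress
import re

# v2 onion names are 16 base32 chars, v3 names are 56; both use lowercase a-z and 2-7.
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

# Constructed sample: the two-line torrc from the page, plus a comment line to show
# that comments are ignored by the parser.
SAMPLE_TORRC = """\
# expose one hidden service on the public IP
TransPort 46.246.28.219:80
MapAddress 46.246.28.219 duskgytldkxiuqc6.onion
"""


def parse_torrc(text):
    """Extract the addresses TransPort binds and the MapAddress pairs from torrc text.

    Returns (binds, mappings): binds is a set of bind addresses (a bare port means
    Tor binds 127.0.0.1), mappings is a list of (source, target) tuples in file order.
    """
    binds, mappings = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "transport" and len(parts) >= 2:
            spec = parts[1]  # "port", "addr:port" or "[v6addr]:port"; isolation flags may follow
            if ":" in spec:
                binds.add(spec.rsplit(":", 1)[0].strip("[]"))
            else:
                binds.add("127.0.0.1")
        elif key == "mapaddress" and len(parts) >= 3:
            mappings.append((parts[1], parts[2]))
    return binds, mappings


def check_torrc(text):
    """Return a list of findings; an empty list means the TransPort/MapAddress pair is consistent."""
    binds, mappings = parse_torrc(text)
    findings = []
    if not binds:
        findings.append("no TransPort line: no connections are intercepted")
    if not mappings:
        findings.append("no MapAddress line: intercepted connections are not rewritten to an onion")
    for source, target in mappings:
        try:
            ipaddress.ip_address(source)
        except ValueError:
            # MapAddress also accepts hostnames as source, but in this setup the source
            # must be the public IP the TransPort is bound to, so it cannot be matched.
            findings.append("MapAddress source %r is not an IP address" % source)
            continue
        if source not in binds:
            findings.append("MapAddress source %s has no matching TransPort bind; "
                            "connections to it are never rewritten" % source)
        if not ONION_RE.match(target):
            findings.append("MapAddress target %r is not a well-formed .onion name" % target)
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TORRC
    problems = check_torrc(text)
    print("\n".join(problems) if problems else "torrc looks consistent")
```

Run it as `python check_torrc.py /etc/tor/torrc` after editing the file; with no argument it checks the page's own two lines and reports them as consistent.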

Result:

  $ curl -I http://46.246.28.219/
  HTTP/1.1 200 OK
  Server: thttpd/2.25b 29dec2003
  Content-Type: text/html; charset=iso-8859-1
  Date: Fri, 10 May 2013 15:09:45 GMT
  Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT
  Accept-Ranges: bytes
  Connection: close
  Content-Length: 389
  $ usewithtor curl -I http://duskgytldkxiuqc6.onion/
  [... warning messages ...]
  HTTP/1.1 200 OK
  Server: thttpd/2.25b 29dec2003
  Content-Type: text/html; charset=iso-8859-1
  Date: Fri, 10 May 2013 15:09:45 GMT
  Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT
  Accept-Ranges: bytes
  Connection: close
  Content-Length: 389

Port 25 also accepts a connection, since we put a redirect in place; but because TransPort cannot connect to a port the hidden service doesn't listen on, the connection is closed shortly afterwards:

  $ telnet 46.246.28.219 25
  Trying 46.246.28.219...
  Connected to 46.246.28.219.
  Escape character is '^]'.
  Connection closed by foreign host.

On any other port the connection is refused:

  $ telnet 46.246.28.219 299
  Trying 46.246.28.219...
  telnet: Unable to connect to remote host: Connection refused
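The two telnet sessions above show three distinct client-side outcomes: refused outright, accepted and then closed by Tor once the hidden service rejects the stream, and genuinely open. The following probe is an added example (not part of the original page) that classifies a host:port into those three outcomes, so you can verify which ports your REDIRECT rules actually expose. Because nothing here needs Tor or iptables, it also includes constructed loopback listeners that reproduce each behaviour locally; `probe_tcp_port`, `start_listener` and `unused_port` are my names.

```python
import socket
import sys
import threading

# Outcomes as seen from a client, matching the three cases shown on the page:
REFUSED = "refused"                            # nothing listens and no REDIRECT rule: RST right away
ACCEPTED_THEN_CLOSED = "accepted-then-closed"  # TransPort took the connection, the onion had no listener
OPEN = "open"                                  # connection stays up (or a banner arrives): service reachable


def probe_tcp_port(host, port, timeout=15.0):
    """Classify how host:port behaves for one fresh TCP connection.

    Through a TransPort the close only arrives after Tor has built the rendezvous
    circuit and the hidden service has rejected the stream, so the default timeout
    is generous; a hang-up inside the timeout counts as accepted-then-closed.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return REFUSED
    except OSError as exc:  # unreachable host, handshake timeout, ...
        return "error: %s" % exc
    try:
        sock.settimeout(timeout)
        try:
            data = sock.recv(1)
        except socket.timeout:
            return OPEN  # peer is waiting for us to talk first (e.g. HTTP); the stream is alive
        except ConnectionResetError:
            return ACCEPTED_THEN_CLOSED
        return ACCEPTED_THEN_CLOSED if data == b"" else OPEN  # EOF vs. a banner (e.g. SMTP 220)
    finally:
        sock.close()


# --- constructed loopback stand-ins so the three behaviours can be reproduced offline ---

def start_listener(behaviour):
    """Start a 127.0.0.1 listener that 'close's each connection at once, 'hold's it open,
    or sends a 'banner'. Returns (port, stop) where stop() shuts the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.2)  # poll so the serving thread can notice the stop flag
    stop_flag = threading.Event()
    held = []  # keep accepted sockets referenced so they stay open for 'hold'

    def serve():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if behaviour == "hold":
                held.append(conn)
            elif behaviour == "banner":
                conn.sendall(b"220 mail.example ESMTP\r\n")  # constructed greeting
                held.append(conn)
            else:  # 'close': accept, then hang up without sending anything
                conn.close()
        srv.close()
        for c in held:
            c.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop_flag.set


def unused_port():
    """Find a loopback port nobody listens on (bind to 0, note the port, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in (int(x) for x in sys.argv[2:]):
        print(p, probe_tcp_port(host, p))
```

Against the setup on the page, `python probe.py 46.246.28.219 80 25 299` would be expected to report open, accepted-then-closed and refused respectively; an unexpected "open" on a port you did not mean to expose is the thing worth investigating.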

This proof of concept is currently implemented on http://poum.niij.org/

Anonymity

Depending on how you look at it, the machine does not really need to be anonymous towards the rendezvous point, so compiling tor with tor2webmode enabled would speed up the connection setup.

SMTP

Exposing SMTP shouldn't be a problem, since it is a very fault-tolerant protocol. Sending, however, is a problem: there is no MTA on the machine that exposes ports 25/489/587. We need to tunnel from the hidden service into the box that is acting as our public face. http://stackoverflow.com/questions/392034/ssh-tunnel-for-sendmail

Thanks

To Abel Luck for inspiration, and ra_ for the session resulting in the configuration above.