Publicly addressable applications operated out of a hidden service
Say for example you have a website that you feel comfortable having online via a public domain name, but you do not feel comfortable having it hosted on the location of its clearnet IP because $reason (for example you are The Pirate Bay). Or you want to store all your e-mail in an undisclosed location. This enables the transferring machine to know as little as possible about the actual hosting machine (because it's really a
.onion) while using very little resources on the „proxy“ machine and even less time to set it up.
tl;dr: poor persons tor2web for TCP.
The easiest way to expose one hidden service only needs two lines of
TransPort 126.96.36.199:80 MapAddress 188.8.131.52 duskgytldkxiuqc6.onion
You can easily add more services on top by redirecting ports:
$ iptables -t nat -A PREROUTING -p tcp -d 184.108.40.206 --dport 25 -j REDIRECT --to-ports 80
And if you want to make sure your ISP won't use the TransPort in the wrong way, you can add the following, just in case:
$ iptables -A INPUT -i eth0 -p tcp ! -d 220.127.116.11 -j REJECT
$ curl -I http://18.104.22.168/ HTTP/1.1 200 OK Server: thttpd/2.25b 29dec2003 Content-Type: text/html; charset=iso-8859-1 Date: Fri, 10 May 2013 15:09:45 GMT Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT Accept-Ranges: bytes Connection: close Content-Length: 389 $ usewithtor curl -I http://duskgytldkxiuqc6.onion/ [... warning messages ...] HTTP/1.1 200 OK Server: thttpd/2.25b 29dec2003 Content-Type: text/html; charset=iso-8859-1 Date: Fri, 10 May 2013 15:09:45 GMT Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT Accept-Ranges: bytes Connection: close Content-Length: 389
Port 25 is also accepted for a connection, since we put a redirect in place but since TransPort cannot connect to ports the hidden service doesn't listen on, it will later close the connection:
$ telnet 22.214.171.124 25 Trying 126.96.36.199... Connected to 188.8.131.52. Escape character is '^]'. Connection closed by foreign host.
Otherwise a connection would be refused:
$ telnet 184.108.40.206 299 Trying 220.127.116.11... telnet: Unable to connect to remote host: Connection refused
This proof of concept is currently implemented on http://poum.niij.org/
Depending on how you look at it, the machine does not really need to be anonymous to the rendezvous point, therefore compiling tor with
tor2webmode enabled would speed up the connection process.
Exposing SMTP shouldn't be a problem since it is a very fault tolerant protocol. However, sending is a problem: we do not have an MTA on the machine that is exposing port 25/489/587. We need to tunnel from the hidden service into the box that is acting as our public face. http://stackoverflow.com/questions/392034/ssh-tunnel-for-sendmail
To Abel Luck for inspiration, and ra_ for the session resulting in the configuration on top