Operating publicly addressable applications out of a hidden service
The easiest way to expose one hidden service only needs two lines of `torrc`:
TransPort 46.246.28.219:80
MapAddress 46.246.28.219 duskgytldkxiuqc6.onion
You can easily add more services on top by redirecting ports:
$ iptables -t nat -A PREROUTING -p tcp -d 46.246.28.219 --dport 25 -j REDIRECT --to-ports 80
And if you want to make sure your ISP cannot misuse the TransPort, you can add the following rule, just in case:
$ iptables -A INPUT -i eth0 -p tcp ! -d 46.246.28.219 -j REJECT
Result:
$ curl -I http://46.246.28.219/
HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 10 May 2013 15:09:45 GMT
Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT
Accept-Ranges: bytes
Connection: close
Content-Length: 389

$ usewithtor curl -I http://duskgytldkxiuqc6.onion/
[... warning messages ...]
HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 10 May 2013 15:09:45 GMT
Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT
Accept-Ranges: bytes
Connection: close
Content-Length: 389
Port 25 also accepts a connection, since we put a redirect in place; but because TransPort cannot connect to ports the hidden service doesn't listen on, the connection is closed shortly afterwards:
mzeltner@eaon ~ % telnet 46.246.28.219 25
Trying 46.246.28.219...
Connected to 46.246.28.219.
Escape character is '^]'.
Connection closed by foreign host.
Otherwise a connection would be refused:
mzeltner@eaon ~ % telnet 46.246.28.219 299
Trying 46.246.28.219...
telnet: Unable to connect to remote host: Connection refused
This proof of concept is currently running at http://poum.niij.org/
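The setup above rests on three things fitting together: a TransPort bound to the public address only, a MapAddress for that address pointing at the onion, and the INPUT reject rule that keeps the TransPort from being reached for any other destination. The following audit script is an added example (not part of the original page or of tor itself); it parses torrc and iptables-save style text and reports where that pattern is incomplete, run here against constructed sample configurations modelled on the lines in the text.

```python
import re

# Constructed sample inputs modelled on the torrc and iptables rules in the text.
TORRC_OK = """
TransPort 46.246.28.219:80
MapAddress 46.246.28.219 duskgytldkxiuqc6.onion
"""
TORRC_WEAK = "TransPort 0.0.0.0:80\n"  # binds every interface, no MapAddress
RULES_OK = """
-A PREROUTING -d 46.246.28.219/32 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 80
-A INPUT ! -d 46.246.28.219/32 -i eth0 -p tcp -j REJECT --reject-with icmp-port-unreachable
"""

def parse_torrc(text):
    """Return ([(bind_host, port), ...], {mapped_host: target}) from torrc text."""
    trans, maps = [], {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        if key == "TransPort":
            host, _, port = val.rpartition(":")  # "IP:port" or a bare "port"
            trans.append((host or "0.0.0.0", int(port)))
        elif key == "MapAddress":
            src, dst = val.split()
            maps[src] = dst
    return trans, maps

def audit(torrc, rules):
    """Return findings; an empty list means the pattern is wired up as the text describes."""
    findings = []
    trans, maps = parse_torrc(torrc)
    ports = {p for _, p in trans}
    for host, port in trans:
        if host in ("0.0.0.0", "::", "[::]"):
            findings.append(f"TransPort :{port} binds every interface; bind the public IP only")
        if not maps.get(host, "").endswith(".onion"):
            findings.append(f"no MapAddress {host} -> .onion: Tor would carry the traffic to the original destination, not the hidden service")
        ip = re.escape(host) + r"(?:/32)?"
        # the 'just in case' guard: TCP arriving for any other destination address is rejected
        if not re.search(rf"^-A INPUT .*! -d {ip} .*-p tcp .*-j (?:REJECT|DROP)", rules, re.M):
            findings.append(f"no INPUT rule rejecting TCP not addressed to {host}")
        # every REDIRECT must land on a port some TransPort actually listens on
        for m in re.finditer(rf"^-A PREROUTING .*-d {ip} .*--dport (\d+) -j REDIRECT --to-ports (\d+)", rules, re.M):
            if int(m.group(2)) not in ports:
                findings.append(f"port {m.group(1)} is redirected to {m.group(2)}, where no TransPort listens")
    return findings
```

On a live box, feed it the real torrc and the output of `iptables-save` instead of the constructed strings.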
Anonymity
Depending on how you look at it, the machine does not really need to be anonymous towards the rendezvous point, so compiling tor with `--enable-tor2webmode` would speed up the connection process.
SMTP
Exposing SMTP shouldn't be a problem, since it is a very fault-tolerant protocol. Sending is a problem, however: there is no MTA on the machine that exposes ports 25/489/587, so we need to tunnel from the hidden service into the box that acts as our public face. See http://stackoverflow.com/questions/392034/ssh-tunnel-for-sendmail
Thanks
To Abel Luck for inspiration, and to ra_ for the session that resulted in the configuration above.