Dies ist eine alte Version des Dokuments!
Say for example you have a website that you feel comfortable having online via a public domain name, but you do not feel comfortable having it hosted on the location of its clearnet IP because $reason. Or you want to store all your e-mail in an undisclosed location. This enables the transferring machine to know as little as possible about the actual hosting machine (because it's really a
.onion) while using very little resources on the „proxy“ machine and even less time to set it up.
The easiest way to expose one hidden service only needs two lines of
TransPort 184.108.40.206:80 MapAddress 220.127.116.11 duskgytldkxiuqc6.onion
You can easily add more services on top by redirecting ports:
$ iptables -t nat -A PREROUTING -p tcp -d 18.104.22.168 --dport 25 -j REDIRECT --to-ports 80
And if you want to make sure your ISP won't use the TransPort in the wrong way, you can add the following, just in case:
$ iptables -A INPUT -i eth0 -p tcp ! -d 22.214.171.124 -j REJECT
$ curl -I http://126.96.36.199/ HTTP/1.1 200 OK Server: thttpd/2.25b 29dec2003 Content-Type: text/html; charset=iso-8859-1 Date: Fri, 10 May 2013 15:09:45 GMT Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT Accept-Ranges: bytes Connection: close Content-Length: 389 $ usewithtor curl -I http://duskgytldkxiuqc6.onion/ [... warning messages ...] HTTP/1.1 200 OK Server: thttpd/2.25b 29dec2003 Content-Type: text/html; charset=iso-8859-1 Date: Fri, 10 May 2013 15:09:45 GMT Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT Accept-Ranges: bytes Connection: close Content-Length: 389
Port 25 is also accepted for a connection, since we put a redirect in place but since TransPort cannot connect to ports the hidden service doesn't listen on, it will later close the connection:
$ telnet 188.8.131.52 25 Trying 184.108.40.206... Connected to 220.127.116.11. Escape character is '^]'. Connection closed by foreign host.
Otherwise a connection would be refused:
$ telnet 18.104.22.168 299 Trying 22.214.171.124... telnet: Unable to connect to remote host: Connection refused
This proof of concept is currently implemented on http://poum.niij.org/
Depending on how you look at it, the machine does not really need to be anonymous to the rendezvous point, therefore compiling tor with
tor2webmode enabled would speed up the connection process.
Exposing SMTP shouldn't be a problem since it is a very fault tolerant protocol. However, sending is a problem: we do not have an MTA on the machine that is exposing port 25/489/587. We need to tunnel from the hidden service into the box that is acting as our public face. http://stackoverflow.com/questions/392034/ssh-tunnel-for-sendmail
To Abel Luck for inspiration, and ra_ for the session resulting in the configuration on top