Additional settings for Tor relay.

Author: juhanurmi

README.md

@@ -4,3 +4,20 @@ Electronic Frontier Finland (Effi) - Tor Exit Node
 Electronic Frontier Finland (Effi) is a Finnish on-line civil rights organization founded in 2001. While not formally affiliated with the U.S.-based Electronic Frontier Foundation, the two organizations share many of their goals. Effi is a member of the Global Internet Liberty Campaign and a founding member of European Digital Rights (EDRi).
 
 [Exit-tyyppisen reitittimen jakelema ilmoitussivu / Tor Exit Node info page.](http://htmlpreview.github.io/?https://github.com/juhanurmi/exitnode/blob/master/tor-exit-notice.html)
+
+```sh
+sudo bash remove.sh
+sudo apt-get update && sudo apt-get upgrade
+sudo rpi-update
+sudo apt-get install haveged
+sudo apt-get install tor
+sudo cp torrc /etc/tor/torrc
+sudo cp tor-exit-notice.html /etc/tor/tor-exit-notice.html
+sudo cp sysctl.conf /etc/sysctl.conf
+sudo cp rules.v4 /etc/iptables/rules.v4
+sudo apt-get install iptables-persistent
+sudo modprobe ip_conntrack
+sudo service iptables-persistent restart
+sudo sysctl -p /etc/sysctl.conf
+sudo service tor restart
+```

remove.sh

@@ -0,0 +1,61 @@
+# BACKUP interfaces in case this script removes it
+sudo cp /etc/network/interfaces /etc/network/interfaces.bak
+
+# GUI-related packages
+pkgs="
+x11-common
+xserver-xorg-video-fbdev
+xserver-xorg xinit
+gstreamer1.0-x gstreamer1.0-omx gstreamer1.0-plugins-base
+gstreamer1.0-plugins-good gstreamer1.0-plugins-bad gstreamer1.0-alsa
+gstreamer1.0-libav
+epiphany-browser
+lxde lxtask menu-xdg gksu
+xserver-xorg-video-fbturbo
+xpdf gtk2-engines alsa-utils
+netsurf-gtk zenity
+desktop-base lxpolkit
+weston
+omxplayer
+raspberrypi-artwork
+lightdm gnome-themes-standard-data gnome-icon-theme
+qt50-snapshot qt50-quick-particle-examples
+"
+
+# Edu-related packages
+pkgs="$pkgs
+idle python3-pygame python-pygame python-tk
+idle3 python3-tk
+python3-rpi.gpio
+python-serial python3-serial
+python-picamera python3-picamera
+python3-pygame python-pygame python-tk
+python3-tk
+debian-reference-en dillo x2x
+scratch nuscratch
+timidity
+smartsim penguinspuzzle
+pistore
+sonic-pi
+python3-numpy
+python3-pifacecommon python3-pifacedigitalio python3-pifacedigital-scratch-handler python-pifacecommon python-pifacedigitalio
+oracle-java8-jdk
+minecraft-pi python-minecraftpi
+wolfram-engine
+"
+# Because of of https://github.com/RPi-Distro/raspberrypi-ui-mods/issues/2 (thanks @robertely)
+apt-get -y remove raspberrypi-ui-mods
+
+# Remove packages
+for i in $pkgs; do
+	echo apt-get -y remove --purge $i
+done
+
+# Remove automatically installed dependency packages
+echo apt-get -y autoremove
+
+# Remove all packages marked rc (thanks @symm)
+dpkg --list |grep "^rc" | cut -d " " -f 3 | xargs dpkg --purge 
+
+# Return interfaces if needed
+sudo cp /etc/network/interfaces.bak /etc/network/interfaces

rules.v4

@@ -0,0 +1,38 @@
+*raw
+-A PREROUTING -j NOTRACK
+-A OUTPUT -j NOTRACK
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+##  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+-A INPUT -i lo -j ACCEPT
+
+## allow incoming SSH, port 22
+-A INPUT -p tcp --dport 22 -j ACCEPT
+
+## DirPort, ORPort (optional: Webserver)
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+
+## Allow several ICMP types 
+## http://www.oregontechsupport.com/articles/icmp.txt
+-A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j DROP
+
+## to log denied packets uncomment this line
+#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+
+## drop non-established TCP
+-A INPUT -p tcp --syn -j DROP
+
+## allows all udp in, but avoids conntrack
+
+COMMIT

sysctl.conf

@@ -0,0 +1,52 @@
+# used on high bandwidth nodes
+
+kernel.printk = 3 4 1 3
+vm.swappiness=1
+vm.min_free_kbytes = 8192
+
+# TCP settings
+
+# disabling forwarding first as this will
+# reset some other values back to default (!)
+net.ipv4.ip_forward = 0
+net.ipv4.tcp_syncookies = 1
+#net.ipv4.tcp_synack_retries = 2
+#net.ipv4.tcp_syn_retries = 2
+    
+net.ipv4.conf.default.forwarding = 0 
+net.ipv4.conf.default.proxy_arp = 0 
+net.ipv4.conf.default.send_redirects = 1
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.all.send_redirects = 0
+
+kernel.sysrq = 1
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# optimizations
+net.core.rmem_max = 33554432
+net.core.wmem_max = 33554432
+net.ipv4.tcp_rmem = 4096 87380 33554432 
+net.ipv4.tcp_wmem = 4096 65536 33554432  
+net.core.netdev_max_backlog = 262144
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_moderate_rcvbuf = 1
+net.ipv4.tcp_tw_recycle = 1
+net.ipv4.tcp_max_orphans = 262144
+net.ipv4.tcp_max_syn_backlog = 262144
+net.ipv4.tcp_fin_timeout = 4 
+vm.min_free_kbytes = 65536
+net.ipv4.netfilter.ip_conntrack_max = 196608
+net.netfilter.nf_conntrack_tcp_timeout_established = 7200
+net.netfilter.nf_conntrack_checksum = 0
+net.netfilter.nf_conntrack_max = 196608 
+net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 15
+net.nf_conntrack_max = 196608
+net.ipv4.tcp_keepalive_time = 60
+net.ipv4.tcp_keepalive_intvl = 10
+net.ipv4.tcp_keepalive_probes = 3
+net.ipv4.ip_local_port_range = 1025 65530
+net.core.somaxconn = 20480
+net.ipv4.tcp_max_tw_buckets = 2000000
+net.ipv4.tcp_timestamps = 0

torrc_example

@@ -1,42 +1,23 @@
 ## Required: what port to advertise for incoming Tor connections.
 ORPort 443
 
-# mirror directory information for others
+# mirror directory information for others    
 DirPort 80
 
 ## Required: A unique handle for this server. Choose one.
 Nickname Dignify01
 
-## Contact info to be published in the directory, so we can contact you
-## if your relay is misconfigured or something else goes wrong. Google
-## indexes this, so spammers might also collect it.
-ContactInfo juha.nurmi<att>ahmia.fi
-
-## The IP or fqdn for this server. Leave commented out and Tor will guess.
-## This may be required, if tor cannot guess your public IP.
-Address SET_IP_ADDRESS_HERE
+## Contact info to be published in the directory, so we can contact you 
+## if your relay is misconfigured or something else goes wrong. Google 
+## indexes this, so spammers might also collect it.                  
+ContactInfo juha.nurmi<<a>>ahmia.fi
 
 ## Uncomment to return an arbitrary blob of html on your DirPort.
 DirPortFrontPage /etc/tor/tor-exit-notice.html
 
-OutboundBindAddress SET_IP_ADDRESS_HERE
-
 RunAsDaemon 1
 AvoidDiskWrites 1
-#MaxMemInQueues 256 M
 
-## To limit your bandwidth usage, define this. Note that BandwidthRate
-## must be at least 20 KB.
-#BandwidthRate 30720 KB        # Throttle traffic to 10240KB/s 
-#BandwidthBurst  51200 KB      # But allow bursts up to 20480KB/s 
-
-ExitPolicy reject 0.0.0.0/8:*
-ExitPolicy reject 169.254.0.0/16:*
-ExitPolicy reject 127.0.0.0/8:*
-ExitPolicy reject 192.168.0.0/16:*
-ExitPolicy reject 10.0.0.0/8:*
-ExitPolicy reject 172.16.0.0/12:*
-ExitPolicy reject SET_IP_ADDRESS_HERE:*
 ExitPolicy accept *:20-23     # FTP, SSH, telnet
 ExitPolicy accept *:43        # WHOIS
 ExitPolicy accept *:53        # DNS
@@ -49,17 +30,24 @@ ExitPolicy accept *:220       # IMAP3
 ExitPolicy accept *:389       # LDAP
 ExitPolicy accept *:443       # HTTPS
 ExitPolicy accept *:464       # kpasswd
+ExitPolicy accept *:465       # URD for SSM (more often: an alternative SUBMISSION port, see 587)
 ExitPolicy accept *:531       # IRC/AIM
 ExitPolicy accept *:543-544   # Kerberos
 ExitPolicy accept *:554       # RTSP
 ExitPolicy accept *:563       # NNTP over SSL
+ExitPolicy accept *:587       # SUBMISSION (authenticated clients [MUA's like Thunderbird] send mail over STARTTLS SMTP here)
 ExitPolicy accept *:636       # LDAP over SSL
 ExitPolicy accept *:706       # SILC
 ExitPolicy accept *:749       # kerberos 
 ExitPolicy accept *:873       # rsync
 ExitPolicy accept *:902-904   # VMware
 ExitPolicy accept *:981       # Remote HTTPS management for firewall
-ExitPolicy accept *:989-995   # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL
+ExitPolicy accept *:989-990   # FTP over SSL
+ExitPolicy accept *:991       # Netnews Administration System
+ExitPolicy accept *:992       # TELNETS
+ExitPolicy accept *:993       # IMAP over SSL
+ExitPolicy accept *:994       # IRCS
+ExitPolicy accept *:995       # POP3 over SSL
 ExitPolicy accept *:1194      # OpenVPN
 ExitPolicy accept *:1220      # QT Server Admin
 ExitPolicy accept *:1293      # PKT-KRB-IPSec
@@ -91,8 +79,9 @@ ExitPolicy accept *:8000      # iRDMI
 ExitPolicy accept *:8008      # HTTP alternate
 ExitPolicy accept *:8074      # Gadu-Gadu
 ExitPolicy accept *:8080      # HTTP Proxies
+ExitPolicy accept *:8082      # HTTPS Electrum Bitcoin port
 ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
-ExitPolicy accept *:8332-8333 # BitCoin
+ExitPolicy accept *:8332-8333 # Bitcoin
 ExitPolicy accept *:8443      # PCsync HTTPS
 ExitPolicy accept *:8888      # HTTP Proxies, NewsEDGE
 ExitPolicy accept *:9418      # git
@@ -101,5 +90,6 @@ ExitPolicy accept *:10000     # Network Data Management Protocol
 ExitPolicy accept *:11371     # OpenPGP hkp (http keyserver protocol)
 ExitPolicy accept *:19294     # Google Voice TCP
 ExitPolicy accept *:19638     # Ensim control panel
+ExitPolicy accept *:50002     # Electrum Bitcoin SSL
+ExitPolicy accept *:64738     # Mumble
 ExitPolicy reject *:*
-