├── README.md
├── install.sh
├── meta
    └── screens
    │   ├── ip_changed.png
    │   └── rule_violation.png
├── toroxy
├── toroxy.service
└── uninstall.sh


/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ```
 3 |  _____                       
 4 | |_   _|__  _ __ _____  ___   _ 
 5 |   | |/ _ \| '__/ _ \ \/ / | | |
 6 |   | | (_) | | | (_) >  <| |_| |
 7 |   |_|\___/|_|  \___/_/\_\\__, |
 8 |                          |___/ 
 9 | ```
10 | 
11 | Tor-based TCP-proxy for linux.   
12 | Traffic won`t leave the system without Tor network.
13 | 
14 | ## How it works?
15 | 
16 | Runs as systemd service, watches traffic rules violations and IP cnanges.  
17 | Immediatelly notifies via UI if any changes detected.
18 | 
19 | All TCP traffic redirects to Tor. UDP traffic just blocks. 
20 | 
21 | ![Ip Changed](meta/screens/ip_changed.png?raw=true "Ip Changed")
22 | ![Rules Violation](meta/screens/rule_violation.png?raw=true "Rules Violation")
23 | 
24 | UI tested on:
25 | 
26 |  - Ubuntu 12+
27 |  - Ubuntu Parallels
28 |  - Debian 7+
29 | 
30 | Installation workflow:  
31 | 1. Install dependencies  
32 | 2. Run Tor service  
33 | 3. Run Toroxy as watcher service which starts on any system boot  
34 | 
35 | ## Dependencies
36 | 
37 |  - systemd
38 |  - iptables
39 |  - iptables-persistent
40 |  - python3
41 |  - pip3
42 |  - tor
43 | 
44 | ## How to install?
45 | 
46 | 1. `git clone https://github.com/Postuf/Toroxy.git`
47 | 2. `cd Toroxy`
48 | 3. `sudo ./install.sh`
49 | 
50 | ## How to check?
51 | 
52 | `curl ident.me`
53 | 
54 | ## How to uninstall?
55 | 
56 | Run `sudo ./uninstall.sh` in Toroxy root
57 | 
58 | ## How to use?
59 | 
60 | After installation new systemd service **toroxy** appear in local system.  
61 | It will be enabled by default. Here is how to manage it:
62 | 
63 | - Stop toroxy (disable proxy): `toroxy stop` OR `service toroxy stop`
64 | - Start toroxy (enable proxy): `toroxy start` OR `service toroxy start`
65 | - Change identity (switch proxy): `toroxy switch` OR `service toroxy reload` 
66 | 


--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | export DEBIAN_FRONTEND=noninteractive
 4 | 
 5 | if systemctl --all | grep -Fq 'toroxy'; then   
 6 | 	echo "Toroxy detected. Stopping..."
 7 | 	systemctl stop toroxy  
 8 | fi
 9 | 
10 | apt-get update
11 | apt-get install -yq python-pip
12 | apt-get install -yq iptables-persistent
13 | apt-get install -yq tor
14 | 
15 | pip install stem
16 | 
17 | ./toroxy install


--------------------------------------------------------------------------------
/meta/screens/ip_changed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Postuf/Toroxy/c5fea47f95f92cb1b9f1e98c22ea1f56e92655f2/meta/screens/ip_changed.png


--------------------------------------------------------------------------------
/meta/screens/rule_violation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Postuf/Toroxy/c5fea47f95f92cb1b9f1e98c22ea1f56e92655f2/meta/screens/rule_violation.png


--------------------------------------------------------------------------------
/toroxy:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | import os
  4 | import sys
  5 | import commands
  6 | import time
  7 | import urllib2
  8 | import signal
  9 | from commands import getoutput
 10 | from stem import Signal
 11 | from stem.control import Controller
 12 | 
 13 | class Strings:
 14 | 
 15 | 	TORRC_CONFIG = """
 16 | 		VirtualAddrNetwork 10.0.0.0/10
 17 | 		AutomapHostsOnResolve 1
 18 | 		TransPort 9040
 19 | 		DNSPort 53
 20 | 		ControlPort 9051
 21 | 		"""
 22 | 	IPTABLES_STOP_RULES = """
 23 | 		iptables -P INPUT ACCEPT
 24 | 		iptables -P FORWARD ACCEPT
 25 | 		iptables -P OUTPUT ACCEPT
 26 | 		iptables -t nat -F
 27 | 		iptables -t mangle -F
 28 | 		iptables -F
 29 | 		iptables -X
 30 | 		ip6tables -F
 31 | 		"""
 32 | 	IPTABLES_START_RULES = """
 33 | 		NON_TOR="192.168.1.0/24 192.168.0.0/24"
 34 | 		TOR_UID=%s
 35 | 		TRANS_PORT="9040"
 36 | 
 37 | 		iptables -F
 38 | 		iptables -t nat -F
 39 | 
 40 | 		iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
 41 | 		iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
 42 | 		for NET in $NON_TOR 127.0.0.0/9 127.128.0.0/10; do
 43 | 		 iptables -t nat -A OUTPUT -d $NET -j RETURN
 44 | 		done
 45 | 		iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
 46 | 
 47 | 		iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 48 | 		for NET in $NON_TOR 127.0.0.0/8; do
 49 | 		 iptables -A OUTPUT -d $NET -j ACCEPT
 50 | 		done
 51 | 		iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
 52 | 
 53 | 		iptables -A OUTPUT -j REJECT
 54 | 		ip6tables -A OUTPUT -j REJECT
 55 | 		"""
 56 | 	DUMP_TOROXY_IPTTABLES_RULES_CMD = """
 57 | 		iptables-save > /etc/iptables/rules.v4
 58 | 		ip6tables-save > /etc/iptables/rules.v6
 59 | 		netfilter-persistent start && netfilter-persistent save
 60 | 	"""
 61 | 	TOROXY_SETUP_SERVICES_CMD = """
 62 | 		cp ./toroxy.service /etc/systemd/system/toroxy.service
 63 | 		chmod 644 /etc/systemd/system/toroxy.service
 64 | 		systemctl daemon-reload
 65 | 
 66 | 		systemctl stop toroxy
 67 | 		systemctl start toroxy
 68 | 		systemctl enable toroxy
 69 | 
 70 | 		systemctl stop tor
 71 | 		systemctl start tor
 72 | 		systemctl enable tor
 73 | 
 74 | 		systemctl stop netfilter-persistent 
 75 | 		systemctl start netfilter-persistent 
 76 | 		systemctl enable netfilter-persistent 
 77 | 	"""
 78 | 	TOROXY_NOTIFICATION_CMD = """
 79 | 
 80 | 		# root UI
 81 | 		eval "export $(egrep -z DBUS_SESSION_BUS_ADDRESS /proc/$(pgrep -u $LOGNAME gnome-session)/environ)"
 82 | 
 83 | 		export DISPLAY=:0
 84 | 		for USR in `ls /home && echo root`
 85 | 		do
 86 | 			# ubuntu gnome + root UI
 87 | 			export XAUTHORITY=/home/$USR/.Xauthority
 88 | 			notify-send -u {0} '{1}' '{2}'
 89 | 
 90 | 			# ubuntu parallels
 91 | 			for UID in `ls /run/user/`
 92 | 			do
 93 | 				su $USR -c "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$UID/bus notify-send -u {0} '{1}' '{2}'"
 94 | 			done
 95 | 		done
 96 | 	"""
 97 | 	RULES_CHECKSUM_CMD = "{ iptables-save && ip6tables-save; } | sed s/\-\-uid\-owner\\\\s[0-9]\\\\+\\\\s//g | grep -viE '^#' | grep -viE '^\:' | sort | uniq | sha256sum | cut -d' ' -f 1"
 98 | 	IP_OBTAIN_CMD = 'wget -qO- https://check.torproject.org | grep -Po "(?<=strong>)[\d\.]+(?=</strong)"'
 99 | 	RULES_CHECKSUM_CORRECT_HASH = "dd152ac82159c1d0a04e4c95034f32f1ec12d49408faae4b9182b576954d018f"
100 | 	TOR_DNS = "nameserver 127.0.0.1"
101 | 	TOR_TORRC = "/etc/tor/torrc"
102 | 	RESOLV_FILE = "/etc/resolv.conf"
103 | 
104 | 
105 | class Toroxy:
106 | 
107 | 	lastSnapshotFileName = None
108 | 
109 | 	def ip(self):
110 | 		try:
111 | 			return commands.getstatusoutput(Strings.IP_OBTAIN_CMD)[1]
112 | 		except :
113 | 			return '';
114 | 
115 | 	def getStartRules(self):
116 | 		return Strings.IPTABLES_START_RULES%(getoutput("id -ur debian-tor"))
117 | 
118 | 	def rulesOk(self):
119 | 
120 | 		checkSum = getoutput(Strings.RULES_CHECKSUM_CMD).strip()
121 | 		alright = checkSum == Strings.RULES_CHECKSUM_CORRECT_HASH
122 | 
123 | 		if not alright:
124 | 			rules = getoutput('iptables-save && ip6tables-save')
125 | 			self.lastSnapshotFileName = "/tmp/broken-rules-%s.log" % time.strftime("%d-%m-%Y_%I-%M-%S")
126 | 			open(self.lastSnapshotFileName, "w").write(rules)
127 | 			return False
128 | 		else:
129 | 			return True
130 | 
131 | 	def changeResolveConf(self):
132 | 		os.system('sudo cp -p %s %s.toroxy.bak' % (Strings.RESOLV_FILE, Strings.RESOLV_FILE))
133 | 		if not Strings.TOR_DNS in open(Strings.RESOLV_FILE).read():
134 | 			with open(Strings.RESOLV_FILE, "w") as resolvConf:
135 | 				resolvConf.write(Strings.TOR_DNS)
136 | 
137 | 	def unchangeResolveConf(self):
138 | 		os.system('sudo mv %s.toroxy.bak %s' % (Strings.RESOLV_FILE, Strings.RESOLV_FILE))
139 | 		os.system("service network-manager restart")
140 | 
141 | 	def changeTorrc(self):
142 | 		os.system('sudo cp -p %s %s.toroxy.bak' % (Strings.TOR_TORRC, Strings.TOR_TORRC))
143 | 		if not Strings.TORRC_CONFIG in open(Strings.TOR_TORRC).read():
144 | 			with open(Strings.TOR_TORRC, "a") as torrc:
145 | 				torrc.write(Strings.TORRC_CONFIG)
146 | 
147 | 	def unchangeTorrc(self):
148 | 		os.system('sudo mv %s.toroxy.bak %s' % (Strings.TOR_TORRC, Strings.TOR_TORRC))
149 | 
150 | 	def changeFirewall(self):
151 | 		iptables_rules = """
152 | 			%s
153 | 			%s
154 | 		""" % (Strings.IPTABLES_STOP_RULES, self.getStartRules())
155 | 		os.system(iptables_rules)
156 | 
157 | 	def unchangeFirewall(self):
158 | 		os.system(Strings.IPTABLES_STOP_RULES)
159 | 
160 | 	def restart(self):
161 | 		self.changeTorrc()
162 | 		self.changeResolveConf()
163 | 		os.system("service tor start")
164 | 		self.changeFirewall()
165 | 
166 | 	def stop(self):
167 | 		self.unchangeFirewall()
168 | 		self.unchangeResolveConf()
169 | 		self.unchangeTorrc()
170 | 
171 | 	def switch(self):
172 | 		time.sleep(7)
173 | 		with Controller.from_port(port = 9051) as controller:
174 | 	  		controller.authenticate()
175 | 	  		controller.signal(Signal.NEWNYM)
176 | 
177 | 	def install(self):
178 | 		os.system("cp '%s' /usr/bin/toroxy" % (sys.argv[0]))
179 | 		self.restart()
180 | 		os.system(Strings.DUMP_TOROXY_IPTTABLES_RULES_CMD)
181 | 		self.stop()
182 | 		os.system(Strings.TOROXY_SETUP_SERVICES_CMD)
183 | 
184 | 	def notify(self, title, text='Toroxy', level='critical'):
185 | 		os.system(Strings.TOROXY_NOTIFICATION_CMD.format(level, title, text))
186 | 
187 | 	def service(self):
188 | 
189 | 		ipPrev = ''
190 | 		self.restart()
191 | 
192 | 		while True:
193 | 
194 | 			if not self.rulesOk():
195 | 				self.restart()
196 | 				msg = 'IpTables integrity violation detected!\nSnapshot in %s.\nFixed.' % self.lastSnapshotFileName
197 | 				self.notify('Toroxy', msg, 'critical')
198 | 
199 | 			try:
200 | 				ipCurr = self.ip().strip()
201 | 				if not ipCurr:
202 | 					raise Exception()
203 | 				if not ipCurr == ipPrev:
204 | 					ipPrev = ipCurr
205 | 					self.notify('Toroxy', 'Ip changed: '+ipCurr, 'low')
206 | 			except:
207 | 				self.switch()
208 | 
209 | 			time.sleep(1)
210 | 
211 | 
212 | class Signals:
213 | 
214 | 	def shutdown(self):
215 | 		sys.exit()
216 | 
217 | 	def sigint_handler(self, signum, frame):
218 | 	    shutdown()
219 | 
220 | 	def setup(self):
221 | 		signal.signal(signal.SIGINT, self.sigint_handler)
222 | 
223 | 
224 | ############################################################################
225 | 
226 | 
227 | if __name__ == "__main__":
228 | 
229 | 	Signals().setup()
230 | 
231 | 	if len(sys.argv) > 1:
232 | 		if sys.argv[1] == "stop":
233 | 			 Toroxy().stop()
234 | 		elif sys.argv[1] == "switch":
235 | 			Toroxy().switch()
236 | 		elif sys.argv[1] == "service":
237 | 			Toroxy().service()
238 | 		elif sys.argv[1] == "install":
239 | 			Toroxy().install()
240 | 	else:
241 | 		print "Use: toroxy stop|switch|service|install"
242 | 


--------------------------------------------------------------------------------
/toroxy.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Toroxy
 3 | After=network.target
 4 | StartLimitIntervalSec=0
 5 | 
 6 | [Service]
 7 | Type=simple
 8 | Restart=always
 9 | RestartSec=1
10 | User=root
11 | ExecStart=/usr/bin/toroxy service
12 | ExecStop=/usr/bin/toroxy stop
13 | ExecReload=/usr/bin/toroxy switch
14 | 
15 | [Install]
16 | WantedBy=multi-user.target
17 | 
18 | 


--------------------------------------------------------------------------------
/uninstall.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | export DEBIAN_FRONTEND=noninteractive
 4 | 
 5 | if systemctl --all | grep -Fq 'toroxy'; then   
 6 | 	echo "Toroxy detected. Stopping..."
 7 | 	systemctl stop toroxy  
 8 | fi
 9 | 
10 | rm /etc/systemd/system/toroxy.service
11 | rm /usr/bin/toroxy
12 | 
13 | echo "Toroxy uninstalled"


--------------------------------------------------------------------------------