CyberMind-FR
e364595b16
AI Insights Dashboard: - Rewrite CSS with KISS cyberpunk theme (dark bg, neon accents, glowing effects) - Fix CVE feed RPCD for OpenWrt/BusyBox compatibility (date format, JSON building) - Add wget fallback for CVE fetch Tor Shield: - Add excluded_domains support for bypassing Tor routing - Resolve domains via nslookup and add to iptables RETURN rules - Default exclusions: openwrt.org, downloads.openwrt.org, services.nvd.nist.gov Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
429 lines
12 KiB
Bash
Executable File
429 lines
12 KiB
Bash
Executable File
#!/bin/sh /etc/rc.common
|
|
# SecuBox Tor Shield - Tor anonymization service
|
|
# Copyright (C) 2025 CyberMind.fr
|
|
|
|
START=95
|
|
STOP=10
|
|
USE_PROCD=1
|
|
|
|
PROG=/usr/sbin/torctl
|
|
CONFIG=tor-shield
|
|
TORRC=/var/run/tor/torrc
|
|
TOR_DATA=/var/lib/tor
|
|
TOR_RUN=/var/run/tor
|
|
|
|
. /lib/functions.sh
|
|
|
|
generate_torrc() {
|
|
local enabled mode dns_over_tor socks_port socks_addr trans_port dns_port
|
|
local bridges_enabled bridge_type exit_nodes exclude_exit_nodes strict_nodes
|
|
|
|
config_load "$CONFIG"
|
|
config_get enabled main enabled '0'
|
|
config_get mode main mode 'transparent'
|
|
config_get dns_over_tor main dns_over_tor '1'
|
|
|
|
config_get socks_port socks port '9050'
|
|
config_get socks_addr socks address '127.0.0.1'
|
|
|
|
config_get trans_port trans port '9040'
|
|
config_get dns_port trans dns_port '9053'
|
|
|
|
config_get bridges_enabled bridges enabled '0'
|
|
config_get bridge_type bridges type 'obfs4'
|
|
|
|
config_get exit_nodes security exit_nodes ''
|
|
config_get exclude_exit_nodes security exclude_exit_nodes ''
|
|
config_get strict_nodes security strict_nodes '0'
|
|
|
|
mkdir -p "$TOR_RUN" "$TOR_DATA"
|
|
|
|
# Clean up stale files that may have wrong ownership
|
|
rm -f "$TOR_RUN/tor.pid" "$TOR_RUN/control" "$TOR_RUN/control_auth_cookie" 2>/dev/null
|
|
rm -f "$TOR_DATA/lock" 2>/dev/null
|
|
|
|
chown tor:tor "$TOR_RUN" "$TOR_DATA"
|
|
chmod 700 "$TOR_RUN" "$TOR_DATA"
|
|
|
|
cat > "$TORRC" << EOF
|
|
# SecuBox Tor Shield - Auto-generated config
|
|
# Do not edit - managed by tor-shield
|
|
|
|
User tor
|
|
DataDirectory $TOR_DATA
|
|
Log notice syslog
|
|
ControlSocket $TOR_RUN/control
|
|
ControlSocketsGroupWritable 1
|
|
CookieAuthentication 1
|
|
CookieAuthFile $TOR_RUN/control_auth_cookie
|
|
CookieAuthFileGroupReadable 1
|
|
|
|
# SOCKS proxy
|
|
SocksPort $socks_addr:$socks_port
|
|
SocksPolicy accept 127.0.0.1
|
|
SocksPolicy accept 192.168.0.0/16
|
|
SocksPolicy accept 10.0.0.0/8
|
|
SocksPolicy reject *
|
|
EOF
|
|
|
|
# Transparent proxy mode
|
|
if [ "$mode" = "transparent" ]; then
|
|
cat >> "$TORRC" << EOF
|
|
|
|
# Transparent proxy
|
|
TransPort 0.0.0.0:$trans_port
|
|
EOF
|
|
fi
|
|
|
|
# DNS over Tor
|
|
if [ "$dns_over_tor" = "1" ]; then
|
|
cat >> "$TORRC" << EOF
|
|
|
|
# DNS over Tor
|
|
DNSPort 0.0.0.0:$dns_port
|
|
AutomapHostsOnResolve 1
|
|
AutomapHostsSuffixes .onion,.exit
|
|
VirtualAddrNetworkIPv4 10.192.0.0/10
|
|
EOF
|
|
fi
|
|
|
|
# Bridge configuration - only enable if bridges are configured
|
|
if [ "$bridges_enabled" = "1" ]; then
|
|
# Count bridge lines first
|
|
BRIDGE_COUNT=0
|
|
count_bridge() { BRIDGE_COUNT=$((BRIDGE_COUNT + 1)); }
|
|
config_list_foreach bridges bridge_lines count_bridge
|
|
|
|
# Only add UseBridges if there are actual bridges configured
|
|
if [ "$BRIDGE_COUNT" -gt 0 ]; then
|
|
cat >> "$TORRC" << EOF
|
|
|
|
# Bridge mode
|
|
UseBridges 1
|
|
EOF
|
|
# Add bridge lines from config
|
|
config_list_foreach bridges bridge_lines add_bridge_line
|
|
fi
|
|
fi
|
|
|
|
# Exit node restrictions
|
|
if [ -n "$exit_nodes" ]; then
|
|
echo "ExitNodes $exit_nodes" >> "$TORRC"
|
|
fi
|
|
if [ -n "$exclude_exit_nodes" ]; then
|
|
echo "ExcludeExitNodes $exclude_exit_nodes" >> "$TORRC"
|
|
fi
|
|
if [ "$strict_nodes" = "1" ]; then
|
|
echo "StrictNodes 1" >> "$TORRC"
|
|
fi
|
|
|
|
# Hidden services
|
|
config_foreach add_hidden_service hidden_service
|
|
|
|
# GeoIP files
|
|
if [ -f /usr/share/tor/geoip ]; then
|
|
echo "GeoIPFile /usr/share/tor/geoip" >> "$TORRC"
|
|
fi
|
|
if [ -f /usr/share/tor/geoip6 ]; then
|
|
echo "GeoIPv6File /usr/share/tor/geoip6" >> "$TORRC"
|
|
fi
|
|
|
|
# Ensure torrc is readable by tor user
|
|
chown tor:tor "$TORRC"
|
|
}
|
|
|
|
add_bridge_line() {
|
|
echo "Bridge $1" >> "$TORRC"
|
|
}
|
|
|
|
add_hidden_service() {
|
|
local cfg="$1"
|
|
local enabled name local_port virtual_port
|
|
|
|
config_get enabled "$cfg" enabled '0'
|
|
[ "$enabled" = "1" ] || return
|
|
|
|
config_get name "$cfg" name "hidden_$cfg"
|
|
config_get local_port "$cfg" local_port '80'
|
|
config_get virtual_port "$cfg" virtual_port '80'
|
|
|
|
local hs_dir="$TOR_DATA/hidden_service_$name"
|
|
mkdir -p "$hs_dir"
|
|
chown tor:tor "$hs_dir"
|
|
chmod 700 "$hs_dir"
|
|
|
|
cat >> "$TORRC" << EOF
|
|
|
|
# Hidden Service: $name
|
|
HiddenServiceDir $hs_dir
|
|
HiddenServicePort $virtual_port 127.0.0.1:$local_port
|
|
EOF
|
|
}
|
|
|
|
setup_iptables() {
|
|
local mode trans_port dns_port dns_over_tor kill_switch wan_input_allow
|
|
|
|
config_load "$CONFIG"
|
|
config_get mode main mode 'transparent'
|
|
config_get kill_switch main kill_switch '1'
|
|
config_get dns_over_tor main dns_over_tor '1'
|
|
config_get wan_input_allow main wan_input_allow '0'
|
|
config_get trans_port trans port '9040'
|
|
config_get dns_port trans dns_port '9053'
|
|
|
|
# Get Tor user ID
|
|
local tor_uid=$(id -u tor 2>/dev/null || echo "tor")
|
|
|
|
# Remove from chains first (to allow chain deletion)
|
|
iptables -t nat -D OUTPUT -j TOR_SHIELD 2>/dev/null
|
|
iptables -t filter -D OUTPUT -j TOR_SHIELD 2>/dev/null
|
|
iptables -t nat -D PREROUTING -i br-lan -j TOR_SHIELD_LAN 2>/dev/null
|
|
|
|
# Clear existing Tor rules
|
|
for chain in TOR_SHIELD TOR_SHIELD_LAN; do
|
|
iptables -t nat -F $chain 2>/dev/null
|
|
iptables -t nat -X $chain 2>/dev/null
|
|
done
|
|
iptables -t filter -F TOR_SHIELD 2>/dev/null
|
|
iptables -t filter -X TOR_SHIELD 2>/dev/null
|
|
|
|
# Clean up nftables rules for server mode
|
|
cleanup_nftables_wan
|
|
|
|
[ "$mode" = "transparent" ] || return 0
|
|
|
|
# Create chains (ignore "already exists" errors)
|
|
iptables -t nat -N TOR_SHIELD 2>/dev/null || true
|
|
iptables -t filter -N TOR_SHIELD 2>/dev/null || true
|
|
|
|
# Exclude Tor traffic
|
|
iptables -t nat -A TOR_SHIELD -m owner --uid-owner $tor_uid -j RETURN
|
|
|
|
# Exclude local networks
|
|
config_list_foreach trans excluded_ips add_excluded_ip
|
|
|
|
# Exclude domains (resolve to IP and bypass Tor)
|
|
config_list_foreach trans excluded_domains add_excluded_domain
|
|
|
|
# Redirect DNS if enabled
|
|
if [ "$dns_over_tor" = "1" ]; then
|
|
iptables -t nat -A TOR_SHIELD -p udp --dport 53 -j REDIRECT --to-ports $dns_port
|
|
iptables -t nat -A TOR_SHIELD -p tcp --dport 53 -j REDIRECT --to-ports $dns_port
|
|
fi
|
|
|
|
# Redirect TCP to transparent proxy
|
|
iptables -t nat -A TOR_SHIELD -p tcp -j REDIRECT --to-ports $trans_port
|
|
|
|
# Add to OUTPUT chain
|
|
iptables -t nat -A OUTPUT -j TOR_SHIELD
|
|
|
|
# Kill switch - block non-Tor traffic
|
|
if [ "$kill_switch" = "1" ]; then
|
|
iptables -t filter -A TOR_SHIELD -m owner --uid-owner $tor_uid -j ACCEPT
|
|
iptables -t filter -A TOR_SHIELD -d 127.0.0.0/8 -j ACCEPT
|
|
config_list_foreach trans excluded_ips add_excluded_filter_ip
|
|
config_list_foreach trans excluded_domains add_excluded_domain_filter
|
|
# Allow response packets for inbound connections (HAProxy, etc)
|
|
iptables -t filter -A TOR_SHIELD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
|
iptables -t filter -A TOR_SHIELD -j REJECT
|
|
iptables -t filter -A OUTPUT -j TOR_SHIELD
|
|
fi
|
|
|
|
# Server mode: Allow WAN inbound traffic (for published services)
|
|
if [ "$wan_input_allow" = "1" ]; then
|
|
setup_nftables_wan_allow
|
|
fi
|
|
|
|
# LAN client Tor routing via PREROUTING
|
|
setup_lan_proxy
|
|
}
|
|
|
|
# nftables helpers for server mode WAN access
|
|
cleanup_nftables_wan() {
|
|
# Remove any previous tor-shield nftables rules
|
|
if command -v nft >/dev/null 2>&1; then
|
|
nft delete chain inet fw4 tor_shield_wan_in 2>/dev/null || true
|
|
fi
|
|
}
|
|
|
|
setup_nftables_wan_allow() {
|
|
# Server mode: Ensure WAN inbound is allowed
|
|
# This creates nftables rules to allow inbound connections from WAN
|
|
# Works with OpenWrt firewall4 (nftables-based)
|
|
|
|
if ! command -v nft >/dev/null 2>&1; then
|
|
echo "Warning: nft command not found, WAN input rules may not apply"
|
|
return 1
|
|
fi
|
|
|
|
# Check if fw4 table exists (OpenWrt firewall4)
|
|
if ! nft list table inet fw4 >/dev/null 2>&1; then
|
|
echo "Note: fw4 table not found, using legacy firewall"
|
|
return 0
|
|
fi
|
|
|
|
# Create chain for Tor Shield WAN input if not exists
|
|
nft add chain inet fw4 tor_shield_wan_in 2>/dev/null || true
|
|
|
|
# Allow all established/related (responses to outgoing)
|
|
nft add rule inet fw4 tor_shield_wan_in ct state established,related accept 2>/dev/null || true
|
|
|
|
# Allow new inbound on common service ports (HAProxy, HTTPS, HTTP)
|
|
# These are the ports typically used for published services
|
|
nft add rule inet fw4 tor_shield_wan_in tcp dport 80 accept 2>/dev/null || true
|
|
nft add rule inet fw4 tor_shield_wan_in tcp dport 443 accept 2>/dev/null || true
|
|
nft add rule inet fw4 tor_shield_wan_in tcp dport 8443 accept 2>/dev/null || true
|
|
|
|
# Hook into input_wan chain (before drop)
|
|
# First remove any existing jump to avoid duplicates
|
|
nft delete rule inet fw4 input_wan jump tor_shield_wan_in 2>/dev/null || true
|
|
# Add jump at the beginning of input_wan
|
|
nft insert rule inet fw4 input_wan jump tor_shield_wan_in 2>/dev/null || true
|
|
|
|
echo "Server mode: WAN inbound allowed on ports 80, 443, 8443"
|
|
}
|
|
|
|
add_excluded_ip() {
|
|
iptables -t nat -A TOR_SHIELD -d "$1" -j RETURN
|
|
}
|
|
|
|
add_excluded_filter_ip() {
|
|
iptables -t filter -A TOR_SHIELD -d "$1" -j ACCEPT
|
|
}
|
|
|
|
add_excluded_lan_ip() {
|
|
iptables -t nat -A TOR_SHIELD_LAN -d "$1" -j RETURN
|
|
}
|
|
|
|
# Resolve domain to IP and exclude from Tor routing
|
|
add_excluded_domain() {
|
|
local domain="$1"
|
|
[ -z "$domain" ] && return
|
|
|
|
# Resolve IPv4 addresses using nslookup (available on OpenWrt)
|
|
local ips=$(nslookup "$domain" 2>/dev/null | tail -n+3 | grep "Address" | awk '{print $2}' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')
|
|
|
|
if [ -n "$ips" ]; then
|
|
for ip in $ips; do
|
|
iptables -t nat -A TOR_SHIELD -d "$ip" -j RETURN
|
|
logger -t tor-shield "Excluded domain $domain -> $ip"
|
|
done
|
|
else
|
|
logger -t tor-shield "Warning: Could not resolve domain $domain"
|
|
fi
|
|
}
|
|
|
|
add_excluded_domain_filter() {
|
|
local domain="$1"
|
|
[ -z "$domain" ] && return
|
|
|
|
local ips=$(nslookup "$domain" 2>/dev/null | tail -n+3 | grep "Address" | awk '{print $2}' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')
|
|
|
|
for ip in $ips; do
|
|
iptables -t filter -A TOR_SHIELD -d "$ip" -j ACCEPT
|
|
done
|
|
}
|
|
|
|
setup_lan_proxy() {
|
|
local lan_proxy
|
|
config_get lan_proxy trans lan_proxy '0'
|
|
[ "$lan_proxy" = "1" ] || return 0
|
|
|
|
local trans_port dns_port dns_over_tor
|
|
config_get trans_port trans port '9040'
|
|
config_get dns_port trans dns_port '9053'
|
|
config_get dns_over_tor main dns_over_tor '1'
|
|
|
|
# Create PREROUTING chain
|
|
iptables -t nat -N TOR_SHIELD_LAN 2>/dev/null || true
|
|
|
|
# Exclude local destinations
|
|
config_list_foreach trans excluded_ips add_excluded_lan_ip
|
|
|
|
# Redirect DNS
|
|
if [ "$dns_over_tor" = "1" ]; then
|
|
iptables -t nat -A TOR_SHIELD_LAN -p udp --dport 53 -j REDIRECT --to-ports $dns_port
|
|
iptables -t nat -A TOR_SHIELD_LAN -p tcp --dport 53 -j REDIRECT --to-ports $dns_port
|
|
fi
|
|
|
|
# Redirect TCP to Tor
|
|
iptables -t nat -A TOR_SHIELD_LAN -p tcp -j REDIRECT --to-ports $trans_port
|
|
|
|
# Apply to LAN interface
|
|
iptables -t nat -A PREROUTING -i br-lan -j TOR_SHIELD_LAN
|
|
}
|
|
|
|
remove_iptables() {
|
|
# Remove from chains
|
|
iptables -t nat -D OUTPUT -j TOR_SHIELD 2>/dev/null
|
|
iptables -t filter -D OUTPUT -j TOR_SHIELD 2>/dev/null
|
|
iptables -t nat -D PREROUTING -i br-lan -j TOR_SHIELD_LAN 2>/dev/null
|
|
|
|
# Flush and remove all chains
|
|
for chain in TOR_SHIELD TOR_SHIELD_LAN; do
|
|
iptables -t nat -F $chain 2>/dev/null
|
|
iptables -t nat -X $chain 2>/dev/null
|
|
done
|
|
iptables -t filter -F TOR_SHIELD 2>/dev/null
|
|
iptables -t filter -X TOR_SHIELD 2>/dev/null
|
|
|
|
# Clean up nftables rules for server mode
|
|
cleanup_nftables_wan
|
|
}
|
|
|
|
start_service() {
|
|
local enabled
|
|
|
|
config_load "$CONFIG"
|
|
config_get enabled main enabled '0'
|
|
|
|
[ "$enabled" = "1" ] || {
|
|
echo "Tor Shield is disabled. Enable with: uci set tor-shield.main.enabled=1"
|
|
return 0
|
|
}
|
|
|
|
# Generate torrc
|
|
generate_torrc
|
|
|
|
# Setup iptables rules
|
|
setup_iptables
|
|
|
|
# Start Tor via procd
|
|
procd_open_instance tor
|
|
procd_set_param command /usr/sbin/tor -f "$TORRC"
|
|
procd_set_param respawn 3600 5 5
|
|
procd_set_param stdout 1
|
|
procd_set_param stderr 1
|
|
procd_set_param pidfile "$TOR_RUN/tor.pid"
|
|
procd_close_instance
|
|
}
|
|
|
|
stop_service() {
|
|
# Remove iptables rules
|
|
remove_iptables
|
|
|
|
# Kill tor process
|
|
if [ -f "$TOR_RUN/tor.pid" ]; then
|
|
kill $(cat "$TOR_RUN/tor.pid") 2>/dev/null
|
|
rm -f "$TOR_RUN/tor.pid"
|
|
fi
|
|
}
|
|
|
|
service_triggers() {
|
|
procd_add_reload_trigger "$CONFIG"
|
|
}
|
|
|
|
reload_service() {
|
|
stop
|
|
start
|
|
}
|
|
|
|
restart_service() {
|
|
stop
|
|
start
|
|
}
|
|
|
|
status() {
|
|
"$PROG" status
|
|
}
|