Given one host (router) with the following netfilter rule in order to redirect incoming TCP packets to its tor proxy service:

-A PREROUTING -p tcp --syn -j REDIRECT --to-ports 9040

Also given a second host (client) configured to use the tor router as gateway:

sudo ip route add 1.2.3.4 via ${TOR_ROUTER_IP}

Now, when I establish a TCP connection (HTTP) to 1.2.3.4, it hangs at "TCP_NODELAY set" for a bit before finally timing out:

curl -v https://1.2.3.4
*   Trying 1.2.3.4...        
* TCP_NODELAY set

While I run this command I can see the corresponding counter on the router increase constantly, using the following command:

iptables -t nat -L -v -n

This confirms that the rule mentioned at the beginning is actually applied. However, apparently no response is returned to the client (the curl command).

Consequently, I suspect an error in the iptables rules. But what is that error and how can it be resolved?

(Sidenote: I doubt it to be relevant, but the router is actually a docker container.)


Update: Here is the output of netstat -tulpen on the router:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:9040            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:9050            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.11:36045        0.0.0.0:*               LISTEN      -
udp        0      0 127.0.0.11:45140        0.0.0.0:*                           -
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -
user569825

1 Answer

I would need more information to confirm a resolution of your issue.

What are you running on 1.2.3.4 that curl would collect? If you aren't hosting anything then you won't get anything back, which should be obvious.

Did you try disabling TCP_NODELAY for the packets you are expecting? It appears your connection is waiting for packets to be sent, and since there aren't any, it eventually times out.

I don't think your iptables rules are wrong at all, or at least the way you present them seems to make sense.

So since I don't have more information:

  1. I would troubleshoot by pinging the ports you think are open on your docker; chances are they are not, or not open to the outside, or they are mapped to different ports than you think, or SELinux or something similar is blocking connections. You may need to explicitly allow the ports you need on both Docker and outside.

  2. I would also try upping permissions, meaning running things as sudo, especially the docker run command. Use docker exec to investigate the instance and ensure that it is open properly and running the services you expect.

james-see
  • The curl command works fine over clearnet (without said route), indicating that the remote HTTP host responds correctly and TCP_NODELAY may not be the issue. – user569825 Feb 11 '18 at 15:28
  • The proxy also does work fine when explicitly provided to the command, e.g. `curl --proxy socks5h://${TOR_ROUTER_IP}:9050 https://check.torproject.org/api/ip`, indicating that permissions are unlikely to be an issue. So that leaves us with ports, which I'll investigate right away. – user569825 Feb 11 '18 at 15:31
  • So far the only suspicious thing I found is that `telnet localhost 9040` on the router immediately returns: _"Connection closed by foreign host"_ – user569825 Feb 11 '18 at 16:48
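For readers following the question's REDIRECT rule and the last comment about `telnet localhost 9040`, here is an added illustration (not code from the question, the answer, or Tor) of what a listener behind `-j REDIRECT --to-ports 9040` has to do on Linux: the kernel rewrites the destination to the router's own address, so the proxy recovers the address the client actually dialled (1.2.3.4:443) with `getsockopt(SOL_IP, SO_ORIGINAL_DST)`. A connection made directly to the port, as with `telnet localhost 9040`, carries no redirected destination, so this example refuses it; the listen port and the `make_sockaddr_in` test helper are assumptions of this example.

```python
import socket
import struct

# Linux-specific constants: SO_ORIGINAL_DST (80) at level SOL_IP (0) returns
# the 16-byte sockaddr_in that conntrack recorded before REDIRECT rewrote it.
SOL_IP = 0
SO_ORIGINAL_DST = 80


def parse_original_dst(raw: bytes):
    """Decode a sockaddr_in: family (host order), port (network order), IPv4."""
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port


def make_sockaddr_in(ip: str, port: int) -> bytes:
    """Constructed test input mimicking what the kernel returns (hypothetical helper)."""
    return struct.pack("=H", socket.AF_INET) + struct.pack("!H", port) \
        + socket.inet_aton(ip) + b"\x00" * 8


def was_redirected(original_dst, local_addr) -> bool:
    """A redirected flow has an original destination that differs from the
    socket's own (post-NAT) local address; a direct connection does not."""
    return tuple(original_dst) != tuple(local_addr[:2])


def serve_transparent(listen_port: int = 9040):
    """Accept redirected TCP flows and report where each client really wanted to go."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", listen_port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        with conn:
            original = parse_original_dst(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))
            if not was_redirected(original, conn.getsockname()):
                print(f"{peer}: direct connection to {original}, not redirected; closing")
                continue  # the 'Connection closed by foreign host' case
            print(f"{peer}: client wanted {original[0]}:{original[1]}")
            # a real proxy would now open the upstream leg (e.g. via Tor) and relay bytes


if __name__ == "__main__":
    serve_transparent()
```

Run it on the router in place of the Tor listener to confirm that packets from the client arrive with the expected original destination before blaming the NAT rule.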