From 66def778a541f7d7241c9ba02be774adbc495dd8 Mon Sep 17 00:00:00 2001
From: Jacob Appelbaum <jacob@appelbaum.net>
Date: Fri, 5 Aug 2011 15:45:36 -0700
Subject: torouter-prep package

---
 packages/torouter-prep/src/linux-tor-prio.sh    | 192 ++++++++++++++++++++++++
 packages/torouter-prep/src/torouter_config.sh   | 157 +++++++++++++++++++
 packages/torouter-prep/src/torouter_takeover.sh |   3 +
 3 files changed, 352 insertions(+)
 create mode 100644 packages/torouter-prep/src/linux-tor-prio.sh
 create mode 100644 packages/torouter-prep/src/torouter_config.sh
 create mode 100644 packages/torouter-prep/src/torouter_takeover.sh

(limited to 'packages/torouter-prep/src')

diff --git a/packages/torouter-prep/src/linux-tor-prio.sh b/packages/torouter-prep/src/linux-tor-prio.sh
new file mode 100644
index 0000000..ea9e0dd
--- /dev/null
+++ b/packages/torouter-prep/src/linux-tor-prio.sh
@@ -0,0 +1,192 @@
+#!/bin/bash
+# Written by Marco Bonetti & Mike Perry
+# Based on instructions from Dan Singletary's ADSL BW Management HOWTO:
+# http://www.faqs.org/docs/Linux-HOWTO/ADSL-Bandwidth-Management-HOWTO.html
+# This script is Public Domain.
+
+############################### README #################################
+
+# This script provides prioritization of Tor traffic below other
+# traffic on a Linux server. It has two modes of operation: UID based 
+# and IP based. 
+
+# UID BASED PRIORITIZATION
+#
+# The UID based method requires that Tor be launched from 
+# a specific user ID. The "User" Tor config setting is
+# insufficient, as it sets the UID after the socket is created.
+# Here is a C wrapper you can use to execute Tor and drop privs before 
+# it creates any sockets. 
+#
+# Compile with:
+# gcc -DUID=`id -u tor` -DGID=`id -g tor` tor_wrap.c -o tor_wrap
+#
+# #include <unistd.h>
+# int main(int argc, char **argv) {
+# if(initgroups("tor", GID) == -1) { perror("initgroups"); return 1; }
+# if(setresgid(GID, GID, GID) == -1) { perror("setresgid"); return 1; }
+# if(setresuid(UID, UID, UID) == -1) { perror("setresuid"); return 1; }
+# execl("/bin/tor", "/bin/tor", "-f", "/etc/tor/torrc", NULL);
+# perror("execl"); return 1;
+# }
+
+# IP BASED PRIORITIZATION
+#
+# The IP setting requires that a separate IP address be dedicated to Tor. 
+# Your Torrc should be set to bind to this IP for "OutboundBindAddress", 
+# "ListenAddress", and "Address".
+
+# GENERAL USAGE
+#
+# You should also tune the individual connection rate parameters below
+# to your individual connection. In particular, you should leave *some* 
+# minimum amount of bandwidth for Tor, so that Tor users are not 
+# completely choked out when you use your server's bandwidth. 30% is 
+# probably a reasonable choice. More is better of course.
+#
+# To start the shaping, run it as: 
+#   ./linux-tor-prio.sh 
+#
+# To get status information (useful to verify packets are getting marked
+# and prioritized), run:
+#   ./linux-tor-prio.sh status
+#
+# And to stop prioritization:
+#   ./linux-tor-prio.sh stop
+#
+########################################################################
+
+# BEGIN USER TUNABLE PARAMETERS
+
+DEV=eth0
+
+# NOTE! You must START Tor under this UID. Using the Tor User
+# config setting is NOT sufficient. See above.
+TOR_UID=$(id -u tor)
+
+# If the UID mechanism doesn't work for you, you can set this parameter
+# instead. If set, it will take precedence over the UID setting. Note that
+# you need multiple IPs with one specifically devoted to Tor for this to
+# work.
+#TOR_IP="42.42.42.42"
+
+# Average ping to most places on the net, milliseconds
+RTT_LATENCY=40
+
+# RATE_UP must be less than your connection's upload capacity in
+# kbits/sec. If it is larger, then the bottleneck will be at your
+# router's queue, which you do not control. This will cause congestion
+# and a revert to normal TCP fairness no matter what the queing
+# priority is.
+RATE_UP=5000
+
+# RATE_UP_TOR is the minimum speed your Tor connections will have in
+# kbits/sec.  They will have at least this much bandwidth for upload.
+# In general, you probably shouldn't set this too low, or else Tor
+# users who use your node will be completely choked out whenever your
+# machine does any other network activity. That is not very fun.
+RATE_UP_TOR=1500
+
+# RATE_UP_TOR_CEIL is the maximum rate allowed for all Tor trafic in
+# kbits/sec.
+RATE_UP_TOR_CEIL=5000
+
+CHAIN=OUTPUT
+#CHAIN=PREROUTING
+#CHAIN=POSTROUTING
+
+MTU=1500
+AVG_PKT=900 # should be more like 600 for non-exit nodes
+
+# END USER TUNABLE PARAMETERS
+
+
+
+# The queue size should be no larger than your bandwidth-delay
+# product. This is RT latency*bandwidth/MTU/2
+
+BDP=$(expr $RTT_LATENCY \* $RATE_UP / $AVG_PKT)
+
+# Further research indicates that the BDP calculations should use
+# RTT/sqrt(n) where n is the expected number of active connections..
+
+BDP=$(expr $BDP / 4)
+
+if [ "$1" = "status" ]
+then
+	echo "[qdisc]"
+	tc -s qdisc show dev $DEV
+	tc -s qdisc show dev imq0
+	echo "[class]"
+	tc -s class show dev $DEV
+	tc -s class show dev imq0
+	echo "[filter]"
+	tc -s filter show dev $DEV
+	tc -s filter show dev imq0
+	echo "[iptables]"
+	iptables -t mangle -L TORSHAPER-OUT -v -x 2> /dev/null
+	exit
+fi
+
+
+# Reset everything to a known state (cleared)
+tc qdisc del dev $DEV root 2> /dev/null > /dev/null
+tc qdisc del dev imq0 root 2> /dev/null > /dev/null
+iptables -t mangle -D POSTROUTING -o $DEV -j TORSHAPER-OUT 2> /dev/null > /dev/null
+iptables -t mangle -D PREROUTING -o $DEV -j TORSHAPER-OUT 2> /dev/null > /dev/null
+iptables -t mangle -D OUTPUT -o $DEV -j TORSHAPER-OUT 2> /dev/null > /dev/null
+iptables -t mangle -F TORSHAPER-OUT 2> /dev/null > /dev/null
+iptables -t mangle -X TORSHAPER-OUT 2> /dev/null > /dev/null
+ip link set imq0 down 2> /dev/null > /dev/null
+rmmod imq 2> /dev/null > /dev/null
+
+if [ "$1" = "stop" ]
+then
+	echo "Shaping removed on $DEV."
+	exit
+fi
+
+# Outbound Shaping (limits total bandwidth to RATE_UP)
+
+ip link set dev $DEV qlen $BDP
+
+# Add HTB root qdisc, default is high prio
+tc qdisc add dev $DEV root handle 1: htb default 20
+
+# Add main rate limit class
+tc class add dev $DEV parent 1: classid 1:1 htb rate ${RATE_UP}kbit
+
+# Create the two classes, giving Tor at least RATE_UP_TOR kbit and capping
+# total upstream at RATE_UP so the queue is under our control.
+tc class add dev $DEV parent 1:1 classid 1:20 htb rate $(expr $RATE_UP - $RATE_UP_TOR)kbit ceil ${RATE_UP}kbit prio 0
+tc class add dev $DEV parent 1:1 classid 1:21 htb rate $[$RATE_UP_TOR]kbit ceil ${RATE_UP_TOR_CEIL}kbit prio 10
+
+# Start up pfifo
+tc qdisc add dev $DEV parent 1:20 handle 20: pfifo limit $BDP
+tc qdisc add dev $DEV parent 1:21 handle 21: pfifo limit $BDP
+
+# filter traffic into classes by fwmark
+tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
+tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21
+
+# add TORSHAPER-OUT chain to the mangle table in iptables
+iptables -t mangle -N TORSHAPER-OUT
+iptables -t mangle -I $CHAIN -o $DEV -j TORSHAPER-OUT
+
+
+# Set firewall marks
+# Low priority to Tor
+if [ ""$TOR_IP == "" ]
+then
+	echo "Using UID-based QoS. UID $TOR_UID marked as low priority."
+	iptables -t mangle -A TORSHAPER-OUT -m owner --uid-owner $TOR_UID -j MARK --set-mark 21
+else
+	echo "Using IP-based QoS. $TOR_IP marked as low priority."
+	iptables -t mangle -A TORSHAPER-OUT -s $TOR_IP -j MARK --set-mark 21
+fi
+
+# High prio for everything else
+iptables -t mangle -A TORSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 20
+
+echo "Outbound shaping added to $DEV.  Rate for Tor upload at least: ${RATE_UP_TOR}Kbyte/sec."
+
diff --git a/packages/torouter-prep/src/torouter_config.sh b/packages/torouter-prep/src/torouter_config.sh
new file mode 100644
index 0000000..7a6a581
--- /dev/null
+++ b/packages/torouter-prep/src/torouter_config.sh
@@ -0,0 +1,157 @@
+#!/bin/bash -x
+
+echo "This program will reconfigure your Debian system into a Torouter"
+exit 0
+echo "This is where we'd take over the entire Torouter system"
+
+# For every file we touch, move it to the temp_dir and then tar it up in the end
+temp_dir="`mktemp -d`"
+
+# Add a user
+ADMINUSER="toradmin"
+ADMINGROUP="toradmin"
+
+# Install the Tor repo key
+gpg --keyserver keys.gnupg.net --recv 886DDD89
+gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
+
+cp /etc/hosts $temp_dir/
+# Stomp on the hosts file
+cat << EOF > /etc/hosts
+127.0.0.1 localhost
+EOF
+
+cp /etc/hostname $temp_dir/
+# Set us to have a default host name
+echo "torouter" > /etc/hostname
+
+# We need to prep apt to understand that we want packages from other repos
+# We append to the current package list
+cat << EOF >> /etc/apt/sources.list
+# Tor's debian package repo:
+deb http://deb.torproject.org/torproject.org squeeze main
+deb http://deb.torproject.org/torproject.org experimental-squeeze main
+
+# Add Debian backports for OpenNTPD, libminiupnpc-dev, libminiupnpc5
+# http://packages.debian.org/squeeze-backports/libminiupnpc-dev
+deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
+
+# Add Debian experimental for libnatpmp0
+# http://packages.debian.org/experimental/libnatpmp0
+deb http://ftp.debian.org/debian experimental main
+deb-src http://ftp.debian.org/debian experimental main
+
+EOF
+
+# We're creating this file to ensure we get updates
+cat << 'EOF' > /etc/apt/preferences.d/backports
+Package: *
+Pin: release a=squeeze-backports
+Pin-Priority: 200
+EOF
+
+apt-get -y update
+
+# Install some other packages here:
+apt-get -y install denyhosts ufw 
+
+# Allow us to set the clock:
+apt-get -y -t squeeze-backports install openntpd
+
+# Install Tor and deps:
+apt-get -y install tor tor-geoipdb
+
+# To build with natpmp support
+apt-get -y -t experimental install libnatpmp0
+
+# To build with miniupnpc support
+apt-get -y -t squeeze-backports install libminiupnpc-dev
+apt-get -y -t squeeze-backports install libminiupnpc5
+
+# XXX
+# We want to apt-get source tor and build it for the 0.2.3.x branch
+#
+
+# Install a Tor controller:
+apt-get -y install tor-arm
+
+# Install a normal dns cache for eth1
+apt-get -y install dnsmasq
+
+##
+## Configuration stage of the script
+##
+
+# Configure arm
+zcat /usr/share/doc/tor-arm/armrc.sample.gz > ~$(ADMINUSER)/.armrc
+# XXX This is where we will call torrc-takeover.py when it is packaged
+
+# XXX We should reconfigure /etc/inittab here
+
+# Configure the network
+# eth0 is our "internet" interface with a dhcp client
+cat << 'EOF' >  /etc/network/interfaces
+# The primary network interface
+allow-hotplug eth0
+iface eth0 inet dhcp
+
+#
+# XXX Configure eth1 and ap0 here
+#
+
+EOF
+
+# XXX We should configure ufw here
+# ufw allow 
+# XXX We should configure denyhosts
+# XXX We should configure dnsmasq
+# XXX We should configure the DHCP server here
+
+cp /etc/tor/torrc $temp_dir/
+# configure Tor and stomp on the current Tor config
+cat << 'EOF' > /etc/tor/torrc
+# Run Tor as a bridge/relay only, not as a client
+SocksPort 0
+
+# What port to advertise for incoming Tor connections
+ORPort 443
+
+# We're on a flash file system
+AvoidDiskWrites 1
+
+# Be a bridge
+BridgeRelay 1
+
+# Rate limited
+BandwidthRate 50KB
+
+# Don't allow any Tor traffic to exit
+Exitpolicy reject *:*
+
+# Allow a controller (tor-arm) on this system to configure Tor:
+ControlPort 9051
+ControlListenAddress 127.0.0.1:9051
+CookieAuthentication 1
+EOF
+
+# Remove a bunch of stuff:
+apt-get -y remove exim4-base exim4-config exim4-daemon-light dbus 
+
+## Disable ipv6 support
+cp /etc/sysctl.d/disableipv6.conf $temp_dir/
+echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
+cp /etc/sshd_config $temp_dir/
+echo "AddressFamily inet" >> /etc/ssh/ssh_config
+
+##
+## Restart services here
+##
+
+/etc/init.d/ssh restart
+/etc/init.d/tor restart
+
+##
+## Touch a stamp to show that we're now a Torouter
+##
+
+echo "torouter" > /etc/torouter
diff --git a/packages/torouter-prep/src/torouter_takeover.sh b/packages/torouter-prep/src/torouter_takeover.sh
new file mode 100644
index 0000000..2b76502
--- /dev/null
+++ b/packages/torouter-prep/src/torouter_takeover.sh
@@ -0,0 +1,3 @@
+# This program will wrap debtakeover:
+# http://www.hadrons.org/~guillem/debian/debtakeover/
+
-- 
cgit v1.2.3