# TOR on firewall to transparently torrify local traffic - HOW

## DawgG

for internet-access at home i use a nat-firewall (as default-gw) for all clients to connect to the web. it blindly nats everything (trusted network, sniffing network data is not an issue) and only accepts connections on one port from the outside.

i would like to reconfigure it so that all traffic from the inside is routed through the tor-network but the clients don't "notice" this and nothing on them has to be set up differently. ideally when i start tor (on the nat-gw) all traffic goes through that and when i stop it the traffic goes "directly" and unencrypted to the dest-servers (like now). and of course i want to be able to run a relay to donate some bandwidth to the tor-network.

i've found some howtos but none address this issue directly (e.g. i don't want to make the nat-gw listen on some port and then reconfigure everything on the clients to just connect to that port).

i have some basic ideas about all this but i am not sure how to put it together correctly.

(since i don't want to change anything on the clients all this refers to the nat-gw)

iptables/kernel:

- turn ip-forwarding off (?)
- accept all traffic on the internal interface and redirect it to locally listening tor-server (127.0.0.1:9050)
- let the local tor-process make outbound connections to torports on all hosts
- handle the inbound connections that "come back"
- accept connections from external if to local tor-process when i run a tor-relay and its outbound connections
- redistribute the connections correctly back to the local clients

if it's possible it would be nice to exclude some stuff from tor and let it connect directly - ntp with tor might not be so nice.

tor:

- configure it to accept and handle all connections from localhost (127.0.0.1:9050)
- configure it to accept relay-connections from the outside

the torrifying local gateway and the tor-relay don't have to run at the same time; i can just write some scripts that start one or the other or restore un-torrified nat.

btw, the box runs from a cf-card and a ramdisk on an old epia-board - is it powerful enough to do all the encryption?

so - any ideas for rules and configs? i can probably figure it all out myself some time but any help and ideas are greatly appreciated!

----------

## Hu

You can set iptables to route ntp directly and redirect other traffic into the Tor network.  A difficulty could arise if Tor is not designed to handle redirected connections, in which case you will need some way of advising the Tor server of the original destination of the connection you redirected to it.
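One way to put the rule list from the first post together, with the NTP exception and the original-destination problem raised in this reply handled by Tor's transparent-proxy port (TransPort) instead of the SOCKS port 9050. This is an added example, not from either poster; the LAN interface name, the port numbers in torrc and the `log_rule` dry-run hook are assumptions.

```shell
#!/bin/sh
# Transparent Tor gateway rules for a NAT firewall (added example, not from the thread).
# Assumed (hypothetical) values: LAN interface eth1; torrc on the gateway contains
#   TransPort 9040
#   DNSPort 5353
# REDIRECT keeps the original destination on the socket and Tor's TransPort reads it
# back (SO_ORIGINAL_DST), so clients keep their normal default-gateway setup.
LAN_IF=${LAN_IF:-eth1}
TRANS_PORT=${TRANS_PORT:-9040}
DNS_PORT=${DNS_PORT:-5353}
IPT=${IPT:-iptables}

# Dry-run hook: set IPT=log_rule to print the rules instead of applying them.
log_rule() { printf '%s\n' "$*"; }

# $1 is -A to add the rules or -D to delete exactly the same rules again.
tor_rules() {
  act=$1
  # Client DNS goes to Tor's DNSPort, so lookups are not leaked to the ISP resolver.
  $IPT -t nat "$act" PREROUTING -i "$LAN_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
  # NTP (UDP/123) is excluded: RETURN ends nat-table traversal, so it takes the plain NAT path.
  $IPT -t nat "$act" PREROUTING -i "$LAN_IF" -p udp --dport 123 -j RETURN
  # Every new TCP connection from the LAN is handed to Tor's transparent-proxy port.
  $IPT -t nat "$act" PREROUTING -i "$LAN_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
  # Let the redirected packets reach the local Tor process.
  $IPT "$act" INPUT -i "$LAN_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT
  $IPT "$act" INPUT -i "$LAN_IF" -p udp --dport "$DNS_PORT" -j ACCEPT
  # Tor carries TCP only: forwarding other UDP directly would bypass Tor, so drop it.
  $IPT "$act" FORWARD -i "$LAN_IF" -p udp ! --dport 123 -j DROP
}

tor_rules_apply()  { tor_rules -A; }   # "start tor" script
tor_rules_remove() { tor_rules -D; }   # "stop tor" script: back to plain NAT
```

The rules are appended, so if the existing firewall already has an earlier FORWARD ACCEPT that covers UDP, the DROP must be inserted ahead of it (-I) or it is never reached.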

----------

