I am new to Tor and Linux in general. I have installed Kali Linux, installed Tor and downloaded the Tor bundle, but I realised that my traffic is only channeled through Tor when I browse with the Tor bundle browser, excluding any other browser or application. Please advise how I can channel all my network traffic on Kali Linux through the Tor network. Note that I am a newbie to Tor and Kali. Thanks.
3 Answers
Short answer:
Download Tails.
Long answer that more properly answers your question and use case:
Once Tor is installed (I'll leave that to you; I recommend using the official Tor repos for Debian), add the following to your torrc:
AutomapHostsOnResolve 1
DNSPort 53530
TransPort 9040
If you're using SELinux (I'm not familiar with Kali, but I doubt you are), make sure Tor is allowed to bind to 9040:
semanage port -a -t tor_port_t -p tcp 9040
Create a file to contain your iptables rules. For IPv4: /etc/iptables.firewall.rules and for IPv6: /etc/ip6tables.firewall.rules.
Now edit the IPv4 file and add something like the following (make sure to grep for TODO items and follow the instructions):
# Use the nat table to redirect some traffic to Tor
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Don't allow Tor traffic to get stuck in a redirect loop...
# TODO: Is `tor' your actual Tor user? It might be `debian-tor' or `toranon' or something else.
-A OUTPUT -m owner --uid-owner tor -j RETURN
# Redirect DNS lookups to Tor.
# TODO: Set this to your Tor DNSPort if it's not 53530.
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53530
# Do not redirect private networks or loopback.
-A OUTPUT -d 10.0.0.0/8 -j RETURN
-A OUTPUT -d 172.16.0.0/12 -j RETURN
-A OUTPUT -d 192.168.0.0/16 -j RETURN
# Redirect HS connections to the TransPort.
-A OUTPUT -d 127.192.0.0/10 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
# Redirect all TCP traffic to Tor's TransPort.
-A OUTPUT ! -o lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
# Only accept anonymized network traffic in the filter table.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LAN - [0:0]
# Allow loopback
-A INPUT -i lo -j ACCEPT
# Allow connections that are already established.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Reject incoming connections.
-A INPUT -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# Accept network traffic for the Tor service itself.
# TODO: Tor user?
-A OUTPUT -m owner --uid-owner tor -j ACCEPT
# Accept DNS requests to the Tor DNSPort.
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53530 -j ACCEPT
# Accept outgoing traffic to the local Tor TransPort.
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9040 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# Accept outgoing traffic to the local Tor SOCKSPorts.
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9050 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9150 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# Accept connections on private networks.
-A OUTPUT -d 10.0.0.0/8 -j LAN
-A OUTPUT -d 172.16.0.0/12 -j LAN
-A OUTPUT -d 192.168.0.0/16 -j LAN
-A LAN -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A LAN -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A LAN -j ACCEPT
# Reject all other outgoing traffic.
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
For the IPv6 file, you can do something similar with ip6tables, or just drop all IPv6 traffic.
Now set these rules to be loaded on startup by creating the file /etc/network/if-pre-up.d/firewall with the following contents:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
/sbin/ip6tables-restore < /etc/ip6tables.firewall.rules
Restart Tor if needed, and load your new firewall rules manually by executing the previous commands.
Note that I haven't tested all of these rules (they were compiled from several places online), and there are likely to be leaks in ways that I'm not thinking of. Suggestions and improvements welcome. There may also be an easier way to set rules on your distribution; I'm not familiar with Kali beyond basic Debian administration.
Also note that you should NOT rely on this where perfect anonymity is a must. You're also going to have to think about the kinds of traffic you generate, and tweak your browsing habits. The usual disclaimers apply.
Further reading
- How does Tor transparent proxying work?
- How to force all network traffic through Tor on Fedora (borrowed a lot of his ideas here to patch holes in my initial pass at the firewall)
- Tor documentation on the subject with workarounds for several leaks (not included here)
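The following added example, which is not part of the original answer, cross-checks a torrc against an iptables-restore file for the points the answer's TODO comments raise: the Tor user is exempted before any REDIRECT, the REDIRECT ports match DNSPort and TransPort, and the filter OUTPUT chain fails closed. The function names (`torrc_ports`, `parse_output`, `audit`) and the abridged sample inputs are constructed for this example.

```python
import re
# Added example: names are this example's own; sample abridged from the answer above.
TORRC = "AutomapHostsOnResolve 1\nDNSPort 53530\nTransPort 9040\n"
RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner tor -j RETURN
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53530
-A OUTPUT ! -o lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -m owner --uid-owner tor -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def torrc_ports(torrc):
    """Map DNSPort/TransPort to the port numbers set in a torrc."""
    found = re.findall(r"^\s*(DNSPort|TransPort)\s+(?:\S+:)?(\d+)", torrc, re.M)
    return {name: int(port) for name, port in found}

def parse_output(rules):
    """Return {table: [OUTPUT policy, [OUTPUT rules in order]]} from iptables-restore text."""
    tables, cur = {}, None
    for line in map(str.strip, rules.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], [None, []])
        elif cur is not None and line.startswith(":OUTPUT "):
            cur[0] = line.split()[1]
        elif cur is not None and line.startswith("-A OUTPUT "):
            cur[1].append(line)
    return tables

def audit(torrc, rules, tor_user="tor"):
    """Return a list of findings; an empty list means every check passed."""
    ports, tables = torrc_ports(torrc), parse_output(rules)
    (_, nat), (policy, flt) = (tables.get(k, [None, []]) for k in ("nat", "filter"))
    out, exempt = [], f"--uid-owner {tor_user} -j RETURN"
    for i, rule in enumerate(nat, 1):
        m = re.search(r"-j REDIRECT --to-ports (\d+)", rule)
        want = ports.get("DNSPort" if "-p udp" in rule else "TransPort")
        if m and not any(exempt in r for r in nat[:i - 1]):
            out.append(f"nat rule {i}: no {tor_user} exemption before this REDIRECT")
        if m and int(m.group(1)) != want:
            out.append(f"nat rule {i}: redirects to {m.group(1)}, torrc has {want}")
    if policy != "DROP" and not (flt and re.match(r"-A OUTPUT -j (REJECT|DROP)\b", flt[-1])):
        out.append("filter: OUTPUT neither defaults to DROP nor ends in a catch-all")
    return out
```

Calling `audit()` with the contents of the real torrc and /etc/iptables.firewall.rules, and `tor_user` set to the account Tor actually runs as, lists any of these mismatches before the rules are loaded.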
Note that redirecting your entire traffic through the Tor network isn't a good idea when you have to upgrade your packages or do things that require a lot of bandwidth. Anyway:
1) Install Tor (if you didn't already):
sudo apt-get install tor -y
2) Start Tor from the terminal:
user@notebook:~$ tor
For security reasons you should run Tor without root privileges, so you can create a separate user just for Tor:
sudo adduser tor --uid 3000
The ID of the "Tor user" should be the lower of the other users to minimize the security risks. After adding the "Tor user" you should create a Tor directory in the Tor user's home:
cd /home/tor
mkdir .tor
Then you have to change the current user:
su tor
And finally you can run Tor. Note that Tor opens a SOCKS proxy on port 9050 by default, even if you don't configure one, so what you have to do is set the proxy to:
socks5://127.0.0.1:9050
And so go to system settings --> network --> proxy and here you are...
I suggest you don't use Tor when you have to upgrade some packages or when you download large amounts of data, or even when you watch a video on YouTube or other sites. This isn't a good idea either for you (because Tor's network is slow) or for the Tor network.
Yes, it's possible, but you MUST use a separate box for it. I'm using a Raspberry Pi 2 for this task; it performs pretty well. On your box you're not using anything unusual, and on the routing box you're using iptables + the Tor TransPort option. I'll complete my full article about this this week, but the brief config is:
RunAsDaemon 1
PidFile /var/run/tor
FastFirstHop 0
AllowSingleHopCircuits 0
EnforceDistinctSubnets 1
UseEntryGuards 1
DisableAllSwap 1
AvoidDiskWrites 1
NumCPUS 2
ConnLimit 8192
DataDirectory /usr/tor/data
GeoIPFile /usr/tor/share/tor/geoip
GeoIPv6File /usr/tor/share/tor/geoip6
Log notice stdout
SocksListenAddress 127.0.0.1
SocksPort 9050
LongLivedPorts 21,22,80,443,465,554,636,706,873,993,995,1863,2401,3690,4155,5050,5190,5222,5223,5269,5298,6523,6666,6667,6668,6669,6697,6881,6882,6883,6884,6885,6886,6887,6888,6889,7000,8000,8010,8300,8554
ClientOnly 0
ORPort 443
Exitpolicy reject *:*
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 127.0.0.1
DNSPort 53
DNSListenAddress 127.0.0.2
DisableDebuggerAttachment 0
DynamicDHGroups 1
User tor
That was the torrc, and in iptables you're forwarding all the TCP traffic from your internal NIC to that TransPort. Do you need further help?