31C3/laptop preparation

Laptop preparation
Goal is easy: prevent unauthorized accesses to your laptop while still being able to access resources. Oh, and, ensure resources aren't faked or messed up by some rogue proxy.

It's mainly based on CCC Survival Guide. It's a (very) good start to follow their advices, especially regarding physical protection ;).

Network
The proposed setup is based on two Onion Routers : i2p and Tor. The first one is optional, but it's always cool having some new stuff in order to try them. Well, new… i2p is 11 years old now ;).

All is based on Debian Sid, but most of the packages are present on Arch, Ubuntu, Gentoo and so on.

Get package
First, install Tor. On Debian, we can use Torporject sources in order to get the latest official releases:

You can get the distribution code with this command:.

You will also need the GPG key in order to be able to validate packages: gpg --keyserver keys.gnupg.net --recv 886DDD89 gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Then,.

Configuration
Now we have the package and related daemon, we have to configure it a bit. As the main aim of this setup is to make all the traffic through Tor, here are the settings you'll need. You may empty the file and copy&paste this: SocksPort 9050 IsolateDestAddr IsolateDestPort SafeSocks 0 TestSocks 1 TransPort 9040 TransListenAddress 127.0.0.1 DNSPort 5400 DNSListenAddress 127.0.0.1 NumCPUs 1 VirtualAddrNetwork 10.192.0.0/10 AvoidDiskWrites 1 AutomapHostsOnResolve 1
 * 1) Create SOCKS port, and ensure we isolate streams
 * 1) This port will be used for "non-socks" connection. I.e. for
 * 2) stupid apps which just don't know what a SOCKS is
 * 1) Create a listener for DNS queries.

Comments should be enough, but you might want to read some more documentation about the tor configuration file.

Restart Tor with, and we're done :).

i2p
As said, this step is optional. But anyway, it's cool. And even easier in fact.

Get package
Add the following source to your Debian system:

Import the following key for package signature:

Install required packages:

Edit the  file in order to enable the daemon. Start it with, and… well, that's all ;).

More information available here.

IPTables
Now we hit the game: we might as well kill our connection capabilities, or make some great things. After all, that's IPTables ;)

There are multiple goals with the proposed configuration:
 * 1) lock out the intruders
 * 2) force outgoing traffic through Tor by default
 * 3) allow "smart" application to connect by them-selves to the SOCKS or Transproxy
 * 4) allow i2p to go out freely
 * 5) allow Tor to go out freely

More over, we want this policy to be enforced as soon as we get network. In order to do so, we will need an "iptables-restore" call, and a script/configuration to feed it.

The following content is to be put in /etc/network/iptables file (or something like that, you'll have to create the file anyway). We will explain bellow how it works.


 * filter
 * INPUT DROP [1:264]
 * FORWARD ACCEPT [0:0]
 * OUTPUT DROP [60:12415]

-A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i vboxnet0 -j ACCEPT -A INPUT -j LOG --log-prefix "INPUT DROP "

-A OUTPUT -o lo -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m owner --uid-owner debian-tor -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -m owner --uid-owner i2psvc -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 5400 -j ACCEPT -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9050 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9040 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT -A OUTPUT -d 127.0.0.1/32 -s 127.0.0.1/32 -p tcp -m tcp --dport 631 -j ACCEPT -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP " COMMIT


 * nat
 * INPUT DROP [524:86738]
 * PREROUTING ACCEPT [0:0]
 * POSTROUTING ACCEPT [0:0]
 * OUTPUT ACCEPT [637739:421546290]

-A OUTPUT -m owner --uid-owner debian-tor -j RETURN -A OUTPUT -m owner --uid-owner i2psvc -j RETURN -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5400 -A OUTPUT -p udp -m udp --dport 123 -j REDIRECT --to-ports 123 -A OUTPUT ! -o lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040 -A OUTPUT -j LOG --log-prefix "OUTPUT nat DROP " -A INPUT -j LOG --log-prefix "INPUT nat DROP " COMMIT

So. How does it work? Pretty easy in the end: with iptables, we can filter packets by user ID, i.e. iptables knows "who" sends the packet it's filtering. As bot Tor and i2p daemon have dedicated users, we can tell iptables to let those two guys connections, while forcing the others through Tor. Or whatever you want, in fact.

The filter table (block starting with the *filter) will manage the IN and OUT, allowing only i2p and tor traffic out, while allowing related traffic in. It will force non-i2p/tor traffic to go through Tor TransPort we defined earlier, and it will also redirect DNS queries to Tor in order to avoid DNS poisoning.

The nat table (block starting with *nat) will do the redirects.

In order to enforce that, you'll need to edit your  file and add the following line in your eth0/wlan0 definitions:.

Physical
Feel free to add stuff ;).