- script to setup iptables redsocks and tor to force all traffic over tor

networking/redsocks.conf

+base {
+	// debug: connection progress & client list on SIGUSR1
+	log_debug = off;
+
+	// info: start and end of client session
+	log_info = on;
+
+	/* possible `log' values are:
+	 *   stderr
+	 *   "file:/path/to/file"
+	 *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
+	 */
+	log = "syslog:daemon";
+
+	// detach from console
+	daemon = on;
+
+	/* Change uid, gid and root directory, these options require root
+	 * privilegies on startup.
+	 * Note, your chroot may requre /etc/localtime if you write log to syslog.
+	 * Log is opened before chroot & uid changing.
+	 */
+	user = redsocks;
+	group = redsocks;
+	// chroot = "/var/chroot";
+
+	/* possible `redirector' values are:
+	 *   iptables   - for Linux
+	 *   ipf        - for FreeBSD
+	 *   pf         - for OpenBSD
+	 *   generic    - some generic redirector that MAY work
+	 */
+	redirector = iptables;
+}
+
+redsocks {
+	/* `local_ip' defaults to 127.0.0.1 for security reasons,
+	 * use 0.0.0.0 if you want to listen on every interface.
+	 * `local_*' are used as port to redirect to.
+	 */
+	local_ip = 127.0.0.1;
+	local_port = 12345;
+
+	// `ip' and `port' are IP and tcp-port of proxy-server
+	// You can also use hostname instead of IP, only one (random)
+	// address of multihomed host will be used.
+	ip = 127.0.0.1;
+	port = 9050;
+
+
+	// known types: socks4, socks5, http-connect, http-relay
+	type = socks5;
+
+	// login = "foobar";
+	// password = "baz";
+}
+
+redudp {
+	// `local_ip' should not be 0.0.0.0 as it's also used for outgoing
+	// packets that are sent as replies - and it should be fixed
+	// if we want NAT to work properly.
+	local_ip = 127.0.0.1;
+	local_port = 10053;
+
+	// `ip' and `port' of socks5 proxy server.
+	ip = 192.0.2.1;
+	port = 1080;
+	login = username;
+	password = pazzw0rd;
+
+	// kernel does not give us this information, so we have to duplicate it
+	// in both iptables rules and configuration file.  By the way, you can
+	// set `local_ip' to 127.45.67.89 if you need more than 65535 ports to
+	// forward ;-)
+	// This limitation may be relaxed in future versions using contrack-tools.
+	dest_ip = 192.0.2.2;
+	dest_port = 53;
+
+	udp_timeout = 30;
+	udp_timeout_stream = 180;
+}
+
+dnstc {
+	// fake and really dumb DNS server that returns "truncated answer" to
+	// every query via UDP, RFC-compliant resolver should repeat same query
+	// via TCP in this case.
+	local_ip = 127.0.0.1;
+	local_port = 5300;
+}
+
+// you can add more `redsocks' and `redudp' sections if you need.

networking/torred

+#!/bin/bash
+
+export DEPS=tor redsocks
+export NUMARGS=1
+export USAGE="./torred [on/off]"
+export SRCROOT="../"
+source "$SRCROOT/HBL"
+
+UUID=1000 # uuid of the user you want to force tor upon
+
+check_root
+check_dependencies $DEPS
+check_num_args $#
+
+
+setup_iptables()
+{
+	iptables -t nat -N REDSOCKS
+
+	iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
+	iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
+	iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
+	iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
+	iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
+	iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
+	iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
+	iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
+	iptables -t nat -A REDSOCKS -d 10.205.0.0/8 -j RETURN
+
+	iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
+
+	iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner 1000 -j REDSOCKS
+}
+
+remove_iptables()
+{
+	iptables -t nat -F
+}
+
+if [[ $1 = "on" ]]
+then
+	printf "turning on...\n"
+	setup_iptables
+	/etc/init.d/redsocks restart
+fi
+
+if [[ $1 = "off" ]]
+then
+	printf "turning off...\n"
+	remove_iptables
+	/etc/init.d/redsocks stop
+fi
+