Tor, short for The Onion Router, is free and open-source software for enabling anonymous communication
Some people say that Tor network is used by people which don’t have access to uncensured infromations in the country where they are. This is true, but … Tor network is used as well by individuals who are using Tor’s ability of anonymous communications and trying to probe/hack your server(s) or other network devices.
To block or not to block ? it’s Your decision.
Tor publish list of IPs on which one all Tor exit nodes are running under url https://check.torproject.org/torbulkexitlist. We will use this data to create ipset setname which will contains all IPs published on url. Next we will use iptables to create rule which will DROP all trafic listed in ipset defined setname. List of Tor’s exit nodes IPs published by Tor project is dynamic, so we will run ipset setname creation daily via cron.
This solution will not only works on router with installed OpenWRT software. It will work on any router or Linux/Unix system with running IPtables and installed ipset utility. I choose to run it on my router as it is my main network device which connects me to Internet.
Prerequirements
To make this script working on OpenWrt, it requires packages wget, ipset, libustream-openssl to be installed:
# opkg update
# opkg install libustream-openssl ipset wget
On other Linux/Unix systems, general requirements is to have installed software packages iptables,ipset and wget.
To clone repository with ipsetbuild source code you will need git, but you don’t have to install it on your router. Clone repository https://github.com/monsoft/ipsetbuild.git on your local workstation and only copy nesesery file to the router.
To clone repository run command:
# git clone https://github.com/monsoft/ipsetbuild.git
Script installation
Create /opt/ipsetbuild directory in your filesystem (in filesystem of my OperWrt /opt directory doesn’t exist ) by running command:
# mkdir -p /opt/ipsetbuild
Copy listbuilder.sh script to /opt/ipsetbuild and setup execution bit on it:
# cp listbuilder.sh /opt/ipsetbuild
# chmod u+x listbuilder.sh
Setup
Add ipset and rule configuration to IPtables firewall by adding below lines to end of /etc/config/firewall file right bofore config include line:
config ipset
option name 'tornodes'
option match 'src_ip'
option storage 'hash'
option enabled '1'
config rule
option src 'wan'
option ipset 'tornodes'
option dest '*'
option target 'DROP'
option name 'DENY-from-TOR-Network'
list proto 'all'
and restart firewall service:
# /etc/init.d/firewall reload
After configuring firewall, run script manually for 1st time:
# /opt/ipsetbuild/listbuilder.sh
It should pull data from Tor webiste and place them into tornodes setname. You can check it by running:
# ipset list tornodes|wc -l
1248
Crontab
I choose to run script once a day at 1AM but You can run it at different time and withh different frequency. Run crontab -e and add line to crontab setup:
0 1 * * * /opt/ipsetbuild/listbuilder.sh
After some time, you can login to your router and check IPtable rule conuter so see if rule blocked any traffic:
# iptables -L -n -v |grep DENY-from-TOR-Network
62 3564 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set tornodes src /* !fw3: DENY-from-TOR-Network */
Since OpenWrt version 22.03 there is not iptables and ipset as both has been replaced by nftables. I uploaded another version of ipsetbuild to GitHub repository called listbuilder_nft.sh.
Installation and configuration is quite similar to iptables version.
Script installation
Follow instruction for iptables version but with using file listbuilder_nft.sh instead of listbuilder.sh.
Setup
Add below lines to /etc/config/firewall :
config ipset
option name 'tornodes'
option match 'src_net'
option storage 'hash'
option enabled '1'
option loadfile '/etc/tornodes.ips'
config rule
option src 'wan'
option ipset 'tornodes'
option dest '*'
option target 'DROP'
option name 'DENY-from-TOR-Network'
list proto 'all'
Create file /etc/tornodes.ips by running touch command:
touch /etc/tornodes.ips
Reload firewall service on OpenWrt:
/etc/init.d/firewall reload
This setup creates nftables set named tornodes with list of IPs stored in file /etc/tornodes.ips.
1st Run
Run script manually to populate /etc/tornodes.ips file and inject its contento into tornodes.
/opt/ipsetbuild/listbuilder_nft.sh
You can check if IPs has been added to set by running command:
nft list set inet fw4 tornodes
and count entries:
nft list set inet fw4 tornodes|grep -o ','|wc -l
Crontab
Setup crontab to run at 1AM each day:
0 1 * * * /opt/ipsetbuild/listbuilder_nft.sh