
I have an SSH tunnel set up (on Linux) and I want to route all my network traffic through it, except that I also have Tor running and I do not want Tor traffic to go through the SSH tunnel. I can route all traffic through the SSH tunnel by using redsocks (I make SSH run a SOCKS proxy, run redsocks, and use an iptables rule to redirect all traffic to redsocks, so all traffic goes through the tunnel).

However I do not know how to have Tor avoid the tunnel and make direct connections... iptables used to have a --pid-owner option which would have been perfect for this but it was removed because it could not be implemented properly.

So, what is the best way to do this, now? (The SSH tunnel approach is fixed: I cannot switch to a different kind of VPN.)

2 Answers

  • Run tor on the same system you're running redsocks on.
  • Make an exception for the tor socks port 9050 on your remote system - put an iptables rule above allowing it, etc.
  • Tell your browser to connect to {remote system IP}:9050 for Tor use instead of localhost.
  • If you are also running privoxy locally, consider running that on the remote system too.

Another thing is to use a different SOCKS proxy that lets you forward certain ports to another local proxy server. I think squid lets you do this.

  • I think that that will allow me to connect to my local Tor service, but when the tor client tries to connect to other Tor nodes, that traffic will be routed through the SSH tunnel, won't it? Because my iptables rule routes all traffic to redsocks. What I want to do is stop that happening, by allowing tor to connect directly to whatever it wants and everything else to go through the ssh tunnel.
    – dgalgarret
    Commented Apr 12, 2018 at 13:25
  • You'll use the Tor on the other end of the SSH tunnel. The only other way is to keep up on the IP address of Tor nodes (really difficult since there are hidden bridges now) and allow them via iptables. Another thing is to simply make your browser use the redsocks proxy.
    – LawrenceC
    Commented Apr 12, 2018 at 13:52

The iptables option is --uid-owner, part of the -m owner match, which may be why you had so much trouble finding it.

A rule like this would work:

-A OUTPUT -m owner --uid-owner 998 -m conntrack --ctstate NEW -j ACCEPT

where 998 is instead tor's UID. And where you adapt it to your existing firewall.
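As an added example (not part of the answer above), this script generates the nat-table rules that combine the redsocks REDIRECT with the --uid-owner exemption, so tor's own connections bypass the tunnel while everything else is redirected. The chain name REDSOCKS, the redsocks listen port, the SSH server address (exempted so the tunnel's own TCP session is not looped back into redsocks) and the tor account name are assumptions; the UID and IP in the usage line are constructed values.

```sh
#!/bin/sh
# Added example: emit iptables-restore input for "everything through redsocks,
# except tor". Chain name REDSOCKS, the local redsocks port and the SSH server
# address are assumptions, not taken from the question or answers.
set -eu

# Print nat-table rules.
#   $1 = tor's numeric UID   $2 = redsocks listen port   $3 = SSH server IP
redsocks_rules() {
    tor_uid=$1; redsocks_port=$2; ssh_server=$3
    cat <<EOF
*nat
:REDSOCKS - [0:0]
# Locally generated TCP is evaluated in REDSOCKS, top to bottom.
-A OUTPUT -p tcp -j REDSOCKS
# Exemption first: the owner match works here because OUTPUT only sees
# packets this host generated, so tor's own connections leave directly.
-A REDSOCKS -m owner --uid-owner $tor_uid -j RETURN
# The SSH session carrying the SOCKS tunnel must not be fed back into redsocks.
-A REDSOCKS -d $ssh_server -p tcp --dport 22 -j RETURN
# Loopback and private ranges are never proxied (tor's 127.0.0.1:9050 included).
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
# Everything else goes to redsocks, which forwards it into the SSH SOCKS proxy.
-A REDSOCKS -p tcp -j REDIRECT --to-ports $redsocks_port
COMMIT
EOF
}

# Look up the tor service account (debian-tor on Debian-derived systems, tor
# elsewhere); the account name is an assumption about the distribution.
tor_uid() {
    id -u debian-tor 2>/dev/null || id -u tor
}

# Sanity check: the --uid-owner RETURN must come before the REDIRECT, otherwise
# tor's traffic is redirected before the exemption is ever reached.
rules_ok() {
    redsocks_rules "$1" "$2" "$3" | awk '
        /--uid-owner/ { owner = NR }
        /-j REDIRECT/ { redir = NR }
        END { exit !(owner && redir && owner < redir) }'
}

# Apply as root (constructed values):
#   redsocks_rules "$(tor_uid)" 12345 203.0.113.5 | iptables-restore --noflush
```

Only TCP is handled, since redsocks itself only proxies TCP; UDP and ICMP from non-tor users still leave directly and need separate handling if that matters to you.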
