Recently, I read tons of stuff about restricting container networking to Tor only (for both docker and podman), but at the end of the day, the only thing I had was confusion.
Most of the articles and setups I found on the internet were just creating a tor docker image and then exposing port 9050, so that the software in other containers can use it as a proxy (i.e. via the ALL_PROXY environment variable). Some related projects/articles I found (Discourse prevents me from giving links, so I’m giving the keywords to search for on the internet):
- github redoracle/tor-gateaway
- strm.sh restricting-container-networking-to-tor-only
- oneuptime .com - How to Forward Docker Container Traffic Through Tor
- dockurr/tor - Docker Image
But as I said, most of these are just serving a tor proxy, and not restricting the network to Tor-only. Any software that chooses not to respect the proxy environment variable can easily make clearnet connections. So, at this point I thought that maybe I have to make some firewall rules within a network container, and I came across this project:
- GitHub - hardcore-sushi/TorVirt
I haven’t used this one, since I find it quite complex and have some concerns about its reliability. I also don’t possess enough technical knowledge to judge its reliability, but I also don’t have the knowledge to rewrite a new container image with firewall rules etc. (yes I can write one, and yes it can work and show {“IsTor”:true}, but when it comes to “being sure that it is robust”, I lack this kind of technical judgment).
Some stuff that I found in the forum and which could be related (I’m giving the post numbers from the URL):
- Debian-OneVM, AnonOneVM… - 5470
- Torifying a Linux Container with Whonix Gateway Firewall Rules - 243
- Docker Container that builds Whonix Images - 17494
But after being flooded with so much information, I can’t tell which method is the most reliable one.
Also, considering podman’s own networking stuff (pods etc.), what would be the most robust setup for this kind of (rather rootless) networking setup for podman containers? Would it be somehow possible to have a network/pod that I can just plug in to the containers I want to run over Tor, and prevent any leakage?
PS: this setup should also work on arm64 (Raspberry Pi etc.) where having a real Whonix is impossible.
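As an added illustration (not code from the original post or from any of the projects listed in it) of what "firewall rules within a network container" amounts to: a script that generates the nftables ruleset for a Tor gateway container so it can be reviewed before being loaded. It assumes the client containers' network appears as eth1 inside the gateway and is their default route, that Tor runs there as user debian-tor with TransPort 9040 and DNSPort 5353 set in torrc, and that the uplink is the gateway's other interface; all of these are assumptions, and the script applies nothing by itself.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset for a Tor gateway container that
# (a) redirects every TCP connection and DNS query arriving from the client
# network into Tor's TransPort/DNSPort and (b) lets only the Tor process
# itself reach the outside. Assumed, not taken from the post: the client
# network's interface inside the gateway is $1, Tor runs as user $2 with
# TransPort $3 and DNSPort $4. Review the output, then load it with `nft -f`.
gen_torgw_ruleset() {
  ifc="$1" toruser="$2" trans="${3:-9040}" dns="${4:-5353}"
  cat <<EOF
table inet torgw {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    # Client DNS and new TCP connections are handed to Tor, never routed.
    iifname "$ifc" udp dport 53 redirect to :$dns
    iifname "$ifc" tcp flags & (fin|syn|rst|ack) == syn redirect to :$trans
  }
  chain input {
    type filter hook input priority filter; policy drop;
    iifname "lo" accept
    ct state invalid drop
    ct state established,related accept
    # Only the Tor listeners are reachable from the client network;
    # any other protocol (plain UDP, ICMP, ...) from clients is dropped.
    iifname "$ifc" tcp dport $trans accept
    iifname "$ifc" udp dport $dns accept
  }
  chain forward {
    # Nothing is ever forwarded between the client network and the uplink.
    type filter hook forward priority filter; policy drop;
  }
  chain output {
    type filter hook output priority filter; policy drop;
    oifname "lo" accept
    ct state established,related accept
    # Only the Tor daemon may open connections to the clearnet.
    meta skuid "$toruser" accept
  }
}
EOF
}

# Count chains with a default-deny policy; the gateway ruleset has three
# (input, forward, output), so a missing one is an easy thing to check for.
count_drop_policies() { gen_torgw_ruleset "$@" | grep -c 'policy drop'; }

gen_torgw_ruleset "${1:-eth1}" "${2:-debian-tor}" "${3:-9040}" "${4:-5353}"
```

The client containers need no proxy variables at all: anything they send toward the gateway is either redirected into Tor or dropped, which is the property the proxy-only setups above lack.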