diff --git a/docs/configuration.rst b/docs/configuration.rst
index 1bb2d33..e50a8aa 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -149,31 +149,74 @@ set the ``tub.location`` option described below.
         tub.port = 8098
         tub.location = external-firewall.example.com:7912
 
-    * Run a node behind a Tor proxy (perhaps via ``torsocks``), in client-only
-      mode (i.e. we can make outbound connections, but other nodes will not
-      be able to connect to us). The literal '``unreachable.example.org``' will
-      not resolve, but will serve as a reminder to human observers that this
-      node cannot be reached. "Don't call us.. we'll call you"::
+    * Run a node using Tor as a proxy (perhaps via ``torsocks`` or with
+      ``iptables`` transparent proxying), in client-only mode (i.e. we can make
+      outbound connections, but other nodes will not be able to connect to us).
+      The literal '``unreachable.example.org``' will not resolve, but will
+      serve as a reminder to human observers that this node cannot be reached.
+      "Don't call us.. we'll call you"::
 
         tub.port = 8098
         tub.location = unreachable.example.org:0
 
-    * Run a node behind a Tor proxy, and make the server available as a Tor
-      "hidden service". (This assumes that other clients are running their
-      node with ``torsocks``, such that they are prepared to connect to a
-      ``.onion`` address.) The hidden service must first be configured in
-      Tor, by giving it a local port number and then obtaining a ``.onion``
-      name, using something in the ``torrc`` file like::
+    * Run a node as a Tor Hidden Service, and make the server available only to
+      those connecting through the Tor network. This provides location
+      anonymity for your Tahoe node; usage of Tor's Hidden Service
+      authentication mechanisms may also be relevant.
+      (This assumes that other clients are running their node with
+      ``torsocks``, such that they are prepared to connect to a ``.onion``
+      address.) The hidden service must first be configured in Tor, by giving
+      it a local port number and then obtaining a ``.onion`` name, using
+      something in the ``torrc`` file like::
 
         HiddenServiceDir /var/lib/tor/hidden_services/tahoe
-        HiddenServicePort 29212 127.0.0.1:8098
+        HiddenServicePort 443 127.0.0.1:4443
 
       once Tor is restarted, the ``.onion`` hostname will be in
       ``/var/lib/tor/hidden_services/tahoe/hostname``. Then set up your
       ``tahoe.cfg`` like::
 
-        tub.port = 8098
-        tub.location = ualhejtq2p7ohfbb.onion:29212
+        nickname = ualhejtq2p7ohfbb.onion
+        tub.port = tcp:4443:interface=127.0.0.1
+        tub.location = ualhejtq2p7ohfbb.onion:443
+
+      Here is an example of bash script to load ``iptables`` rules. It will
+      transparently route outgoing TCP connections through Tor:
+
+        #!/bin/bash -x
+        # This is a small script to ensure that the Tahoe-LAFS user always uses
+        # Tor to access the internet (when running as $TAHOEUSER).
+        TAHOEUSER=tahoe-lafs
+        TAHOEPORT=4443
+        TORTRANSPORT=9040
+        DNSPORT=5353
+
+        iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $TAHOEUSER -m \
+                 tcp --syn -d 127.0.0.1 --dport $TAHOEPORT -j ACCEPT
+
+        # The following rules will transparently Torify everything outgoing
+        iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $TAHOEUSER -m \
+                 tcp -j REDIRECT --to-ports $TORTRANSPORT
+
+        iptables -t nat -A OUTPUT -p udp -m owner --uid-owner $TAHOEUSER -m \
+                 udp --dport 53 -j REDIRECT --to-ports $DNSPORT
+
+        # Accept redirected data in the filter chain
+        iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner $TAHOEUSER \
+                 -m tcp --dport $TORTRANSPORT -j ACCEPT
+
+        iptables -t filter -A OUTPUT -p udp -m owner --uid-owner $TAHOEUSER \
+                 -m \ udp --dport 53 -j ACCEPT
+
+        # Drop everything else tahoe does
+        iptables -t filter -A OUTPUT -m owner --uid-owner $TAHOEUSER -j DROP
+
+      Tor must be configured to support ``iptables`` transparent proxying.
+      Ensure Tor is configured with at least the following options:
+
+        TransPort 9040
+        DNSPort 5353
+        AutomapHostsOnResolve 1
 
     Most users will not need to set ``tub.location``.
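Review bot: the last UDP rule in the added iptables script, ``-m \ udp --dport 53 -j ACCEPT``, has a stray backslash in the middle of the line. The shell will pass a literal " udp" (with a leading space) as the match name and the rule will fail to load, so it should read ``-m udp --dport 53 -j ACCEPT``. That same filter rule matches ``--dport 53``, while the TCP filter rule above it matches the redirected port ``$TORTRANSPORT``. Because the nat OUTPUT redirect is applied before the filter OUTPUT chain, the UDP rule probably needs ``--dport $DNSPORT``, otherwise the final DROP catches the redirected DNS queries. Separately, the two new introductory sentences ("...through Tor:" and "...the following options:") end in a single colon, so the script and the torrc options will not render as literal blocks. Use ``::`` as the existing examples in this section do.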