[tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?
Toralf Förster
toralf.foerster at gmx.de
Wed Jan 10 21:10:15 UTC 2018
On 01/10/2018 06:39 AM, teor wrote:
> iptables -I INPUT -p tcp --syn ! --dport 22 -m state --state NEW -m recent --set
> iptables -I INPUT -p tcp --syn ! --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 100 -j DROP
What about the following approach:
IPT="/sbin/iptables"

# default policies: drop unsolicited inbound and forwarded traffic, allow outbound
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

# trust already established connections
#
$IPT -A INPUT --match conntrack --ctstate ESTABLISHED -j ACCEPT
$IPT -A INPUT --match conntrack --ctstate RELATED -j ACCEPT
$IPT -A INPUT --match conntrack --ctstate INVALID -j DROP

# Tor
#
# for each Tor port: drop a new SYN when the source IP (/32) already has
# 2 connections open to that port, then accept the remaining traffic to it
for p in 443 80
do
    $IPT -A INPUT -p tcp --syn --destination-port $p --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
    $IPT -A INPUT -p tcp --destination-port $p -j ACCEPT
done
Those rules should not prevent clients behind a NAT from accessing the relay as long as the clients do not come in in parallel.
Objections?
--
Toralf
PGP C4EACDDE 0076E94E
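The NAT remark above depends on how connlimit counts: concurrent connections are grouped by source prefix (here /32, so per IP), the connection being attempted is included in the count, and a connection only stops counting once it leaves conntrack. The model below is an added example, not code from the thread or from iptables; it uses constructed addresses from the documentation ranges (203.0.113.5 as the NAT address, 198.51.100.0/24 for the mask comparison), and it simplifies by removing a connection from the count the moment close() is called, whereas the kernel keeps the conntrack entry until it times out.

```python
"""Model of the iptables connlimit match: concurrent connections counted per source prefix."""
import ipaddress
from collections import defaultdict


class ConnLimit:
    """Simplified model of `-m connlimit --connlimit-above N --connlimit-mask BITS`.

    The check counts the connections already open from the same source prefix
    plus the one being attempted, and the verdict is DROP when that total
    exceeds N. Assumption/simplification: close() removes a connection from the
    count at once; the real match keeps counting it until conntrack expires it.
    """

    def __init__(self, above, mask_bits=32):
        self.above = above
        self.mask_bits = mask_bits
        # prefix (e.g. "203.0.113.5/32") -> set of (source ip, source port) currently open
        self.active = defaultdict(set)

    def _prefix(self, src_ip):
        net = ipaddress.ip_network(f"{src_ip}/{self.mask_bits}", strict=False)
        return str(net)

    def syn(self, src_ip, src_port):
        """Verdict for a new SYN from (src_ip, src_port): 'ACCEPT' or 'DROP'."""
        conns = self.active[self._prefix(src_ip)]
        flow = (src_ip, src_port)
        if flow in conns:
            return "ACCEPT"  # retransmitted SYN of a connection already counted
        if len(conns) + 1 > self.above:
            return "DROP"  # a dropped SYN never becomes a counted connection
        conns.add(flow)
        return "ACCEPT"

    def close(self, src_ip, src_port):
        """Connection torn down: it no longer counts against the limit."""
        self.active[self._prefix(src_ip)].discard((src_ip, src_port))


def nat_clients(parallel, above=2):
    """Three clients behind one NAT address (constructed: 203.0.113.5) reaching the
    relay, either all at the same time or one after another."""
    limiter = ConnLimit(above=above, mask_bits=32)
    verdicts = []
    for port in (40001, 40002, 40003):  # the NAT picks a fresh source port per client
        verdicts.append(limiter.syn("203.0.113.5", port))
        if not parallel:
            limiter.close("203.0.113.5", port)  # previous client is gone before the next arrives
    return verdicts


def neighbouring_hosts(mask_bits, above=2):
    """Three distinct hosts in one /24 (constructed: 198.51.100.0/24): with
    --connlimit-mask 32 each host has its own counter, with 24 they share one."""
    limiter = ConnLimit(above=above, mask_bits=mask_bits)
    return [limiter.syn(f"198.51.100.{host}", 50000) for host in (10, 11, 12)]


if __name__ == "__main__":
    print("NAT, parallel:  ", nat_clients(parallel=True))   # ACCEPT, ACCEPT, DROP
    print("NAT, sequential:", nat_clients(parallel=False))  # all ACCEPT
    print("/24 with mask 32:", neighbouring_hosts(32))      # all ACCEPT
    print("/24 with mask 24:", neighbouring_hosts(24))      # ACCEPT, ACCEPT, DROP
```

The parallel case is the one the sentence above is about: with `--connlimit-above 2 --connlimit-mask 32` the third concurrent connection from the same NAT address is dropped, while clients that connect one after another are all admitted. Widening the mask (24) pools unrelated hosts of a /24 into one counter, which is why the rule above keeps it at 32.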