[tor-relays] wrong iptables rules? / no inbound traffic in nyx
ax8eaz7z3g
ax8eaz7z3g at protonmail.com
Tue Jan 25 21:54:00 UTC 2022
Hi!
I noticed that after I set up my ip(+6)tables to filter unwanted incoming traffic, all "inbound" and "directory" connections in nyx disappeared; only a lot of "outbound" connections are there.
I am running an exit relay (IPv4+IPv6) on ORPort 443 and DIRPort 80.
Is there someone willing to check my iptables rules? I am starting to lose it...
> My iptables:
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT DROP
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
> -A OUTPUT -o lo -j ACCEPT # allow all outgoing connections
> -A OUTPUT -o eth0 -j ACCEPT
>
> My ip6tables:
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT DROP
> -N ICMPv6_IN
> -N ICMPv6_OUT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
> -A INPUT -p ipv6-icmp -j ICMPv6_IN #pass all icmpv6 related traffic to new chain
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -p ipv6-icmp -j ICMPv6_OUT #pass all icmpv6 related traffic to new chain
> -A OUTPUT -o eth0 -j ACCEPT # allow all outgoing connections
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
> -A ICMPv6_IN -j DROP
> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
> -A ICMPv6_OUT -j DROP
Thank you all for any replies!
Have a nice day.
Bye
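Added example, not part of the message above: a small Python model of the quoted IPv4 INPUT chain that replays a packet through the rules in order and returns the verdict, so one can see what a new inbound TCP connection to 443 or 80 would hit before looking elsewhere. The rule text is copied from the post; the `Packet` fields and function names are assumptions, only the matches those rules use are modelled, and it is no substitute for watching the live counters with `iptables -vnL INPUT` on the relay.

```python
import shlex
from dataclasses import dataclass

# Constructed copy of the IPv4 INPUT chain as pasted in the message (comments stripped).
INPUT_RULES = """
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""

@dataclass
class Packet:              # assumed minimal packet model for the evaluator
    iface: str             # input interface, e.g. "eth0" or "lo"
    proto: str             # "tcp", "udp", ...
    dport: int             # destination port
    ctstate: str           # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

def parse_input_chain(text):
    """Return (policy, rules) for chain INPUT from `iptables -S` style lines."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = shlex.split(line.split("#", 1)[0])  # drop trailing comments
        if len(tok) > 2 and tok[0] == "-P" and tok[1] == "INPUT":
            policy = tok[2]
        elif len(tok) > 2 and tok[0] == "-A" and tok[1] == "INPUT":
            rule, i = {}, 2
            while i < len(tok):
                if tok[i] != "-m":          # "-m tcp"/"-m conntrack" only load an extension
                    rule[tok[i]] = tok[i + 1]  # option -> value, e.g. "--dport" -> "443"
                i += 2
            rules.append(rule)
    return policy, rules

def input_verdict(pkt, text=INPUT_RULES):
    """First matching rule decides; otherwise the chain policy applies (ACCEPT/DROP only)."""
    policy, rules = parse_input_chain(text)
    for r in rules:
        matches = (
            r.get("-i", pkt.iface) == pkt.iface
            and r.get("-p", pkt.proto) == pkt.proto
            and int(r.get("--dport", pkt.dport)) == pkt.dport
            and pkt.ctstate in r.get("--ctstate", pkt.ctstate).split(",")
        )
        if matches:
            return r["-j"]
    return policy
```

Under this model a NEW TCP packet to 443 or 80 on eth0 is accepted and an unrelated NEW packet (say TCP 9001) falls through to the DROP policy, which is the behaviour the comments in the rule set describe.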