[tor-relays] wrong iptables rules? / no inbound traffic in nyx
lists at for-privacy.net
lists at for-privacy.net
Wed Jan 26 23:13:32 UTC 2022
On Tuesday, January 25, 2022 10:54:00 PM CET ax8eaz7z3g via tor-relays wrote:
> Hi!
>
> I noticed that after I have set up my ip(+6)tables up to filter unwanted
> incoming traffic all "inbound" and "directory" connections in nyx
> disappeared, only lot of "outbound" connections are there.
>
> I am running exit relay (IPv4+IPv6) on ORPort 443 and DIRPort 80.
>
> Is there someone willing to check my iptable rules? I am starting to lose
> it...
> > My iptables:
> > -P INPUT DROP
> >
> >
> > -P FORWARD DROP
> >
> >
> > -P OUTPUT DROP
??
why block outgoing traffic?
> >
> > -A INPUT -i lo -j ACCEPT
> >
> >
> > -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22
> > -j ACCEPT # SSH running there
> >
> >
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to
> > ORPort
> >
> >
> >
> > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to
> > DIRPort
> >
> >
> >
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all
> > already established incoming connections
> >
> >
> > -A OUTPUT -o lo -j ACCEPT # allow all outgoing connections
??
> >
> > -A OUTPUT -o eth0 -j ACCEPT
??
> > My ip6tables:
> >
> >
> > -P INPUT DROP
> >
> >
> > -P FORWARD DROP
> >
> >
> > -P OUTPUT DROP
??
Again, why block outgoing traffic?
Don't you trust yourself or your own server ;-)
> >
> > -N ICMPv6_IN
> >
> >
> > -N ICMPv6_OUT
??
> >
> > -A INPUT -i lo -j ACCEPT
> >
> >
> > -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22
> > -j ACCEPT # SSH running there
> >
> >
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to
> > ORPort
> >
> >
> > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to
> > DIRPort
> >
> >
> > -A INPUT -p ipv6-icmp -j ICMPv6_IN #pass all icmpv6 related traffic to new
> > chain
> >
> >
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all
> > already established incoming connections
> >
> >
> > -A OUTPUT -o lo -j ACCEPT
??
> >
> > -A OUTPUT -p ipv6-icmp -j ICMPv6_OUT #pass all icmpv6 related traffic to
> > new chain
??
> >
> > -A OUTPUT -o eth0 -j ACCEPT # allow all outgoing connections
??
> >
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
> >
> >
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
> >
> >
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
> >
> >
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
> >
> >
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
> >
> >
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
> >
> >
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
> >
> >
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
> >
> >
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
> >
> >
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
> >
> >
> > -A ICMPv6_IN -j DROP
> >
> >
> > -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
??
> >
> > -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
??
> >
> > -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
??
> >
> > -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
??
> >
> > -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
??
> >
> > -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
??
> >
> > -A ICMPv6_OUT -j DROP
??
I just skimmed the rest of the rules. Very confusing in emails. Please use
pastbin. All outbound rules are unnecessary and undesirable on Tor relays!
My working example rules:
https://github.com/boldsuck/tor-relay-bootstrap/tree/master/etc/iptables
--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20220127/31e54d9d/attachment.sig>
More information about the tor-relays
mailing list