[tor-relays] DDOS mitigation with nftables
Top
s8pn910sokiig0cc76bl2qud at systemli.org
Tue Oct 22 17:24:29 UTC 2024
Hi all,
My tor relays' [1] traffic decreased a lot and I think this *might* be
connected to some kind of DDOS attack.
So I wanted to use this situation to set up some DDOS protection.
For that I stumbled upon Enkidu's tor DDOS mitigation script. [2]
However, this script is made for `iptables`, not `nftables`.
I use `firewalld` with `nftables` on my system, since this seems to be
the new default. [3]
I don't really know that much about firewalls, so this situation
overwhelms me a bit.
In the README of Enkidu's rules it says:
> Practically all linux systems come with iptables or more recently
> with nftables which basically does the same and more. So you won't need
> to install iptables. Just type iptables -V . If you see a version, you
> have it. The same with ipset . An ipset -v will do the job. In some rare
> cases you may not have ipset installed and installing it is as simple as
> apt-get ipset or yum install ipset or...
This seems to imply that the script should work fine with `nftables` as
well.
This is also what Enkidu seems to state in a relevant gitlab issue: [4]
> nftables interprets all the iptables rules just fine so the provided
> scripts will work regardless of which one you have.
But it's not true!
The script failed on my server, complaining that the `iptables` command
couldn't be found (and no rules had been applied).
So how can I apply proper DDOS protection firewall rules whilst using
`nftables`?
Is there some easy way to modify the script to make it work?
Kind regards
Top
[1]: https://metrics.torproject.org/rs.html#search/toptor
[2]: https://github.com/Enkidu-6/tor-ddos
[3]: https://wiki.debian.org/nftables
[4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093
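As an added illustration of what a native nftables version of the kind of protection asked about above can look like, here is a small ruleset that caps the number of concurrent TCP connections a single source address may hold to a relay's ORPort and DirPort. This is example code written for this page; it is not taken from the original post or from the Enkidu-6/tor-ddos project, and it does not reproduce that script's rules. The port numbers, the table and set names, and the connection cap are assumptions: set them to match your torrc.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the tor-ddos project.
# Assumed values: ORPort 9001, DirPort 9030, at most 8 open
# connections per source address. Adjust to your own torrc.
define ORPORT = 9001
define DIRPORT = 9030
define MAX_CONN = 8

table inet tor_relay_guard {
    # Dynamic sets that nftables fills from the rules below; with
    # "ct count" the per-address counter follows conntrack, so it
    # goes down again as connections close.
    set conn_v4 {
        type ipv4_addr
        flags dynamic
    }
    set conn_v6 {
        type ipv6_addr
        flags dynamic
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # For each new TCP connection to the relay ports, count the
        # source address; once it holds more than MAX_CONN open
        # connections, further connection attempts from it are dropped.
        # "counter" makes the number of dropped packets visible in
        # "nft list table inet tor_relay_guard".
        tcp dport { $ORPORT, $DIRPORT } ct state new add @conn_v4 { ip saddr ct count over $MAX_CONN } counter drop
        tcp dport { $ORPORT, $DIRPORT } ct state new add @conn_v6 { ip6 saddr ct count over $MAX_CONN } counter drop
    }
}
```

Load it with `nft -f <file>` and check the counters with `nft list table inet tor_relay_guard`. Because the chain is in its own table with its own base chain, it is evaluated alongside firewalld's `inet firewalld` table rather than inside it: a drop here wins even though firewalld's policy is accept. firewalld will not persist this table for you, so it has to be reloaded at boot by other means, for example through the nftables service.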