[tor-relays] DDOS mitigation with nftables

Top s8pn910sokiig0cc76bl2qud at systemli.org
Tue Oct 22 17:24:29 UTC 2024


Hi all,


My tor relays[1] traffic decreased a lot and I think this *might* be 
connected to some kind of DDOS attack.
So I wanted to use this situation to set up some DDOS protection.
For that I stumbled upon Enkidus tor DDOS mitigation script. [2]
However, this script is made for `iptables`, not `nftables`.
I use `firewalld` with `nftables` on my system, since this seems to be 
the new default. [3]
I don't really know that much about firewalls, so this situation 
overwhelms me a bit.
In the README of Enkidus rules it says:

 > Practically all linux systems come with iptables or more recently 
with  nftables which basically does the same and more. So you won't need 
to install iptables. Just type iptables -V . If you see a version, you 
have it. The same with ipset . An ipset -v will do the job. In some rare 
cases you may not have ipset installed and installing it is as simple as 
apt-get ipset or yum install ipset or...

This seems to imply that the script should work fine with `nftables` as 
well.
This is also what Enkidu seems to state in a relevant gitlab issue: [4]

 > nftables interprets all the iptables rules just fine so the provided 
scripts will work regardless of which one you have.

But it's not true!
The script failed on my server, complaining that the `iptables` command 
couldn't be found (and no rules had been applied).

So how can I apply proper DDOS protection firewall rules whilst using 
`nftables`?
Is there some easy way to modify the script to make it work?


Kind regards
Top


[1]: https://metrics.torproject.org/rs.html#search/toptor
[2]: https://github.com/Enkidu-6/tor-ddos
[3]: https://wiki.debian.org/nftables
[4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093


More information about the tor-relays mailing list