[tor-relays] DDOS mitigation with nftables

Chris Enkidu-6 tor at wcbsecurity.com
Tue Oct 22 20:25:46 UTC 2024


Hi

What OS?

What is the result when you type iptables -V and ipset -v ?

The script will check the OS and if it doesn't come with ipset installed
by default, it will install it before running any rules and in Ubuntu
and Debian, installing ipset automatically installs iptables as well.

If you get an error even though you have iptables, then there must be
another problem. Are you running the script as root? I'm running the
same script on Almalinux 9+ which comes with nftables and firewalld by
default and with no problem.

Regards,

Enkidu-6

On 10/22/2024 1:24 PM, Top wrote:
> Hi all,
>
>
> My tor relays[1] traffic decreased a lot and I think this *might* be
> connected to some kind of DDOS attack.
> So I wanted to use this situation to set up some DDOS protection.
> For that I stumbled upon Enkidu's tor DDOS mitigation script. [2]
> However, this script is made for `iptables`, not `nftables`.
> I use `firewalld` with `nftables` on my system, since this seems to be
> the new default. [3]
> I don't really know that much about firewalls, so this situation
> overwhelms me a bit.
> In the README of Enkidu's rules it says:
>
> > Practically all linux systems come with iptables or more recently
> > with nftables which basically does the same and more. So you won't
> > need to install iptables. Just type iptables -V . If you see a
> > version, you have it. The same with ipset . An ipset -v will do the
> > job. In some rare cases you may not have ipset installed and
> > installing it is as simple as apt-get ipset or yum install ipset or...
>
> This seems to imply that the script should work fine with `nftables`
> as well.
> This is also what Enkidu seems to state in a relevant gitlab issue: [4]
>
> > nftables interprets all the iptables rules just fine so the provided
> scripts will work regardless of which one you have.
>
> But it's not true!
> The script failed on my server, complaining that the `iptables`
> command couldn't be found (and no rules had been applied).
>
> So how can I apply proper DDOS protection firewall rules whilst using
> `nftables`?
> Is there some easy way to modify the script to make it work?
>
>
> Kind regards
> Top
>
>
> [1]: https://metrics.torproject.org/rs.html#search/toptor
> [2]: https://github.com/Enkidu-6/tor-ddos
> [3]: https://wiki.debian.org/nftables
> [4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
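A preflight check for the three things Enkidu asks about (running as root, `iptables -V`, `ipset -v`), added here as an illustration and not part of the tor-ddos scripts or this thread. The functions take the command output as arguments so they can be exercised with constructed strings; `main` collects the live values from the host, and the `(nf_tables)` / `(legacy)` markers are what current iptables prints to show which backend the `iptables` binary is using.

```shell
#!/bin/sh
# Added example, not from the tor-ddos project. The script in the thread
# calls the `iptables` and `ipset` binaries, so on an nftables host it needs
# the iptables compatibility layer (iptables-nft) in PATH, not just `nft`.

# Classify an `iptables -V` line. Current iptables prints, for example,
# "iptables v1.8.9 (nf_tables)" or "iptables v1.8.7 (legacy)".
iptables_backend() {
    case "$1" in
        "")              echo missing ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Return 0 when the script's assumptions hold: uid 0, iptables present,
# ipset present. Arguments: uid, `iptables -V` output, `ipset -v` output
# (either output may be empty when the command is not installed).
preflight() {
    uid="$1"; ipt="$2"; ips="$3"; ok=0
    [ "$uid" -eq 0 ] || { echo "not root: run the script as root"; ok=1; }
    case "$(iptables_backend "$ipt")" in
        missing)   echo "iptables not in PATH: install the iptables package"; ok=1 ;;
        nf_tables) echo "iptables uses the nf_tables backend; rules land in nftables" ;;
        legacy)    echo "iptables uses the legacy backend (separate from nft rules)" ;;
        *)         echo "unrecognised iptables version string: $ipt" ;;
    esac
    case "$ips" in
        "") echo "ipset not in PATH: install the ipset package"; ok=1 ;;
        *)  echo "ipset found: $ips" ;;
    esac
    return "$ok"
}

# Live run: gather the real values from this host.
main() {
    uid=$(id -u)
    ipt=$(iptables -V 2>/dev/null || true)
    ips=$(ipset -v 2>/dev/null || true)
    preflight "$uid" "$ipt" "$ips"
}

main || echo "preflight failed: fix the items above before running the script"
```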