[tor-relays] DDOS mitigation with nftables
Top
s8pn910sokiig0cc76bl2qud at systemli.org
Wed Oct 23 08:40:02 UTC 2024
Hi,
thanks for the replies! I'm gonna answer a few questions.
Regarding Enkidu:
- I use Debian
- `iptables -V` says `-bash: iptables: command not found`
- `ipset -v` says `ipset v7.17, protocol version: 7`
- I'm running Debian but the installation of `ipset` did not install
`iptables`
- I am running the script with root
- Besides, I don't *want* to use `iptables` and `nftables` - so I don't
even want `iptables` to be installed
Regarding boldsuck:
Thanks for the information!
I might try to adapt your example to my situation.
I do not have an exit but two guards.
Regarding Ralph:
- The logs basically keep repeating that `iptables` could not be found.
For example:
```
./rules.sh: line 3: iptables-save: command not found
./rules.sh: line 4: ip6tables-save: command not found
./rules.sh: line 6: iptables: command not found
./rules.sh: line 7: ip6tables: command not found
```
- I don't think my PATH is my problem, since I really don't have (nor
want) `iptables` installed
- I can't lock myself out since I can always access the server directly
without `ssh`. Thanks for the warning though
Regarding tor-relays+tor-relays:
- Interesting that anti-DDoS is now integrated!
- The `iptables-nft` package does not exist on my machine since I run Debian
Kind regards
Top
On 23/10/2024 04:49, tor-relays+tor-relays at queer.cat wrote:
>
>
> On 22/10/24 14:24, Top wrote:
>> Hi all,
>>
>>
>> My tor relays'[1] traffic decreased a lot and I think this *might* be
>> connected to some kind of DDOS attack.
>> So I wanted to use this situation to set up some DDOS protection.
>> For that I stumbled upon Enkidu's tor DDOS mitigation script. [2]
>
> I believe that the mitigations found in the community-maintained
> anti-DDoS scripts, such as limiting the number of open connections from
> a single IP, are now integrated into tor itself.
>
>> However, this script is made for `iptables`, not `nftables`.
>> I use `firewalld` with `nftables` on my system, since this seems to be
>> the new default. [3]
>> I don't really know that much about firewalls, so this situation
>> overwhelms me a bit.
>> In the README of Enkidu's rules it says:
>>
>> > Practically all linux systems come with iptables or more recently
>> with nftables which basically does the same and more. So you won't
>> need to install iptables. Just type iptables -V . If you see a
>> version, you have it. The same with ipset . An ipset -v will do the
>> job. In some rare cases you may not have ipset installed and
>> installing it is as simple as apt-get ipset or yum install ipset or...
>
> You may want to consider installing the iptables-nft package, which
> offers a compatibility layer for iptables on Fedora/CentOS.
>
>>
>> This seems to imply that the script should work fine with `nftables`
>> as well.
>> This is also what Enkidu seems to state in a relevant gitlab issue: [4]
>>
>> > nftables interprets all the iptables rules just fine so the
>> provided scripts will work regardless of which one you have.
>>
>> But it's not true!
>> The script failed on my server, complaining that the `iptables`
>> command couldn't be found (and no rules had been applied).
>>
>> So how can I apply proper DDOS protection firewall rules whilst using
>> `nftables`?
>> Is there some easy way to modify the script to make it work?
>>
>>
>> Kind regards
>> Top
>>
>>
>> [1]: https://metrics.torproject.org/rs.html#search/toptor
>> [2]: https://github.com/Enkidu-6/tor-ddos
>> [3]: https://wiki.debian.org/nftables
>> [4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
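A minimal nftables counterpart to the per-source connection limiting that Enkidu's iptables script (and, per the reply above, tor itself) applies; this is an added example written for this thread, not code from Enkidu's tor-ddos project or from anyone in the thread. It assumes ORPorts 9001 and 443, a table named `tor_ddos`, and illustrative thresholds (8 concurrent connections and 20 new connections per minute per source address) that you would tune against your own relay's normal connection counts before relying on them.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread or from Enkidu's tor-ddos project.
# Assumptions: the relay listens on ORPorts 9001 and 443 (replace with yours);
# the thresholds below are illustrative and must be tuned per relay.
# Load with:   nft -f tor-ddos.nft
# Inspect with: nft list table inet tor_ddos   (rule counters show drops)

table inet tor_ddos {
    # ORPorts of the relays on this host.
    set orports {
        type inet_service
        elements = { 9001, 443 }
    }

    # Dynamic sets for per-source concurrent-connection counting.
    # "ct count" requires "flags dynamic"; one set per address family.
    set conn_v4 { type ipv4_addr; flags dynamic; }
    set conn_v6 { type ipv6_addr; flags dynamic; }

    # Dynamic sets for per-source rate limiting of new connections.
    # Entries expire after a minute of silence from that source.
    set rate_v4 { type ipv4_addr; flags dynamic, timeout; timeout 1m; }
    set rate_v6 { type ipv6_addr; flags dynamic, timeout; timeout 1m; }

    chain input {
        # policy accept: only the limits below drop; everything else is
        # left to the host's existing firewall (e.g. firewalld's own table).
        type filter hook input priority filter; policy accept;

        ct state invalid drop
        iif "lo" accept
        ct state established,related accept

        # 1. Concurrent-connection limit: drop a new connection when the
        #    source already holds more than 8 connections to the ORPorts.
        tcp dport @orports ct state new add @conn_v4 { ip saddr ct count over 8 } counter drop
        tcp dport @orports ct state new add @conn_v6 { ip6 saddr ct count over 8 } counter drop

        # 2. Connection-rate limit: drop sources opening more than 20 new
        #    connections per minute (the burst tolerates short spikes).
        tcp dport @orports ct state new add @rate_v4 { ip saddr limit rate over 20/minute burst 20 packets } counter drop
        tcp dport @orports ct state new add @rate_v6 { ip6 saddr limit rate over 20/minute burst 20 packets } counter drop
    }
}
```

Because it is its own table, it sits alongside firewalld's `inet firewalld` table rather than replacing it, and a drop in either table takes effect.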