[tor-relays] DDOS mitigation with nftables

Top s8pn910sokiig0cc76bl2qud at systemli.org
Wed Oct 23 08:40:02 UTC 2024


Hi,

thanks for the replies! I'm gonna answer a few questions.
Regarding Enkidu:
- I use Debian
- `iptables -V` says `-bash: iptables: command not found`
- `ipset -v` says `ipset v7.17, protocol version: 7`
- I'm running Debian but the installation of `ipset` did not install 
`iptables`
- I am running the script with root
- Besides, I don't *want* to use `iptables` and `nftables` - so I don't 
even want `iptables` to be installed

Regarding boldsuck:
Thanks for the information!
I might try to adapt your example to my situation.
I do not have an exit but two guards.

Regarding Ralph:
- The logs basically keep repeating that `iptables` could not be found. 
For example:
```
./rules.sh: line 3: iptables-save: command not found
./rules.sh: line 4: ip6tables-save: command not found
./rules.sh: line 6: iptables: command not found
./rules.sh: line 7: ip6tables: command not found
```
- I don't think my PATH is my problem, since I really don't have (nor 
want) `iptables` installed
- I can't lock myself out since I can always access the server directly 
without `ssh`. Thanks for the warning though

Regarding tor-relays+tor-relays:
- Interesting that anti-DDoS is now integrated!
- The `iptables-nft` package does not exist on my machine since I run Debian

Kind regards
Top

On 23/10/2024 04:49, tor-relays+tor-relays at queer.cat wrote:
> 
> 
> On 22/10/24 14:24, Top wrote:
>> Hi all,
>>
>>
>> My tor relays' traffic [1] decreased a lot and I think this *might* be 
>> connected to some kind of DDOS attack.
>> So I wanted to use this situation to set up some DDOS protection.
>> For that I stumbled upon Enkidu's tor DDOS mitigation script. [2]
> 
> I believe that the mitigations found in the community-maintained 
> anti-DDoS scripts, such as limiting the number of open connections from 
> a single IP, are now integrated into tor itself.
> 
>> However, this script is made for `iptables`, not `nftables`.
>> I use `firewalld` with `nftables` on my system, since this seems to be 
>> the new default. [3]
>> I don't really know that much about firewalls, so this situation 
>> overwhelms me a bit.
>> In the README of Enkidu's rules it says:
>>
>> > Practically all Linux systems come with iptables or more recently 
>> with nftables which basically does the same and more. So you won't 
>> need to install iptables. Just type iptables -V . If you see a 
>> version, you have it. The same with ipset . An ipset -v will do the 
>> job. In some rare cases you may not have ipset installed and 
>> installing it is as simple as apt-get ipset or yum install ipset or...
> 
> You may want to consider installing the iptables-nft package, which 
> offers a compatibility layer for iptables on Fedora/CentOS.
> 
>>
>> This seems to imply that the script should work fine with `nftables` 
>> as well.
>> This is also what Enkidu seems to state in a relevant gitlab issue: [4]
>>
>> > nftables interprets all the iptables rules just fine so the 
>> provided scripts will work regardless of which one you have.
>>
>> But it's not true!
>> The script failed on my server, complaining that the `iptables` 
>> command couldn't be found (and no rules had been applied).
>>
>> So how can I apply proper DDOS protection firewall rules whilst using 
>> `nftables`?
>> Is there some easy way to modify the script to make it work?
>>
>>
>> Kind regards
>> Top
>>
>>
>> [1]: https://metrics.torproject.org/rs.html#search/toptor
>> [2]: https://github.com/Enkidu-6/tor-ddos
>> [3]: https://wiki.debian.org/nftables
>> [4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
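As an added example (not Enkidu's tor-ddos script and not something posted in this thread), here is a minimal nftables-native ruleset implementing the core mitigation mentioned above: capping the number of concurrent ORPort connections per source address. It assumes the relay's ORPort is 9001 on both IPv4 and IPv6 (the tor default) and that 2 concurrent connections per address is enough for legitimate relay-to-relay traffic; the table and set names are also made up for this example. Adjust all of those to your torrc before use.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; assumptions: ORPort 9001 on IPv4 and IPv6,
# and a cap of 2 concurrent connections per source address.
# Change both to match your relay.

table inet tor_ddos {
    # Dynamic sets hold one element per source address. nftables updates
    # the per-address connection count itself as conntrack entries close,
    # so no external ipset bookkeeping is needed.
    set orport_conns4 {
        type ipv4_addr
        flags dynamic
        size 65536
    }
    set orport_conns6 {
        type ipv6_addr
        flags dynamic
        size 65536
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Drop a *new* ORPort connection when its source address already
        # holds more than 2 tracked connections. The counter lets you see
        # how often the rule fires; everything else falls through to the
        # default accept policy (and to firewalld's own table, if present).
        tcp dport 9001 ct state new \
            add @orport_conns4 { ip saddr ct count over 2 } counter drop

        tcp dport 9001 ct state new \
            add @orport_conns6 { ip6 saddr ct count over 2 } counter drop
    }
}
```

Check the syntax without loading it with `nft -c -f tor-ddos.nft`, then load it with `nft -f tor-ddos.nft`. Because the `inet` family covers IPv4 and IPv6 in one table, there is no separate ip6tables-style duplicate to maintain. firewalld keeps its rules in its own table, so a differently named table coexists with it, but firewalld will not reload this one; on Debian, persisting it means including it from `/etc/nftables.conf` or loading it from a unit of your own. To see which addresses are currently near the cap, run `nft list set inet tor_ddos orport_conns4` (or `orport_conns6`), and `nft list chain inet tor_ddos input` shows the drop counters.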

