[tor-talk] Tor and firewall output rules
Anton Korec
anton.korec at tritony.org
Thu Jun 28 15:44:25 UTC 2012
Hi,
I'm new to this list, so I apologise if my problem has been solved already.
I'm running a new tor router as a non-exit relay, with ORPort 443 and DirPort 80.
The server is running on Debian stable and the tor version is 0.2.2.35. Tor is running
under the debian-tor user. I have restrictive iptables firewall rules (in both
directions, INPUT and OUTPUT). I do not like fw rules of the type "all outgoing is
allowed". So I set the fw up as found somewhere on the torproject.org wiki, with
"-m owner --uid-owner debian-tor":
IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP
...
...
IPTABLES -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: -d ${MYIP} --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -m owner --uid-owner debian-tor -j ACCEPT
In such a configuration the fw has been dropping large numbers of packets with uid 0
and packets with no uid set. And it seems that there was almost no tor traffic
on the relay. So I changed the OUTPUT rule to:
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -j ACCEPT
and everything worked fine.
I tried to use the 0.2.2.37 and 0.2.3.17-beta precompiled deb packages, and tried to
compile from source downloaded from torproject.org, but the packet dropping was
the same on every version of tor.
The last thing I did was update the fw rules to:
IPTABLES -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: -d ${MYIP} --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -m owner --uid-owner debian-tor -j ACCEPT
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -j ACCEPT
to count the packets traversing each OUTPUT rule (with and without the uid "debian-tor"
set). 22% of all packets (11% of the bytes of that traffic) sent by the tor
relay had the uid not set to "debian-tor".
Why is tor sending packets with uid not set to "debian-tor"?
Regards
Tony
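The counting trick in the post (an owner-matched ACCEPT followed by a plain ACCEPT, then reading the per-rule counters) is easy to automate. The script below is an added example, not part of the original message or of Tor's own tooling: it parses the output of `iptables -L OUTPUT -v -n -x`, and reports what share of the ACCEPTed packets and bytes went through a rule that has no owner match. The sample output embedded in it is constructed (the IP, the uid 109 and the counter values are made up, chosen so that the shares come out at the 22% / 11% the post reports); the exact column text iptables prints for the state and owner matches is assumed from the usual `-v -n` listing format.

```python
"""Parse `iptables -L OUTPUT -v -n -x` counters and report how much ACCEPTed
traffic matched rules that carry no owner match (added example, constructed data)."""
import re
from dataclasses import dataclass

# Constructed sample listing; addresses, uid and counters are made up.
SAMPLE = """\
Chain OUTPUT (policy DROP 1500 packets, 90000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   78000  8900000 ACCEPT     tcp  --  *      eth0    203.0.113.10         0.0.0.0/0            state NEW,ESTABLISHED owner UID match 109
   22000  1100000 ACCEPT     tcp  --  *      eth0    203.0.113.10         0.0.0.0/0            state NEW,ESTABLISHED
    3000   180000 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "OUT-DROP "
"""

POLICY_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    matches: str  # everything after the destination column (state, owner, LOG options ...)

    @property
    def owner_matched(self) -> bool:
        # xt_owner prints "owner UID match <uid>" in the match column
        return "owner UID match" in self.matches


def parse_chain(text):
    """Return ((policy_pkts, policy_bytes), [Rule, ...]) for one chain listing."""
    policy = None
    rules = []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = (int(m.group(3)), int(m.group(4)))
            continue
        # pkts bytes target prot opt in out source destination <match options...>
        cols = line.split(None, 9)
        if len(cols) < 9 or not cols[0].isdigit():
            continue  # column header or blank line
        matches = cols[9] if len(cols) > 9 else ""
        rules.append(Rule(int(cols[0]), int(cols[1]), cols[2], matches))
    return policy, rules


def owner_bypass_share(text):
    """Fraction of ACCEPTed (packets, bytes) that hit an ACCEPT rule without an owner match."""
    _, rules = parse_chain(text)
    accepted = [r for r in rules if r.target == "ACCEPT"]
    total_pkts = sum(r.pkts for r in accepted)
    total_bytes = sum(r.bytes for r in accepted)
    if total_pkts == 0 or total_bytes == 0:
        return 0.0, 0.0
    no_owner_pkts = sum(r.pkts for r in accepted if not r.owner_matched)
    no_owner_bytes = sum(r.bytes for r in accepted if not r.owner_matched)
    return no_owner_pkts / total_pkts, no_owner_bytes / total_bytes


if __name__ == "__main__":
    # On a real relay: iptables -L OUTPUT -v -n -x | python3 this_script.py
    import sys
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    policy, rules = parse_chain(listing)
    print("policy drops:", policy)
    for r in rules:
        flag = "owner" if r.owner_matched else "no-owner"
        print(f"{r.target:8} {r.pkts:>10} pkts {r.bytes:>12} bytes  [{flag}] {r.matches}")
    p, b = owner_bypass_share(listing)
    print(f"accepted without owner match: {p:.1%} of packets, {b:.1%} of bytes")
```

One caveat worth keeping in mind when reading those numbers: the owner match can only classify packets that the kernel associates with a local socket at the moment they are sent, so packets the TCP stack generates on its own (RSTs, retransmissions or final ACKs for sockets the process has already closed, ICMP errors) never carry a uid and will always fall through to the second rule. For that reason the usual defensive layout is to keep the owner match only on the rule that accepts `--state NEW`, and to accept `--state ESTABLISHED,RELATED` without an owner match, rather than a blanket ACCEPT for NEW as well.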