[tor-talk] tor setup on wt3020h with openwrt problem

Michal Zuber michael at riseup.net
Tue Dec 30 06:36:14 UTC 2014


Did you try disabling the firewall and trying without it?

On 12/29/14 7:45 PM, Oğuz Yarımtepe wrote:
> Hi,
>
> On Mon, Dec 29, 2014 at 9:00 AM, Michal Zuber <michael at riseup.net> wrote:
>
>> Hi,
>> 1. what about the logs?
>>
>
>> 2. I have the following in my iptables.rules to be notified what was
>> blocked
>> -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
>>
>>
> I added this to firewall.user and saw that UDP messages are somehow blocked.
>
> [ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP SPT=48397 DPT=9053 LEN=46
> [ 2550.550000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40926 DF PROTO=UDP SPT=47905 DPT=9053 LEN=50
> [ 2563.880000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=43508 DF PROTO=UDP SPT=37506 DPT=9053 LEN=44
> [ 2574.950000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP SPT=28425 DPT=9053 LEN=50
> [ 2586.200000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=46793 DF PROTO=UDP SPT=37394 DPT=9053 LEN=46
> [ 2598.680000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48473 DF PROTO=UDP SPT=57058 DPT=9053 LEN=44
> [ 2611.290000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=58998 DF PROTO=UDP SPT=58128 DPT=9053 LEN=48
>
>> 3. `netstat -nat |grep :53` or `lsof -i :53` shows listening on port 53?
>> (https://www.debian-administration.org/article/184/How_to_find_out_which_process_is_listening_upon_a_port)
>> 4. Did you try host (dig, nslookup) on the router?
>> 5. Does `dig @ROUTER_IP google.com` work?
>> 6. You could also try to watch the DNS traffic with `tcpdump -vvv -s 0 -l -n port 53`
>> (http://jontai.me/blog/2011/11/monitoring-dns-queries-with-tcpdump/)
>
> route -n was strange
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
>
> netstat -pantu says the ports are right
>
>   netstat -pantu
>   Active Internet connections (servers and established)
>   Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>   tcp        0      0 192.168.2.1:9040        0.0.0.0:*               LISTEN      734/tor
>   tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      756/uhttpd
>   tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1059/dnsmasq
>   tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      699/dropbear
>   tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      734/tor
>   tcp        0    248 192.168.2.1:22          192.168.2.171:44694     ESTABLISHED 1062/dropbear
>   tcp        0      0 :::80                   :::*                    LISTEN      756/uhttpd
>   tcp        0      0 :::53                   :::*                    LISTEN      1059/dnsmasq
>   tcp        0      0 :::22                   :::*                    LISTEN      699/dropbear
>   udp        0      0 0.0.0.0:53              0.0.0.0:*                           1059/dnsmasq
>   udp        0      0 0.0.0.0:67              0.0.0.0:*                           1059/dnsmasq
>   udp        0      0 192.168.2.1:9053        0.0.0.0:*                           734/tor
>   udp        0      0 :::546                  :::*                                812/odhcp6c
>   udp        0      0 :::547                  :::*                                669/odhcpd
>   udp        0      0 :::53                   :::*                                1059/dnsmasq
>
> here is iptables -L
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> delegate_input  all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             limit: avg
> 5/min burst 5 LOG level debug prefix "iptables denied: "
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> delegate_forward  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> delegate_output  all  --  anywhere             anywhere
>
> Chain delegate_forward (1 references)
> target     prot opt source               destination
> forwarding_rule  all  --  anywhere             anywhere             /* user
> chain for forwarding */
> ACCEPT     all  --  anywhere             anywhere             ctstate
> RELATED,ESTABLISHED
> zone_lan_forward  all  --  anywhere             anywhere
> zone_wan_forward  all  --  anywhere             anywhere
> reject     all  --  anywhere             anywhere
>
> Chain delegate_input (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> input_rule  all  --  anywhere             anywhere             /* user
> chain for input */
> ACCEPT     all  --  anywhere             anywhere             ctstate
> RELATED,ESTABLISHED
> syn_flood  tcp  --  anywhere             anywhere             tcp
> flags:FIN,SYN,RST,ACK/SYN
> zone_lan_input  all  --  anywhere             anywhere
> zone_wan_input  all  --  anywhere             anywhere
>
> Chain delegate_output (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> output_rule  all  --  anywhere             anywhere             /* user
> chain for output */
> ACCEPT     all  --  anywhere             anywhere             ctstate
> RELATED,ESTABLISHED
> zone_lan_output  all  --  anywhere             anywhere
> zone_wan_output  all  --  anywhere             anywhere
>
> Chain forwarding_lan_rule (1 references)
> target     prot opt source               destination
>
> Chain forwarding_rule (1 references)
> target     prot opt source               destination
>
> Chain forwarding_transtor_rule (1 references)
> target     prot opt source               destination
>
> Chain forwarding_wan_rule (1 references)
> target     prot opt source               destination
>
> Chain input_lan_rule (1 references)
> target     prot opt source               destination
>
> Chain input_rule (1 references)
> target     prot opt source               destination
>
> Chain input_transtor_rule (1 references)
> target     prot opt source               destination
>
> Chain input_wan_rule (1 references)
> target     prot opt source               destination
>
> Chain output_lan_rule (1 references)
> target     prot opt source               destination
>
> Chain output_rule (1 references)
> target     prot opt source               destination
>
> Chain output_transtor_rule (1 references)
> target     prot opt source               destination
>
> Chain output_wan_rule (1 references)
> target     prot opt source               destination
>
> Chain reject (3 references)
> target     prot opt source               destination
> REJECT     tcp  --  anywhere             anywhere             reject-with
> tcp-reset
> REJECT     all  --  anywhere             anywhere             reject-with
> icmp-port-unreachable
>
> Chain syn_flood (1 references)
> target     prot opt source               destination
> RETURN     tcp  --  anywhere             anywhere             tcp
> flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
> DROP       all  --  anywhere             anywhere
>
> Chain zone_lan_dest_ACCEPT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain zone_lan_forward (1 references)
> target     prot opt source               destination
> forwarding_lan_rule  all  --  anywhere             anywhere             /*
> user chain for forwarding */
> ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
> /* Accept port forwards */
> zone_lan_dest_ACCEPT  all  --  anywhere             anywhere
>
> Chain zone_lan_input (1 references)
> target     prot opt source               destination
> input_lan_rule  all  --  anywhere             anywhere             /* user
> chain for input */
> ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
> /* Accept port redirections */
> zone_lan_src_ACCEPT  all  --  anywhere             anywhere
>
> Chain zone_lan_output (1 references)
> target     prot opt source               destination
> output_lan_rule  all  --  anywhere             anywhere             /* user
> chain for output */
> zone_lan_dest_ACCEPT  all  --  anywhere             anywhere
>
> Chain zone_lan_src_ACCEPT (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain zone_transtor_dest_ACCEPT (1 references)
> target     prot opt source               destination
>
> Chain zone_transtor_dest_REJECT (1 references)
> target     prot opt source               destination
>
> Chain zone_transtor_forward (0 references)
> target     prot opt source               destination
> forwarding_transtor_rule  all  --  anywhere
> anywhere             /* user chain for forwarding */
> ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
> /* Accept port forwards */
> zone_transtor_dest_REJECT  all  --  anywhere
> anywhere
>
> Chain zone_transtor_input (0 references)
> target     prot opt source               destination
> input_transtor_rule  all  --  anywhere             anywhere             /*
> user chain for input */
> ACCEPT     udp  --  anywhere             anywhere             udp
> dpt:bootps /* Allow-Tor-DHCP */
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9040
> /* Allow-Tor-Transparent */
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:9053
> /* Allow-Tor-DNS */
> ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
> /* Accept port redirections */
> zone_transtor_src_REJECT  all  --  anywhere             anywhere
>
> Chain zone_transtor_output (0 references)
> target     prot opt source               destination
> output_transtor_rule  all  --  anywhere             anywhere             /*
> user chain for output */
> zone_transtor_dest_ACCEPT  all  --  anywhere
> anywhere
>
> Chain zone_transtor_src_REJECT (1 references)
> target     prot opt source               destination
>
> Chain zone_wan_dest_ACCEPT (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain zone_wan_dest_REJECT (1 references)
> target     prot opt source               destination
> reject     all  --  anywhere             anywhere
>
> Chain zone_wan_forward (1 references)
> target     prot opt source               destination
> forwarding_wan_rule  all  --  anywhere             anywhere             /*
> user chain for forwarding */
> ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
> /* Accept port forwards */
> zone_wan_dest_REJECT  all  --  anywhere             anywhere
>
> Chain zone_wan_input (1 references)
> target     prot opt source               destination
> input_wan_rule  all  --  anywhere             anywhere             /* user
> chain for input */
> ACCEPT     udp  --  anywhere             anywhere             udp
> dpt:bootpc /* Allow-DHCP-Renew */
> ACCEPT     icmp --  anywhere             anywhere             icmp
> echo-request /* Allow-Ping */
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
> /* @rule[5] */
> ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
> /* Accept port redirections */
> zone_wan_src_REJECT  all  --  anywhere             anywhere
>
> Chain zone_wan_output (1 references)
> target     prot opt source               destination
> output_wan_rule  all  --  anywhere             anywhere             /* user
> chain for output */
> zone_wan_dest_ACCEPT  all  --  anywhere             anywhere
>
> Chain zone_wan_src_REJECT (1 references)
> target     prot opt source               destination
> reject     all  --  anywhere             anywhere
>
>
> I started to lose my Internet connection, and so did other adsl users. When they
> connected to the normal adsl ssid while the tor router was plugged in, they
> started to lose connection.
>
> Seems there is a firewall or network problem.
>
> Can anyone figure it out?

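The "iptables denied:" lines quoted in the thread can be summarised per flow to see which interface, destination and service port each client is hitting. This is an added example, not code from the thread or from OpenWrt: it parses the kernel LOG format shown in the message (key=value fields after the prefix), uses two of the quoted entries plus one constructed TCP entry as input, and labels ports 9040 and 9053 with the names from the zone_transtor_input rule comments.

```python
import re
from collections import Counter

# Lines 1 and 2 are copied from the thread; line 3 is constructed to show a TCP hit.
SAMPLE_LOG = """\
[ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP SPT=48397 DPT=9053 LEN=46
[ 2574.950000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP SPT=28425 DPT=9053 LEN=50
[ 2600.000000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=9040 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Service names taken from the rule comments in the zone_transtor_input chain.
TOR_PORTS = {("udp", 9053): "Tor DNSPort", ("tcp", 9040): "Tor TransPort"}

PREFIX_RE = re.compile(r"iptables denied: (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one LOG line as a dict, or None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("fields")):
        # LEN appears twice (IP total length, then UDP length): keep the first one.
        fields.setdefault(key, value)
    return fields


def summarise(log_text):
    """Count logged packets per (in_iface, proto, dst, dport) and label known Tor ports."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or "PROTO" not in f:
            continue
        key = (f.get("IN", ""), f["PROTO"].lower(), f.get("DST", ""), int(f.get("DPT", 0)))
        counts[key] += 1
    return {k: {"hits": n, "service": TOR_PORTS.get((k[1], k[3]), "other")}
            for k, n in counts.items()}


if __name__ == "__main__":
    for (iface, proto, dst, dport), info in summarise(SAMPLE_LOG).items():
        print(f"{iface} {proto}/{dport} -> {dst}: {info['hits']} hit(s) [{info['service']}]")
```

Feeding the router's `logread` or `dmesg` output through `summarise` shows at a glance whether the logged packets are the clients' DNS lookups to the Tor DNSPort or something else.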

