[tor-talk] tor setup on wt3020h with openwrt problem
Michal Zuber
michael at riseup.net
Tue Dec 30 06:36:14 UTC 2014
Did you try disabling the firewall and trying without it?
On 12/29/14 7:45 PM, Oğuz Yarımtepe wrote:
> Hi,
>
> On Mon, Dec 29, 2014 at 9:00 AM, Michal Zuber <michael at riseup.net> wrote:
>
>> Hi,
>> 1. what about the logs?
>>
>
>> 2. I have the following in my iptables.rules to be notified what was
>> blocked
>> -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
>>
>>
> I added this to firewall.user and saw that UDP messages are somehow blocked.
>
> [ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP SPT=48397 DPT=9053 LEN=46
> [ 2550.550000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40926 DF PROTO=UDP SPT=47905 DPT=9053 LEN=50
> [ 2563.880000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=43508 DF PROTO=UDP SPT=37506 DPT=9053 LEN=44
> [ 2574.950000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP SPT=28425 DPT=9053 LEN=50
> [ 2586.200000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=46793 DF PROTO=UDP SPT=37394 DPT=9053 LEN=46
> [ 2598.680000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48473 DF PROTO=UDP SPT=57058 DPT=9053 LEN=44
> [ 2611.290000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=58998 DF PROTO=UDP SPT=58128 DPT=9053 LEN=48
>
>> 3. `netstat -nat |grep :53` or `lsof -i :53` shows listening on port 53 ?
>> (https://www.debian-administration.org/article/184/How_to_find_out_which_process_is_listening_upon_a_port)
>> 4. Did you try host (dig, nslookup) on the router?
>> 5. Does `dig @ROUTER_IP google.com` work?
>> 6. You could also try watching the DNS traffic with `tcpdump -vvv -s 0 -l -n port 53`
>> (http://jontai.me/blog/2011/11/monitoring-dns-queries-with-tcpdump/)
>
>
> route -n was strange
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
>
> netstat -pantu says the ports are right
>
> netstat -pantu
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 192.168.2.1:9040        0.0.0.0:*               LISTEN      734/tor
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      756/uhttpd
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1059/dnsmasq
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      699/dropbear
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      734/tor
> tcp        0    248 192.168.2.1:22          192.168.2.171:44694     ESTABLISHED 1062/dropbear
> tcp        0      0 :::80                   :::*                    LISTEN      756/uhttpd
> tcp        0      0 :::53                   :::*                    LISTEN      1059/dnsmasq
> tcp        0      0 :::22                   :::*                    LISTEN      699/dropbear
> udp        0      0 0.0.0.0:53              0.0.0.0:*                           1059/dnsmasq
> udp        0      0 0.0.0.0:67              0.0.0.0:*                           1059/dnsmasq
> udp        0      0 192.168.2.1:9053        0.0.0.0:*                           734/tor
> udp        0      0 :::546                  :::*                                812/odhcp6c
> udp        0      0 :::547                  :::*                                669/odhcpd
> udp        0      0 :::53                   :::*                                1059/dnsmasq
>
> here is iptables -L
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> delegate_input all -- anywhere anywhere
> LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> delegate_forward all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> delegate_output all -- anywhere anywhere
>
> Chain delegate_forward (1 references)
> target prot opt source destination
> forwarding_rule all -- anywhere anywhere /* user chain for forwarding */
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
> zone_lan_forward all -- anywhere anywhere
> zone_wan_forward all -- anywhere anywhere
> reject all -- anywhere anywhere
>
> Chain delegate_input (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> input_rule all -- anywhere anywhere /* user chain for input */
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
> syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
> zone_lan_input all -- anywhere anywhere
> zone_wan_input all -- anywhere anywhere
>
> Chain delegate_output (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> output_rule all -- anywhere anywhere /* user chain for output */
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
> zone_lan_output all -- anywhere anywhere
> zone_wan_output all -- anywhere anywhere
>
> Chain forwarding_lan_rule (1 references)
> target prot opt source destination
>
> Chain forwarding_rule (1 references)
> target prot opt source destination
>
> Chain forwarding_transtor_rule (1 references)
> target prot opt source destination
>
> Chain forwarding_wan_rule (1 references)
> target prot opt source destination
>
> Chain input_lan_rule (1 references)
> target prot opt source destination
>
> Chain input_rule (1 references)
> target prot opt source destination
>
> Chain input_transtor_rule (1 references)
> target prot opt source destination
>
> Chain input_wan_rule (1 references)
> target prot opt source destination
>
> Chain output_lan_rule (1 references)
> target prot opt source destination
>
> Chain output_rule (1 references)
> target prot opt source destination
>
> Chain output_transtor_rule (1 references)
> target prot opt source destination
>
> Chain output_wan_rule (1 references)
> target prot opt source destination
>
> Chain reject (3 references)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere reject-with tcp-reset
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
> Chain syn_flood (1 references)
> target prot opt source destination
> RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
> DROP all -- anywhere anywhere
>
> Chain zone_lan_dest_ACCEPT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain zone_lan_forward (1 references)
> target prot opt source destination
> forwarding_lan_rule all -- anywhere anywhere /* user chain for forwarding */
> ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
> zone_lan_dest_ACCEPT all -- anywhere anywhere
>
> Chain zone_lan_input (1 references)
> target prot opt source destination
> input_lan_rule all -- anywhere anywhere /* user chain for input */
> ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port redirections */
> zone_lan_src_ACCEPT all -- anywhere anywhere
>
> Chain zone_lan_output (1 references)
> target prot opt source destination
> output_lan_rule all -- anywhere anywhere /* user chain for output */
> zone_lan_dest_ACCEPT all -- anywhere anywhere
>
> Chain zone_lan_src_ACCEPT (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain zone_transtor_dest_ACCEPT (1 references)
> target prot opt source destination
>
> Chain zone_transtor_dest_REJECT (1 references)
> target prot opt source destination
>
> Chain zone_transtor_forward (0 references)
> target prot opt source destination
> forwarding_transtor_rule all -- anywhere anywhere /* user chain for forwarding */
> ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
> zone_transtor_dest_REJECT all -- anywhere anywhere
>
> Chain zone_transtor_input (0 references)
> target prot opt source destination
> input_transtor_rule all -- anywhere anywhere /* user chain for input */
> ACCEPT udp -- anywhere anywhere udp dpt:bootps /* Allow-Tor-DHCP */
> ACCEPT tcp -- anywhere anywhere tcp dpt:9040 /* Allow-Tor-Transparent */
> ACCEPT udp -- anywhere anywhere udp dpt:9053 /* Allow-Tor-DNS */
> ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port redirections */
> zone_transtor_src_REJECT all -- anywhere anywhere
>
> Chain zone_transtor_output (0 references)
> target prot opt source destination
> output_transtor_rule all -- anywhere anywhere /* user chain for output */
> zone_transtor_dest_ACCEPT all -- anywhere anywhere
>
> Chain zone_transtor_src_REJECT (1 references)
> target prot opt source destination
>
> Chain zone_wan_dest_ACCEPT (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain zone_wan_dest_REJECT (1 references)
> target prot opt source destination
> reject all -- anywhere anywhere
>
> Chain zone_wan_forward (1 references)
> target prot opt source destination
> forwarding_wan_rule all -- anywhere anywhere /* user chain for forwarding */
> ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
> zone_wan_dest_REJECT all -- anywhere anywhere
>
> Chain zone_wan_input (1 references)
> target prot opt source destination
> input_wan_rule all -- anywhere anywhere /* user chain for input */
> ACCEPT udp -- anywhere anywhere udp dpt:bootpc /* Allow-DHCP-Renew */
> ACCEPT icmp -- anywhere anywhere icmp echo-request /* Allow-Ping */
> ACCEPT tcp -- anywhere anywhere tcp dpt:https /* @rule[5] */
> ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port redirections */
> zone_wan_src_REJECT all -- anywhere anywhere
>
> Chain zone_wan_output (1 references)
> target prot opt source destination
> output_wan_rule all -- anywhere anywhere /* user chain for output */
> zone_wan_dest_ACCEPT all -- anywhere anywhere
>
> Chain zone_wan_src_REJECT (1 references)
> target prot opt source destination
> reject all -- anywhere anywhere
>
>
> I started to lose the Internet connection for other adsl users. When they
> connected to the normal adsl ssid while the tor router was plugged in, they
> started to lose the connection.
>
> Seems there is a firewall or network problem.
>
> Can anyone figure it out?
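An added example, not from the thread, that parses kernel lines in the format written by the `--log-prefix "iptables denied: "` rule above and tallies them per destination port, naming the listener from the quoted `netstat -pantu`; the sample lines are constructed (two copied from the quoted log, one hypothetical TCP line, one unrelated line).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format written by the thread's LOG rule: two lines
# from the quoted log, one hypothetical TCP line, one unrelated kernel line.
SAMPLE_LOG = """\
[ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP SPT=48397 DPT=9053 LEN=46
[ 2574.950000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP SPT=28425 DPT=9053 LEN=50
[ 2600.000000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=9040 WINDOW=29200 RES=0x00 SYN URGP=0
[ 2601.000000] some unrelated kernel message
"""
# Sockets the router was listening on according to the quoted `netstat -pantu`.
LISTENERS = {("udp", 9053): "tor (DNSPort)", ("tcp", 9040): "tor (TransPort)", ("udp", 53): "dnsmasq"}
LOG_RE = re.compile(r"\[\s*(?P<ts>[\d.]+)\]\s+iptables denied: (?P<rest>.*)")

def parse_log_line(line):
    """Return the netfilter LOG fields of one line as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "flags": []}
    for tok in m.group("rest").split():
        if "=" not in tok:            # bare tokens such as DF or SYN
            rec["flags"].append(tok)
            continue
        key, val = tok.split("=", 1)
        if key == "LEN" and "LEN" in rec:
            key = "L4LEN"             # second LEN is the UDP/TCP length; keep both
        rec[key] = val
    return rec

def summarize(log_text):
    """Count logged packets per (in-iface, proto, dst, dport); collect sources."""
    counts, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec.get("IN", "?"), rec.get("PROTO", "?"), rec.get("DST", "?"), int(rec.get("DPT", 0)))
        counts[key] += 1
        sources[key].add(rec.get("SRC", "?"))
    return counts, sources

def describe(log_text):
    """One line per logged flow, naming the local listener it was aimed at.
    LOG is non-terminating and the thread's INPUT policy is ACCEPT, so a
    logged packet was not necessarily dropped afterwards."""
    counts, sources = summarize(log_text)
    return [f"{iface} {proto}/{dport} -> {dst} [{LISTENERS.get((proto.lower(), dport), 'no known listener')}]: "
            f"{n} packet(s) from {', '.join(sorted(sources[(iface, proto, dst, dport)]))}"
            for (iface, proto, dst, dport), n in sorted(counts.items())]
```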