[tor-talk] tor setup on wt3020h with openwrt problem
Oğuz Yarımtepe
oguzyarimtepe at gmail.com
Fri Jan 2 22:54:35 UTC 2015
I changed the firewall rules.
/etc/firewall.user
This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
#iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
denied: " --log-level 7
iptables -t nat -A PREROUTING -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT
--to-ports 9053
iptables -t nat -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-j REDIRECT --to-ports 9040
#iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports
9040
/etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward ACCEPT
# Uncomment this line to disable ipv6 rules
option disable_ipv6 1
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name wan
list network 'wan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
option masq 1
option mtu_fix 1
config zone
option name transtor
option input ACCEPT
option output ACCEPT
option forward ACCEPT
#option syn_flood 1
option conntrack 1 #this setting is mandatory
# Allow Transparent clients the ability to DHCP an address
# XXX TODO: Audit this to ensure it doesn't leak UDP port 67 to the net!
config rule
option name 'Allow-Tor-DHCP'
option src transtor
option proto udp
option dest_port 67
option target ACCEPT
# Tor transparent-proxy-port (set in /etc/tor/torrc)
config rule
option name 'Allow-Tor-Transparent'
option src transtor
option proto tcp
option dest_port 9040
option target ACCEPT
# Tor DNS-proxy-port (set in /etc/tor/torrc)
config rule
option name 'Allow-Tor-DNS'
option src transtor
option proto udp
option dest_port 9053
option target ACCEPT
#config rule
# option name 'Allow-DHCP-Renew'
# option src 'transtor'
# option proto 'wan'
# option dest_port '68'
# option target 'ACCEPT'
# option family 'ipv4'
config forwarding
option src wan
option dst lan
config include
option path '/etc/firewall.user'
netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address
State PID/Program name
tcp 0 0 192.168.2.1:9040 0.0.0.0:*
LISTEN 883/tor
tcp 0 0 127.0.0.1:9040 0.0.0.0:*
LISTEN 883/tor
tcp 0 0 0.0.0.0:80 0.0.0.0:*
LISTEN 911/uhttpd
tcp 0 0 0.0.0.0:53 0.0.0.0:*
LISTEN 1016/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:*
LISTEN 700/dropbear
tcp 0 0 192.168.2.1:9050 0.0.0.0:*
LISTEN 883/tor
tcp 0 0 192.168.2.1:9040 192.168.2.171:39140
ESTABLISHED 883/tor
tcp 0 0 192.168.1.104:56891 216.17.99.144:9001
ESTABLISHED 883/tor
tcp 0 0 192.168.2.1:9040 192.168.2.171:33555
ESTABLISHED 883/tor
tcp 0 0 192.168.1.104:55734 171.25.193.9:80
TIME_WAIT -
tcp 0 0 192.168.2.1:22 192.168.2.171:38308
ESTABLISHED 1147/dropbear
tcp 0 0 192.168.2.1:9040 192.168.2.171:53402
ESTABLISHED 883/tor
tcp 0 0 192.168.2.1:9040 192.168.2.171:39141
ESTABLISHED 883/tor
tcp 0 0 192.168.1.104:54953 154.35.32.5:443
TIME_WAIT -
tcp 0 0 192.168.1.104:51428 86.59.119.83:443
ESTABLISHED 883/tor
tcp 0 0 192.168.1.104:48492 37.143.86.26:443
ESTABLISHED 883/tor
tcp 0 0 :::80 :::*
LISTEN 911/uhttpd
tcp 0 0 :::53 :::*
LISTEN 1016/dnsmasq
tcp 0 0 :::22 :::*
LISTEN 700/dropbear
udp 0 0 0.0.0.0:53 0.0.0.0:*
1016/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:*
1016/dnsmasq
udp 0 0 192.168.2.1:9053 0.0.0.0:*
883/tor
udp 0 0 127.0.0.1:9053 0.0.0.0:*
883/tor
udp 0 0 :::546
:::* 764/odhcp6c
udp 0 0 :::547
:::* 674/odhcpd
udp 0 0 :::53
:::* 1016/dnsmasq
When i entered https://check.torproject.org/, it says i am using tor. But
when i entered i http://whatismyipaddress.com/ i still see my ADSL ip not
the one tor check says.
So something is not the way i wishe. I think dns queries are still not
going through tor.
# Generated by iptables-save v1.4.21 on Fri Jan 2 22:51:39 2015
*nat
:PREROUTING ACCEPT [79:16807]
:INPUT ACCEPT [121:11370]
:OUTPUT ACCEPT [87:7496]
:POSTROUTING ACCEPT [6:1420]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_transtor_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_transtor_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_transtor_postrouting - [0:0]
:zone_transtor_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A PREROUTING -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT
--to-ports 9040
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting"
-j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0.2 -j zone_wan_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j
prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0.2 -j zone_wan_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting"
-j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j
prerouting_lan_rule
-A zone_transtor_postrouting -m comment --comment "user chain for
postrouting" -j postrouting_transtor_rule
-A zone_transtor_prerouting -m comment --comment "user chain for
prerouting" -j prerouting_transtor_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting"
-j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j
prerouting_wan_rule
COMMIT
# Completed on Fri Jan 2 22:51:39 2015
# Generated by iptables-save v1.4.21 on Fri Jan 2 22:51:39 2015
*raw
:PREROUTING ACCEPT [8382:5506270]
:OUTPUT ACCEPT [6460:3708106]
:delegate_notrack - [0:0]
:zone_lan_notrack - [0:0]
-A PREROUTING -j delegate_notrack
-A delegate_notrack -i br-lan -j zone_lan_notrack
-A zone_lan_notrack -j CT --notrack
COMMIT
# Completed on Fri Jan 2 22:51:39 2015
# Generated by iptables-save v1.4.21 on Fri Jan 2 22:51:39 2015
*mangle
:PREROUTING ACCEPT [8382:5506270]
:INPUT ACCEPT [8270:5488440]
:FORWARD ACCEPT [46:5444]
:OUTPUT ACCEPT [6460:3708106]
:POSTROUTING ACCEPT [6508:3714206]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment
--comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Jan 2 22:51:39 2015
# Generated by iptables-save v1.4.21 on Fri Jan 2 22:51:39 2015
*filter
:INPUT ACCEPT [251:24620]
:FORWARD ACCEPT [2:120]
:OUTPUT ACCEPT [8:2086]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_transtor_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_transtor_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_transtor_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_transtor_dest_ACCEPT - [0:0]
:zone_transtor_forward - [0:0]
:zone_transtor_input - [0:0]
:zone_transtor_output - [0:0]
:zone_transtor_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j
forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j
output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit
25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j
forwarding_lan_rule
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment
"Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j
input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept
port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j
output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_transtor_forward -m comment --comment "user chain for forwarding"
-j forwarding_transtor_rule
-A zone_transtor_forward -m conntrack --ctstate DNAT -m comment --comment
"Accept port forwards" -j ACCEPT
-A zone_transtor_forward -j zone_transtor_dest_ACCEPT
-A zone_transtor_input -m comment --comment "user chain for input" -j
input_transtor_rule
-A zone_transtor_input -p udp -m udp --dport 67 -m comment --comment
Allow-Tor-DHCP -j ACCEPT
-A zone_transtor_input -p tcp -m tcp --dport 9040 -m comment --comment
Allow-Tor-Transparent -j ACCEPT
-A zone_transtor_input -p udp -m udp --dport 9053 -m comment --comment
Allow-Tor-DNS -j ACCEPT
-A zone_transtor_input -m conntrack --ctstate DNAT -m comment --comment
"Accept port redirections" -j ACCEPT
-A zone_transtor_input -j zone_transtor_src_ACCEPT
-A zone_transtor_output -m comment --comment "user chain for output" -j
output_transtor_rule
-A zone_transtor_output -j zone_transtor_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j
forwarding_wan_rule
-A zone_wan_forward -m comment --comment "forwarding wan -> *" -j ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment
"Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "user chain for input" -j
input_wan_rule
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept
port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "user chain for output" -j
output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth0.2 -j ACCEPT
COMMIT
# Completed on Fri Jan 2 22:51:39 2015
Any idea what should i reject at the firewall rules?
On Tue, Dec 30, 2014 at 8:36 AM, Michal Zuber <michael at riseup.net> wrote:
> Did you try diasbling the firewall and trying without it?
>
>
> On 12/29/14 7:45 PM, Oğuz Yarımtepe wrote:
>
>> Hi,
>>
>> On Mon, Dec 29, 2014 at 9:00 AM, Michal Zuber <michael at riseup.net> wrote:
>>
>> Hi,
>>> 1. what about the logs?
>>>
>>>
>> 2. I have the following in my iptables.rules to be notified what was
>>> blocked
>>> -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
>>> --log-level 7
>>>
>>>
>>> I added this to firewall.user and saw that UDP messages are somehow
>> blocked.
>>
>> [ 2539.100000] iptables denied: IN=wlan0 OUT=
>> MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
>> DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP
>> SPT=48397 DPT=9053 LEN=46
>> [ 2550.550000] iptables denied: IN=wlan0 OUT=
>> MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
>> DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40926 DF PROTO=UDP
>> SPT=47905 DPT=9053 LEN=50
>> [ 2563.880000] iptables denied: IN=wlan0 OUT=
>> MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
>> DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=43508 DF PROTO=UDP
>> SPT=37506 DPT=9053 LEN=44
>> [ 2574.950000] iptables denied: IN=wlan0 OUT=
>> MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148
>> DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP
>> SPT=28425 DPT=9053 LEN=50
>> [ 2586.200000] iptables denied: IN=wlan0 OUT=
>> MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
>> DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=46793 DF PROTO=UDP
>> SPT=37394 DPT=9053 LEN=46
>> [ 2598.680000] iptables denied: IN=wlan0 OUT=
>> MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
>> DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48473 DF PROTO=UDP
>> SPT=57058 DPT=9053 LEN=44
>> [ 2611.290000] iptables denied: IN=wlan0 OUT=
>> MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148
>> DST=192.168.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=58998 DF PROTO=UDP
>> SPT=58128 DPT=9053 LEN=48
>>
>>
>>
>>
>>
>>
>> 3. `netstat -nat |grep :53` or `lsof -i :53` shows listening on port 53
>>> ? (
>>> https://www.debian-administration.org/article/184/How_to_find_out_which_
>>> process_is_listening_upon_a_port)
>>> 4. Did you try host (dig, nslookup) on the router?
>>> 5. Doest `dig @ROUTER_IP google.com` work?
>>> 6. You could also try watch into the DNS traffic with ` tcpdump -vvv -s 0
>>> -l -n port 53` (http://jontai.me/blog/2011/11/monitoring-dns-queries-
>>> with-tcpdump/)
>>>
>>
>>
>> route -n was strange
>>
>> # route -n
>> Kernel IP routing table
>> Destination Gateway Genmask Flags Metric Ref Use
>> Iface
>> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0
>> br-lan
>> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0
>> wlan0
>>
>> netstat -pantu says the ports are right
>>
>> netstat -pantu
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address Foreign Address
>> State PID/Program name
>> tcp 0 0 192.168.2.1:9040 0.0.0.0:*
>> LISTEN 734/tor
>> tcp 0 0 0.0.0.0:80 0.0.0.0:*
>> LISTEN 756/uhttpd
>> tcp 0 0 0.0.0.0:53 0.0.0.0:*
>> LISTEN 1059/dnsmasq
>> tcp 0 0 0.0.0.0:22 0.0.0.0:*
>> LISTEN 699/dropbear
>> tcp 0 0 0.0.0.0:443 0.0.0.0:*
>> LISTEN 734/tor
>> tcp 0 248 192.168.2.1:22 192.168.2.171:44694
>> ESTABLISHED 1062/dropbear
>> tcp 0 0 :::80 :::*
>> LISTEN 756/uhttpd
>> tcp 0 0 :::53 :::*
>> LISTEN 1059/dnsmasq
>> tcp 0 0 :::22 :::*
>> LISTEN 699/dropbear
>> udp 0 0 0.0.0.0:53 0.0.0.0:*
>> 1059/dnsmasq
>> udp 0 0 0.0.0.0:67 0.0.0.0:*
>> 1059/dnsmasq
>> udp 0 0 192.168.2.1:9053 0.0.0.0:*
>> 734/tor
>> udp 0 0 :::546
>> :::* 812/odhcp6c
>> udp 0 0 :::547
>> :::* 669/odhcpd
>> udp 0 0 :::53
>> :::* 1059/dnsmasq
>> ~
>>
>> here is iptables -L
>>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> delegate_input all -- anywhere anywhere
>> LOG all -- anywhere anywhere limit: avg
>> 5/min burst 5 LOG level debug prefix "iptables denied: "
>>
>> Chain FORWARD (policy DROP)
>> target prot opt source destination
>> delegate_forward all -- anywhere anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>> delegate_output all -- anywhere anywhere
>>
>> Chain delegate_forward (1 references)
>> target prot opt source destination
>> forwarding_rule all -- anywhere anywhere /*
>> user
>> chain for forwarding */
>> ACCEPT all -- anywhere anywhere ctstate
>> RELATED,ESTABLISHED
>> zone_lan_forward all -- anywhere anywhere
>> zone_wan_forward all -- anywhere anywhere
>> reject all -- anywhere anywhere
>>
>> Chain delegate_input (1 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>> input_rule all -- anywhere anywhere /* user
>> chain for input */
>> ACCEPT all -- anywhere anywhere ctstate
>> RELATED,ESTABLISHED
>> syn_flood tcp -- anywhere anywhere tcp
>> flags:FIN,SYN,RST,ACK/SYN
>> zone_lan_input all -- anywhere anywhere
>> zone_wan_input all -- anywhere anywhere
>>
>> Chain delegate_output (1 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>> output_rule all -- anywhere anywhere /* user
>> chain for output */
>> ACCEPT all -- anywhere anywhere ctstate
>> RELATED,ESTABLISHED
>> zone_lan_output all -- anywhere anywhere
>> zone_wan_output all -- anywhere anywhere
>>
>> Chain forwarding_lan_rule (1 references)
>> target prot opt source destination
>>
>> Chain forwarding_rule (1 references)
>> target prot opt source destination
>>
>> Chain forwarding_transtor_rule (1 references)
>> target prot opt source destination
>>
>> Chain forwarding_wan_rule (1 references)
>> target prot opt source destination
>>
>> Chain input_lan_rule (1 references)
>> target prot opt source destination
>>
>> Chain input_rule (1 references)
>> target prot opt source destination
>>
>> Chain input_transtor_rule (1 references)
>> target prot opt source destination
>>
>> Chain input_wan_rule (1 references)
>> target prot opt source destination
>>
>> Chain output_lan_rule (1 references)
>> target prot opt source destination
>>
>> Chain output_rule (1 references)
>> target prot opt source destination
>>
>> Chain output_transtor_rule (1 references)
>> target prot opt source destination
>>
>> Chain output_wan_rule (1 references)
>> target prot opt source destination
>>
>> Chain reject (3 references)
>> target prot opt source destination
>> REJECT tcp -- anywhere anywhere reject-with
>> tcp-reset
>> REJECT all -- anywhere anywhere reject-with
>> icmp-port-unreachable
>>
>> Chain syn_flood (1 references)
>> target prot opt source destination
>> RETURN tcp -- anywhere anywhere tcp
>> flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
>> DROP all -- anywhere anywhere
>>
>> Chain zone_lan_dest_ACCEPT (2 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>>
>> Chain zone_lan_forward (1 references)
>> target prot opt source destination
>> forwarding_lan_rule all -- anywhere anywhere /*
>> user chain for forwarding */
>> ACCEPT all -- anywhere anywhere ctstate DNAT
>> /* Accept port forwards */
>> zone_lan_dest_ACCEPT all -- anywhere anywhere
>>
>> Chain zone_lan_input (1 references)
>> target prot opt source destination
>> input_lan_rule all -- anywhere anywhere /* user
>> chain for input */
>> ACCEPT all -- anywhere anywhere ctstate DNAT
>> /* Accept port redirections */
>> zone_lan_src_ACCEPT all -- anywhere anywhere
>>
>> Chain zone_lan_output (1 references)
>> target prot opt source destination
>> output_lan_rule all -- anywhere anywhere /*
>> user
>> chain for output */
>> zone_lan_dest_ACCEPT all -- anywhere anywhere
>>
>> Chain zone_lan_src_ACCEPT (1 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>>
>> Chain zone_transtor_dest_ACCEPT (1 references)
>> target prot opt source destination
>>
>> Chain zone_transtor_dest_REJECT (1 references)
>> target prot opt source destination
>>
>> Chain zone_transtor_forward (0 references)
>> target prot opt source destination
>> forwarding_transtor_rule all -- anywhere
>> anywhere /* user chain for forwarding */
>> ACCEPT all -- anywhere anywhere ctstate DNAT
>> /* Accept port forwards */
>> zone_transtor_dest_REJECT all -- anywhere
>> anywhere
>>
>> Chain zone_transtor_input (0 references)
>> target prot opt source destination
>> input_transtor_rule all -- anywhere anywhere /*
>> user chain for input */
>> ACCEPT udp -- anywhere anywhere udp
>> dpt:bootps /* Allow-Tor-DHCP */
>> ACCEPT tcp -- anywhere anywhere tcp dpt:9040
>> /* Allow-Tor-Transparent */
>> ACCEPT udp -- anywhere anywhere udp dpt:9053
>> /* Allow-Tor-DNS */
>> ACCEPT all -- anywhere anywhere ctstate DNAT
>> /* Accept port redirections */
>> zone_transtor_src_REJECT all -- anywhere anywhere
>>
>> Chain zone_transtor_output (0 references)
>> target prot opt source destination
>> output_transtor_rule all -- anywhere anywhere
>> /*
>> user chain for output */
>> zone_transtor_dest_ACCEPT all -- anywhere
>> anywhere
>>
>> Chain zone_transtor_src_REJECT (1 references)
>> target prot opt source destination
>>
>> Chain zone_wan_dest_ACCEPT (1 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>>
>> Chain zone_wan_dest_REJECT (1 references)
>> target prot opt source destination
>> reject all -- anywhere anywhere
>>
>> Chain zone_wan_forward (1 references)
>> target prot opt source destination
>> forwarding_wan_rule all -- anywhere anywhere /*
>> user chain for forwarding */
>> ACCEPT all -- anywhere anywhere ctstate DNAT
>> /* Accept port forwards */
>> zone_wan_dest_REJECT all -- anywhere anywhere
>>
>> Chain zone_wan_input (1 references)
>> target prot opt source destination
>> input_wan_rule all -- anywhere anywhere /* user
>> chain for input */
>> ACCEPT udp -- anywhere anywhere udp
>> dpt:bootpc /* Allow-DHCP-Renew */
>> ACCEPT icmp -- anywhere anywhere icmp
>> echo-request /* Allow-Ping */
>> ACCEPT tcp -- anywhere anywhere tcp
>> dpt:https
>> /* @rule[5] */
>> ACCEPT all -- anywhere anywhere ctstate DNAT
>> /* Accept port redirections */
>> zone_wan_src_REJECT all -- anywhere anywhere
>>
>> Chain zone_wan_output (1 references)
>> target prot opt source destination
>> output_wan_rule all -- anywhere anywhere /*
>> user
>> chain for output */
>> zone_wan_dest_ACCEPT all -- anywhere anywhere
>>
>> Chain zone_wan_src_REJECT (1 references)
>> target prot opt source destination
>> reject all -- anywhere anywhere
>>
>>
>> I started to lost my Internet connection for other adsl users. When they
>> connected to normal adsl ssid while the tor router is plugged, they
>> started
>> to lost connection.
>>
>> Seems there is a firewall or network problem.
>>
>> Anyone can figure it out?
>>
>
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
--
Oğuz Yarımtepe
http://about.me/oguzy
More information about the tor-talk
mailing list