[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: How to Run High Capacity Tor Relays



On Thu, Aug 26, 2010 at 2:31 PM, Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> [ re: NOTRACK ]
>> Will this remove the ability to do PREROUTING DNAT rules? I know a lot
>> of Tor nodes forward ports and even IPs around.
>>
>> Good suggestion though. Perhaps we should mention both options in the
>> final draft.
>
> Actually, I learned the hard way that if you ACCEPT
> RELATED,ESTABLISHED in your iptables rules, you also need conntrack,
> otherwise your box will accept no data. It should have been obvious in
> retrospect, I guess.

yes, the cost of NOTRACK is high; it bypasses almost all of the
iptables / xtables hooks entirely.

this means you offload to application layer controls, like binding to
a specific IP:port and enforcing accept() rules on rate / origin
network or host as desired.

this also means each and every application you have exposed is
configurable in this manner, and you must do so explicitly for things
bound only to localhost(127.0.0.1) which present a risk when bound to
default all interfaces (0.0.0.0).


> Do you have suggestions on how to rewrite firewall rules without using
> RELATED,ESTABLISHED? ... Also, my secondary goal is
> to slow down port scanning of the machine.

i prefer to do this via IPsec or openvpn udp, since AH/ESP match or
fixed udp port match can divert without connection tracking. then you
control access by network rather than state.

there are other considerations; this would be a fun line of inquiry
for someone with the server horsepower and network capacity..  :)