
Re: TOR on Academic networks (problem)

# DNAT is only accepted in the nat table's PREROUTING and OUTPUT chains, not POSTROUTING;
# the exit's connections originate locally (from tor), so they traverse OUTPUT.
iptables -t nat -A OUTPUT -p tcp -d <ip of journal> --dport 80 -j DNAT \
--to-destination <ip of your webserver>

FreeBSD here, but I'll try something along those lines.

Still, I would also agree that rejecting *:80 would be the best until
this IP-as-authentication issue is resolved.

Since the /etc/hosts approach poisons the DNS for clients, it now seems the better (although not ideal) approach is to allow legitimate DNS lookups, and then just blackhole the traffic. After 15 seconds, the client will give up and pick another node.

In reality, what I should do is just get a new /24 and put all the potentially bad stuff in there. Only problem is it'd be a subassignment since ARIN doesn't do a /24, and that gives people a "higher" place to complain. At least now, there's nobody besides us that folks can fuss at (unless they want to try and whine to our routing peers and get laughed at).

In ~6 months of running an exit, this is the first time this has ever been an issue .. so it hardly seems worth the effort .. but the potential for getting into hot water involving the contracts with publishers means I've got to do something.
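The allow-DNS-then-blackhole approach described above, written out as a pf ruleset for a FreeBSD exit (added example, not code from this thread; the interface name and the 192.0.2.x journal addresses are placeholders, not values from the post):

```pf
# Added example: let the exit resolve names normally, but silently drop its
# own TCP connections to the publisher's web servers, so the remote Tor
# client times out and retries through another exit instead of getting
# an immediate refusal.  Interface and addresses below are placeholders.
ext_if = "em0"
table <journals> const { 192.0.2.10, 192.0.2.11 }

# DNS lookups from the exit are still allowed; only the connection is dropped.
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any port 53

# "block drop" (rather than "block return") sends no RST or ICMP error,
# which is what makes the client wait out its timeout and move on.
block drop out quick on $ext_if proto tcp from ($ext_if) to <journals> port { 80, 443 }

# Everything the exit policy otherwise permits still flows.
pass out on $ext_if
```

Load it with `pfctl -f` and confirm the drops with `pfctl -s rules -v`, which shows per-rule packet counters.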