On Tuesday, January 25, 2022 10:54:00 PM CET ax8eaz7z3g via tor-relays wrote:
> Hi!
>
> I noticed that after I have set up my ip(+6)tables to filter unwanted
> incoming traffic all "inbound" and "directory" connections in nyx
> disappeared, only a lot of "outbound" connections are there.
>
> I am running an exit relay (IPv4+IPv6) on ORPort 443 and DIRPort 80.
>
> Is there someone willing to check my iptables rules? I am starting to lose
> it...
>
> My iptables:
>
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT DROP

?? why block outgoing traffic?

> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
> -A OUTPUT -o lo -j ACCEPT # allow all outgoing connections

??

> -A OUTPUT -o eth0 -j ACCEPT

??

> My ip6tables:
>
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT DROP

?? Again, why block outgoing traffic? Don't you trust yourself or your own server ;-)

> -N ICMPv6_IN
> -N ICMPv6_OUT

??

> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
> -A INPUT -p ipv6-icmp -j ICMPv6_IN # pass all icmpv6 related traffic to new chain
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
> -A OUTPUT -o lo -j ACCEPT

??

> -A OUTPUT -p ipv6-icmp -j ICMPv6_OUT # pass all icmpv6 related traffic to new chain

??

> -A OUTPUT -o eth0 -j ACCEPT # allow all outgoing connections

??

> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
> -A ICMPv6_IN -j DROP
> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT

??

> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT

??

> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT

??

> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT

??

> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT

??

> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT

??

> -A ICMPv6_OUT -j DROP

??

I just skimmed the rest of the rules. Very confusing in emails. Please use pastebin.

All outbound rules are unnecessary and undesirable on Tor relays!

My working example rules:
https://github.com/boldsuck/tor-relay-bootstrap/tree/master/etc/iptables

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
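As an added example (not the poster's rules and not the rules in the boldsuck repository linked above), a shell function that prints an inbound-only ruleset for the ORPort 443 / DirPort 80 relay from the thread, with the OUTPUT policy left at ACCEPT, plus a check that flags the `-P OUTPUT DROP` mistake in a saved ruleset. Assumed: SSH on port 22 and a single interface; nothing is applied, so it runs unprivileged.

```shell
#!/bin/sh
# Added example; rules are printed, not installed. Pipe the output into
# "sh" as root to apply them. Assumes SSH on 22 and one network interface.

# Emit an inbound-only ruleset for $1 (iptables or ip6tables).
# OUTPUT stays ACCEPT: a relay opens connections to every other relay, and
# an exit to arbitrary destinations, so egress filtering only breaks circuits.
relay_rules() {
  t=$1; orport=${2:-443}; dirport=${3:-80}
  echo "$t -P INPUT DROP"
  echo "$t -P FORWARD DROP"
  echo "$t -P OUTPUT ACCEPT"
  echo "$t -A INPUT -i lo -j ACCEPT"
  # Conntrack rule first: it matches most packets, so the per-port rules
  # below only have to look at NEW connections.
  echo "$t -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  echo "$t -A INPUT -m conntrack --ctstate INVALID -j DROP"
  for p in 22 "$orport" "$dirport"; do
    echo "$t -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  if [ "$t" = ip6tables ]; then
    # Errors, PMTU, ping and neighbor discovery: the same types the poster
    # allows inbound (RFC 4890 "must not drop" set). Dropping 133-136 breaks
    # IPv6 reachability silently.
    for ty in 1 2 3 4 128 129 133 134 135 136; do
      echo "$t -A INPUT -p ipv6-icmp --icmpv6-type $ty -j ACCEPT"
    done
  else
    for ty in destination-unreachable time-exceeded echo-request; do
      echo "$t -A INPUT -p icmp --icmp-type $ty -j ACCEPT"
    done
  fi
}

# Read iptables-save output on stdin; succeed only if egress is unfiltered,
# i.e. the OUTPUT policy is not DROP (the mistake in both rulesets above).
egress_open() {
  ! grep -q '^:OUTPUT DROP'
}
```

Usage: `relay_rules iptables; relay_rules ip6tables` prints both rulesets, and `iptables-save | egress_open || echo "OUTPUT policy is DROP"` audits a running host.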