[tor-relays] blocking >1 connections per ip address onto Tor DirPort
I do have the following iptables rules here:
# Tor
#
dirport=80
orport=443
$IPT -A INPUT -p tcp --destination-port $dirport --match conntrack --ctstate NEW --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP
$IPT -A INPUT -p tcp --destination-port $orport --match conntrack --ctstate NEW --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP
which seems to work fine. An
$> ip6tables -nvL
gives
14110 746K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW #conn src/32 > 1
230K 14M DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW #conn src/32 > 1
after a few days, so I would just like to ask here if the rules above are fine or if I overlooked something?
--
Toralf
PGP C4EACDDE 0076E94E