[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] How to prevent netscan usage?



Am 28.11.2015 um 10:20 schrieb grarpamp:
>> First rule is to use some firewall
> 
> No it is not, do not do this.
> An exit needs to pass the traffic that its exitpolicy says it will pass.
> Otherwise bad things happen with circuit construction and your exit
> gets badmouthed by users possibly to the point of being banned. If
> you can't provide an exitpolicy that works as written, then don't provide it.

Unfortunately, I had to do so. The below firewall rule was active for
approx one month. During this time, exit-traffic did not decrease nor
did I recognise any other negative effect. During this time, I got no
new issues with my ISP. Last week, after some patches I rebooted the
server and forgot to apply the rules again. Within 3 days, my ISP
blocked the server once more because of netscan abuse....

So to say... these rules work. But most probably somebody with more
iptables experience might adjust them to be even more effective AND less
"problematic".


iptables -N ONEW
iptables -A ONEW -o lo -j ACCEPT
iptables -A ONEW -p udp --dport 53 -m limit --limit 2/sec --limit-burst
5 -j ACCEPT
iptables -A ONEW -p udp --dport 80 -m limit --limit 2/sec --limit-burst
5 -j ACCEPT
iptables -A ONEW -m hashlimit --hashlimit-upto 1/second --hashlimit-mode
dstip --hashlimit-dstmask 24 --hashlimit-name ONEW -j ACCEPT
iptables -A ONEW -m limit --limit 1/sec -j LOG --log-prefix "REJECTED: "
iptables -A ONEW -j REJECT --reject-with icmp-admin-prohibited


Thx
Vali

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays