[tor-relays] wrong iptables rules? / no inbound traffic in nyx

To: "tor-relays@xxxxxxxxxxxxxxxxxxxx" <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Subject: [tor-relays] wrong iptables rules? / no inbound traffic in nyx

From: ax8eaz7z3g via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Date: Tue, 25 Jan 2022 21:54:00 +0000

Cc: ax8eaz7z3g <ax8eaz7z3g@xxxxxxxxxxxxxx>

Delivery-date: Wed, 26 Jan 2022 05:22:59 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail2; t=1643147640; bh=ZUqsRzcZQsnsvnBNTGrYU/21pGof2BkMhPuHsi+h6YI=; h=Date:To:From:Reply-To:Subject:Message-ID:From:To:Cc; b=Xj4rJJyoxXPBN+9tBsGflnsAJtxzjwKEjeIEdCTy3BDtZqPIRxTNTQWEgWwdkYLnZ uRuxcNnh2rE3Z86Ysc39po5kr6KZskA546LTmqBeW9GvU0A5ReQGBXGUt+ah8ReYKj hjPR41vHFvZPasdis0FYavJpseTvwPqez4W7id+Oh52pMaAl22qnrSdSNjOWEXFqlb BMyHxg11Hgc+d28MqoBsHJoKgI36eo6VocOv132FVnpRjeESWP/md1dVTegImK3Ya1 7Q/aPGDETYJroHOYKJ1AI2jpCEMSSoUqg9MBunMZTT4IQQip3/Sp0hKjHdfDgEYZN1 tVHepxlj0E2Sw==

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi!

I noticed that after I have set up my ip(+6)tables up to filter unwanted incoming traffic all "inbound" and "directory" connections in nyx disappeared, only lot of "outbound" connections are there.

I am running exit relay (IPv4+IPv6) on ORPort 443 and DIRPort 80.

Is there someone willing to check my iptable rules? I am starting to lose it...

My iptables:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
-A OUTPUT -o lo -j ACCEPT # allow all outgoing connections
-A OUTPUT -o eth0 -j ACCEPT

My ip6tables:

-P INPUT DROP

-P FORWARD DROP

-P OUTPUT DROP

-N ICMPv6_IN

-N ICMPv6_OUT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort

-A INPUT -p ipv6-icmp -j ICMPv6_IN #pass all icmpv6 related traffic to new chain

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections

-A OUTPUT -o lo -j ACCEPT

-A OUTPUT -p ipv6-icmp -j ICMPv6_OUT #pass all icmpv6 related traffic to new chain

-A OUTPUT -o eth0 -j ACCEPT # allow all outgoing connections

-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT

-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT

-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT

-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT

-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT

-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT

-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT

-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT

-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT

-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT

-A ICMPv6_IN -j DROP

-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT

-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT

-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT

-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT

-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT

-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT

-A ICMPv6_OUT -j DROP

Thank you all for any replies!

Have a nice day.

Bye

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays