[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] max TCP interruption before Tor circuit teardown?



On 2013-10-27 12:29:33 (-0700), Gordon Morehouse wrote:
>                                                                                                                                                                                                      
> I've implemented these and I'd really love for anyone who's great at                                                                                                                                 
> iptables to sanity-check my rules[1] because I am an iptables relative                                                                                                                               
> noob.                                                                                                                                                                                                
                                                                                                                                                  
>  5: # TODO: don't know if fail2ban will override this if a host with established                                                                                                                     
>  6: # connections gets temp banned. We don't want it to. Need to find out.                                                                                                                           
                                                                                                                                                                                                       
It depends on the spot fail2ban inserts the new firewall rules. If it's before                                                                                                                         
the '--state ESTABLISHED' rule, then the ban will be enforced. Otherwise, the                                                                                                                          
kernel will let the packets through when they reach that rule.                                                                                    
                                                                                                                                                                                                       
                                                                                                                                                                                                       
> 12: iptables -A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE                                                                                                  
> [...]                                                                                                                                                                                                
> 17: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j LOG                                                                                                                                       
> 18: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j REJECT                                                                                                                                    
                                                                                    
You don't need '-m state --state NEW' in lines 17 and 18 because all packets in
that chain are already known to be new.

I recommend to use always --log-prefix for easy future grepping.


-- 
 David Serrano
 GnuPG id: 280A01F9

Attachment: signature.asc
Description: Digital signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays