[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] DDOS mitigation with nftables

To: <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-relays] DDOS mitigation with nftables
From: Ralph Seichter via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 22 Oct 2024 22:59:20 +0200
Cc: Ralph Seichter <ralph@xxxxxxxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 22 Oct 2024 17:19:46 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1729631980; bh=5vtHpxsGM3HIr7qoyvzO25bMUyC1/eQ2DqVEK5UAoCY=; h=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=gkvSR6PEYO7K0nWEnoeXyCzpSRclN3pdpKiVLb897sxSvzuQO0LdRu5yKU8Upcvwv rNK3jop9eoiEsKRbjJSxib1gJLwHywfsL8fkv7fLTZjK/VsJ23WQjksbYB3X0R3AHn Qf247jvSEGQrJOitoBhDmhyGGBXVmjdtLdsszHA6NXg2+yLqBD3mQVUaRR0VvVag8l 0Oxkeds3NPPEp4CRIS4jkMhJdWgwei01T7aSafxVJSfGJYj6Do9cNdWOiN2dQT/hK+ TWfd0Nk+gS8O4cHbjGxRY6X3g4rRT1ij+Otvhdc7TCzPgGoFNDm8wPdFNW6vfIUH5F p763nThqzutKw==
In-reply-to: <c20bc4fe-6eec-48a9-95c5-f69fa7e6c0fe@systemli.org>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <c20bc4fe-6eec-48a9-95c5-f69fa7e6c0fe@systemli.org>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

* Top:

> The script failed on my server, complaining that the `iptables` command
> couldn't be found (and no rules had been applied).

You provided too little information to offer detailed advice. Best not
to interpret error messages if you can post actual logs instead.
Generally speaking, your problems might be related to your PATH variable
content during script execution. You also may find [1] generally useful.

[1] https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

> So how can I apply proper DDOS protection firewall rules whilst using
> `nftables`? Is there some easy way to modify the script to make it
> work?

The question of difficulty depends on your personal knowledge and
skills. Based on your own assessment, meddling with Kernel routing
tables might be beyond your current level of experience. You can
sabotage your server's operation and lock yourself out, so I urge you to
get comfortable with the whole subject in a test environment with backup
console access, before taking on a remote production server.

-Ralph
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] DDOS mitigation with nftables
  - From: Top

Prev by Author: Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
Next by Author: Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
Previous by thread: Re: [tor-relays] DDOS mitigation with nftables
Next by thread: Re: [tor-relays] DDOS mitigation with nftables
Index(es):
- Author
- Thread