[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-relays] DDOS mitigation with nftables
Hi,
thanks for the replies! I'm gonna answer a few questions.
Regarding Enkidu:
- I use Debian
- `iptables -V` says `-bash: iptables: command not found`
- `ipset -v` says `ipset v7.17, protocol version: 7`
- I'm running Debian but the installation of `ipset` did not install
`iptables`
- I am running the script with root
- Besides, I don't *want* to use `iptables` and `nftables` - so I don't
even want `iptables` to be installed
Regarding boldsuck:
Thanks for the information!
I might try to adapt your example to my situation.
I do not have an exit but two guards.
Regarding Ralph:
- The logs basically keep repeating that `iptables` could not be found.
For example:
```
./rules.sh: line 3: iptables-save: command not found
./rules.sh: line 4: ip6tables-save: command not found
./rules.sh: line 6: iptables: command not found
./rules.sh: line 7: ip6tables: command not found
```
- I don't think my PATH is my problem, since I really don't have (nor
want) `iptables` installed
- I can't lock myself out since I can always access the server directly
without `ssh`. Thanks for the warning though
Regarding tor-relays+tor-relays:
- Interesting that anti-DDoS is now integrated!
- The `iptables-nft` package does not exist on my machine since I run Debian
Kind regards
Top
On 23/10/2024 04:49, tor-relays+tor-relays@xxxxxxxxx wrote:
On 22/10/24 14:24, Top wrote:
Hi all,
My tor relays[1] traffic decreased a lot and I think this *might* be
connected to some kind of DDOS attack.
So I wanted to use this situation to set up some DDOS protection.
For that I stumbled upon Enkidus tor DDOS mitigation script. [2]
I believe that the mitigations found in the community-maintained
anti-DDoS scripts, such as limiting the number of open connections from
a single IP, are now integrated into tor itself.
However, this script is made for `iptables`, not `nftables`.
I use `firewalld` with `nftables` on my system, since this seems to be
the new default. [3]
I don't really know that much about firewalls, so this situation
overwhelms me a bit.
In the README of Enkidus rules it says:
> Practically all linux systems come with iptables or more recently
with nftables which basically does the same and more. So you won't
need to install iptables. Just type iptables -V . If you see a
version, you have it. The same with ipset . An ipset -v will do the
job. In some rare cases you may not have ipset installed and
installing it is as simple as apt-get ipset or yum install ipset or...
You may want to consider installing the iptables-nft package, which
offers a compatibility layer for iptables on Fedora/CentOS.
This seems to imply that the script should work fine with `nftables`
as well.
This is also what Enkidu seems to state in a relevant gitlab issue: [4]
> nftables interprets all the iptables rules just fine so the
provided scripts will work regardless of which one you have.
But it's not true!
The script failed on my server, complaining that the `iptables`
command couldn't be found (and no rules had been applied).
So how can I apply proper DDOS protection firewall rules whilst using
`nftables`?
Is there some easy way to modify the script to make it work?
Kind regards
Top
[1]: https://metrics.torproject.org/rs.html#search/toptor
[2]: https://github.com/Enkidu-6/tor-ddos
[3]: https://wiki.debian.org/nftables
[4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays