<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><font size="-1"><font face="Arial">With Ubuntu, installing ipset
          automatically installs iptables along with it. As others
          mentioned, modern Debian doesn't do that. I've modified the
          script to do that as well in the new version (v7.0.5).<br>
        </font></font></p>
    <p><font size="-1"><font face="Arial">As it is, you have neither
          iptables nor nftables, and since you don't want to install them
          at all, there's no point in running the script. As is
          clearly stated in the README file of the repository, my script
          uses iptables-nft to accomplish the task of mitigating the
          attacks, and it's not something you can accomplish using
          firewalld or UFW, at least not to that extent. The goal of
          those firewalls is to simplify the rules for people who don't
          want to deal with the complexities of iptables/nftables, and in
          doing so they do not offer the more complex features that
          iptables-nft provides.<br>
        </font></font></p>
    <p><font size="-1"><font face="Arial">Regards,</font></font></p>
    <p><font size="-1"><font face="Arial">Enkidu<br>
        </font></font></p>
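    <p><font size="-1"><font face="Arial">The README check quoted further down the thread (`iptables -V`, `ipset -v`) as an added preflight script, not code from the tor-ddos repository or from anyone in this thread: it assumes the Debian package layout discussed here (ipset installable without iptables, iptables-nft provided by the iptables package) and takes its inputs as function arguments so the logic can be checked on a host without iptables.</font></font></p>

```shell
#!/bin/sh
# Added example, not part of the tor-ddos project: a preflight check of the
# kind the README describes (`iptables -V`, `ipset -v`), run before rules.sh,
# that explains which prerequisite is missing instead of failing line by line.

# Classify the output of `iptables -V`: "nft" for the iptables-nft
# compatibility layer (rules land in nftables), "legacy" for classic
# x_tables iptables, "unknown" otherwise (including an empty string).
classify_iptables() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Decide whether the script's prerequisites are met. Arguments: 1 if the
# iptables command exists, 1 if ipset exists, and the `iptables -V` output
# (empty when absent). Prints one line and returns 0 when ready, 1 when not.
preflight() {
    have_iptables="$1"
    have_ipset="$2"
    version="$3"
    if [ "$have_iptables" != 1 ]; then
        echo "not ready: iptables command missing (on Debian the iptables package provides iptables-nft; ipset alone is not enough)"
        return 1
    fi
    if [ "$have_ipset" != 1 ]; then
        echo "not ready: ipset missing (install ipset)"
        return 1
    fi
    case "$(classify_iptables "$version")" in
        nft)    echo "ready: iptables-nft backend, rules will show in 'nft list ruleset'"; return 0 ;;
        legacy) echo "ready: legacy iptables backend, rules will not show in 'nft list ruleset'"; return 0 ;;
        *)      echo "not ready: unrecognised iptables build: $version"; return 1 ;;
    esac
}

# Gather the real values from this host and run the check.
run_live() {
    hi=0; command -v iptables >/dev/null 2>&1 && hi=1
    hs=0; command -v ipset >/dev/null 2>&1 && hs=1
    v=""; [ "$hi" = 1 ] && v="$(iptables -V 2>/dev/null)"
    preflight "$hi" "$hs" "$v"
}
# Run as `sh preflight.sh --live` on the relay to check the real host.
if [ "${1:-}" = "--live" ]; then
    run_live
fi
```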
    <div class="moz-cite-prefix">On 10/23/2024 4:40 AM, Top wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:c1322213-d2e3-43ac-8360-2ee57a53aa9a@systemli.org">Hi,
      <br>
      <br>
      thanks for the replies! I'm gonna answer a few questions.
      <br>
      Regarding Enkidu:
      <br>
      - I use Debian
      <br>
      - `iptables -V` says `-bash: iptables: command not found`
      <br>
      - `ipset -v` says `ipset v7.17, protocol version: 7`
      <br>
      - I'm running Debian but the installation of `ipset` did not
      install `iptables`
      <br>
      - I am running the script with root
      <br>
      - Besides, I don't *want* to use `iptables` and `nftables` - so I
      don't even want `iptables` to be installed
      <br>
      <br>
      Regarding boldsuck:
      <br>
      Thanks for the information!
      <br>
      I might try to adapt your example to my situation.
      <br>
      I do not have an exit but two guards.
      <br>
      <br>
      Regarding Ralph:
      <br>
      - The logs basically keep repeating that `iptables` could not be
      found. For example:
      <br>
      ```
      <br>
      ./rules.sh: line 3: iptables-save: command not found
      <br>
      ./rules.sh: line 4: ip6tables-save: command not found
      <br>
      ./rules.sh: line 6: iptables: command not found
      <br>
      ./rules.sh: line 7: ip6tables: command not found
      <br>
      ```
      <br>
      - I don't think my PATH is my problem, since I really don't have
      (nor want) `iptables` installed
      <br>
      - I can't lock myself out since I can always access the server
      directly without `ssh`. Thanks for the warning though
      <br>
      <br>
      Regarding tor-relays+tor-relays:
      <br>
      - Interesting that anti-DDoS is now integrated!
      <br>
      - The `iptables-nft` package does not exist on my machine since I
      run Debian
      <br>
      <br>
      Kind regards
      <br>
      Top
      <br>
      <br>
      On 23/10/2024 04:49, <a class="moz-txt-link-abbreviated" href="mailto:tor-relays+tor-relays@queer.cat">tor-relays+tor-relays@queer.cat</a> wrote:
      <br>
      <blockquote type="cite">
        <br>
        <br>
        On 22/10/24 14:24, Top wrote:
        <br>
        <blockquote type="cite">Hi all,
          <br>
          <br>
          <br>
          My tor relays[1] traffic decreased a lot and I think this
          *might* be connected to some kind of DDOS attack.
          <br>
          So I wanted to use this situation to set up some DDOS
          protection.
          <br>
          For that I stumbled upon Enkidu's tor DDOS mitigation script.
          [2]
          <br>
        </blockquote>
        <br>
        I believe that the mitigations found in the community-maintained
        anti-DDoS scripts, such as limiting the number of open
        connections from a single IP, are now integrated into tor
        itself.
        <br>
        <br>
        <blockquote type="cite">However, this script is made for
          `iptables`, not `nftables`.
          <br>
          I use `firewalld` with `nftables` on my system, since this
          seems to be the new default. [3]
          <br>
          I don't really know that much about firewalls, so this
          situation overwhelms me a bit.
          <br>
          In the README of Enkidu's rules it says:
          <br>
          <br>
          &gt; Practically all linux systems come with iptables or more
          recently with nftables which basically does the same and
          more. So you won't need to install iptables. Just type
          iptables -V . If you see a version, you have it. The same with
          ipset . An ipset -v will do the job. In some rare cases you
          may not have ipset installed and installing it is as simple as
          apt-get ipset or yum install ipset or...
          <br>
        </blockquote>
        <br>
        You may want to consider installing the iptables-nft package,
        which offers a compatibility layer for iptables on
        Fedora/CentOS.
        <br>
        <br>
        <blockquote type="cite">
          <br>
          This seems to imply that the script should work fine with
          `nftables` as well.
          <br>
          This is also what Enkidu seems to state in a relevant gitlab
          issue: [4]
          <br>
          <br>
          &gt; nftables interprets all the iptables rules just fine so
          the provided scripts will work regardless of which one you
          have.
          <br>
          <br>
          But it's not true!
          <br>
          The script failed on my server, complaining that the
          `iptables` command couldn't be found (and no rules had been
          applied).
          <br>
          <br>
          So how can I apply proper DDOS protection firewall rules
          whilst using `nftables`?
          <br>
          Is there some easy way to modify the script to make it work?
          <br>
          <br>
          <br>
          Kind regards
          <br>
          Top
          <br>
          <br>
          <br>
          [1]: <a class="moz-txt-link-freetext" href="https://metrics.torproject.org/rs.html#search/toptor">https://metrics.torproject.org/rs.html#search/toptor</a>
          <br>
          [2]: <a class="moz-txt-link-freetext" href="https://github.com/Enkidu-6/tor-ddos">https://github.com/Enkidu-6/tor-ddos</a>
          <br>
          [3]: <a class="moz-txt-link-freetext" href="https://wiki.debian.org/nftables">https://wiki.debian.org/nftables</a>
          <br>
          [4]:
          <a class="moz-txt-link-freetext" href="https://gitlab.torproject.org/tpo/community/support/-/issues/40093">https://gitlab.torproject.org/tpo/community/support/-/issues/40093</a>
          <br>
          _______________________________________________
          <br>
          tor-relays mailing list
          <br>
          <a class="moz-txt-link-abbreviated" href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a>
          <br>
<a class="moz-txt-link-freetext" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a>
          <br>
        </blockquote>
        <br>
      </blockquote>
    </blockquote>
  </body>
</html>