wrong iptables rules? / no inbound traffic in nyx

Hi! I noticed that after I set up my ip(+6)tables to filter unwanted incoming traffic, all "inbound" and "directory" connections in nyx disappeared; only a lot of "outbound" connections are there. I am running an exit relay (IPv4+IPv6) on ORPort 443 and DIRPort 80. Is there someone willing to check my iptables rules? I am starting to lose it...
My iptables:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
-A OUTPUT -o lo -j ACCEPT # allow all outgoing connections
-A OUTPUT -o eth0 -j ACCEPT
My ip6tables:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N ICMPv6_IN
-N ICMPv6_OUT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
-A INPUT -p ipv6-icmp -j ICMPv6_IN # pass all ICMPv6 traffic to the new chain
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ICMPv6_OUT # pass all ICMPv6 traffic to the new chain
-A OUTPUT -o eth0 -j ACCEPT # allow all outgoing connections
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A ICMPv6_IN -j DROP
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A ICMPv6_OUT -j DROP
Thank you all for any replies! Have a nice day. Bye

On Tuesday, January 25, 2022 10:54:00 PM CET ax8eaz7z3g via tor-relays wrote:
Hi!
I noticed that after I set up my ip(+6)tables to filter unwanted incoming traffic, all "inbound" and "directory" connections in nyx disappeared; only a lot of "outbound" connections are there.
I am running an exit relay (IPv4+IPv6) on ORPort 443 and DIRPort 80.
Is there someone willing to check my iptables rules? I am starting to lose it...
My iptables:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP ?? why block outgoing traffic?
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
-A OUTPUT -o lo -j ACCEPT # allow all outgoing connections
??
-A OUTPUT -o eth0 -j ACCEPT
??
My ip6tables:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP ?? Again, why block outgoing traffic? Don't you trust yourself or your own server ;-)
-N ICMPv6_IN
-N ICMPv6_OUT
??
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
-A INPUT -p ipv6-icmp -j ICMPv6_IN # pass all ICMPv6 traffic to the new chain
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
-A OUTPUT -o lo -j ACCEPT
??
-A OUTPUT -p ipv6-icmp -j ICMPv6_OUT # pass all ICMPv6 traffic to the new chain
??
-A OUTPUT -o eth0 -j ACCEPT # allow all outgoing connections
??
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A ICMPv6_IN -j DROP
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
??
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
??
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
??
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
??
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
??
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
??
-A ICMPv6_OUT -j DROP
??
I just skimmed the rest of the rules. Very confusing in emails. Please use pastebin. All outbound rules are unnecessary and undesirable on Tor relays!
My working example rules: https://github.com/boldsuck/tor-relay-bootstrap/tree/master/etc/iptables
--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!

On Thursday, January 27, 2022 12:13:32 AM CET lists@for-privacy.net wrote:
Oh, I forgot something
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
https://www.ietf.org/rfc/rfc4890.txt
4.3.3. Traffic That Will Be Dropped Anyway -- No Special Attention Needed
Allow these ICMPv6 types only if the hop limit field is 255. (I can never remember the numbers, so I always use ICMPv6 type names.) e.g.:
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
Best not to filter ICMPv6 at all. Or just ratelimit echo-request, maybe also echo-reply.
--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!
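The checks Marco describes (use type names instead of numbers, accept the NDP types 133-136 only with hop limit 255, rate-limit echo-request), as an added Python example that is not part of this thread or of the linked bootstrap rules: it audits the posted ICMPv6_IN chain line by line and emits a corrected rule for each finding. The 10/second rate and the numeric-to-name table are assumptions of the example.

```python
import re

# ip6tables names for the numeric ICMPv6 types used in the thread.
ICMPV6_NAMES = {
    1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
    4: "parameter-problem", 128: "echo-request", 129: "echo-reply",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbor-solicitation", 136: "neighbor-advertisement",
}
NDP_TYPES = {133, 134, 135, 136}  # link-local only: a genuine one arrives with hop limit 255
ECHO_RATE = "10/second"  # assumed rate-limit value; the thread gives no number
TYPE_RE = re.compile(r"--icmpv6-type\s+(\S+)")

def icmpv6_type(rule):
    """Return the numeric ICMPv6 type an ip6tables rule matches, or None."""
    m = TYPE_RE.search(rule)
    token = m.group(1) if m else ""
    if token.isdigit():
        return int(token)
    return next((n for n, name in ICMPV6_NAMES.items() if name == token), None)

def audit(rule):
    """List what an ACCEPT rule lacks per the thread's advice (empty = fine)."""
    t = icmpv6_type(rule)
    if t is None or "-j ACCEPT" not in rule:
        return []
    findings = []
    if t in NDP_TYPES and "--hl-eq 255" not in rule:
        findings.append(f"{ICMPV6_NAMES[t]} accepted without hop-limit 255 check")
    if t == 128 and "-m limit" not in rule:
        findings.append("echo-request accepted without rate limit")
    return findings

def harden(rule):
    """Rewrite a rule with the type name and the missing hop-limit/rate-limit match."""
    t = icmpv6_type(rule)
    if t is None or "-j ACCEPT" not in rule:
        return rule
    rule = TYPE_RE.sub(f"--icmpv6-type {ICMPV6_NAMES[t]}", rule)
    if t in NDP_TYPES and "--hl-eq 255" not in rule:
        rule = rule.replace("-j ACCEPT", "-m hl --hl-eq 255 -j ACCEPT")
    if t == 128 and "-m limit" not in rule:
        rule = rule.replace("-j ACCEPT", f"-m limit --limit {ECHO_RATE} -j ACCEPT")
    return rule

# Constructed sample input: the ICMPv6_IN chain exactly as posted in the thread.
POSTED_ICMPV6_IN = [
    f"-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT"
    for t in (1, 2, 3, 4, 128, 129, 133, 134, 135, 136)
] + ["-A ICMPv6_IN -j DROP"]
```

Running `audit` over `POSTED_ICMPV6_IN` flags the four NDP rules and the echo-request rule; `harden` turns each into a rule that passes the same audit, ready for `ip6tables-restore`.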