How to Run High Capacity Tor Relays

Mike Perry mikeperry at fscked.org
Thu Aug 26 21:31:30 UTC 2010


Thus spake Mike Perry (mikeperry at fscked.org):

> > > net.netfilter.nf_conntrack_tcp_timeout_established=7200
> > > net.netfilter.nf_conntrack_checksum=0
> > > net.netfilter.nf_conntrack_max=131072
> > > net.netfilter.nf_conntrack_tcp_timeout_syn_sent=15
> > 
> > ^- best to just disable conntrack altogether if you can. -J NOTRACK in
> > the raw table as appropriate.
> > you're going to eat up lots of memory with a decent nf|ip_conntrack_max
> > ( check /proc/sys/net/ipv4/netfilter/ip_conntrack_max , etc )
> 
> Will this remove the ability to do PREROUTING DNAT rules? I know a lot
> of Tor nodes forward ports and even IPs around.
> 
> Good suggestion though. Perhaps we should mention both options in the
> final draft.

Actually, I learned the hard way that if you ACCEPT
RELATED,ESTABLISHED in your iptables rules, you also need conntrack,
otherwise your box will accept no data. It should have been obvious in
retrospect, I guess.

Do you have suggestions on how to rewrite firewall rules without using
RELATED,ESTABLISHED? My primary goal is to prevent access to other
ports, which I believe can be done with:

iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP

However, this obviously doesn't cover udp. Also, my secondary goal is
to slow down port scanning of the machine. I'm guessing a simple SYN
filter rule like this might still allow other scan types to work
without issue. What else can be done to eliminate those?


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
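One way to answer the question in the message above, written here as an added example and not a ruleset from Mike Perry or any Tor project documentation: a fully stateless INPUT policy that never loads conntrack, so there is no RELATED,ESTABLISHED match to depend on. It assumes placeholder ports (ORPort 9001, DirPort 9030, SSH 22), no NAT or DNAT (those do need conntrack, as the thread notes), and reads the host's ephemeral port range from /proc to decide which non-SYN packets can legitimately be replies to connections the relay opened. With IPT unset the rules are only printed.

```shell
#!/bin/sh
# Added example, not from this thread: conntrack-free iptables INPUT policy
# for a Tor relay. Port numbers are placeholders; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
ORPORT="${ORPORT:-9001}"
DIRPORT="${DIRPORT:-9030}"
SSHPORT="${SSHPORT:-22}"

# Local ephemeral port range: replies to connections this host opened land here.
ephemeral_range() {
    range=$(cat /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null || echo "32768 60999")
    set -- $range
    echo "$1:$2"
}

stateless_rules() {
    eph=$(ephemeral_range)

    # 1. Never create conntrack entries (raw table runs before tracking).
    $IPT -t raw -A PREROUTING -j NOTRACK
    $IPT -t raw -A OUTPUT -j NOTRACK

    $IPT -A INPUT -i lo -j ACCEPT

    # 2. Flag combinations no real TCP stack sends. Dropping them silently
    #    means NULL, XMAS, SYN/FIN and FIN-only probes get no RST that would
    #    reveal whether a port is open.
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

    # 3. Services offered: every packet of those connections is accepted.
    $IPT -A INPUT -p tcp --dport "$ORPORT" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$DIRPORT" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSHPORT" -j ACCEPT

    # 4. Any other connection attempt (SYN without ACK) is dropped. This is
    #    the rule from the message, placed after the ACCEPTs for our ports.
    $IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP

    # 5. Non-SYN TCP is only plausible as a reply to a connection this host
    #    opened, so it is accepted solely into the ephemeral range. ACK probes
    #    to any other port fall through to the DROP policy below.
    $IPT -A INPUT -p tcp ! --syn --dport "$eph" -j ACCEPT

    # 6. UDP: Tor needs none inbound. DNS answers (relevant on exits) return
    #    to the ephemeral range from source port 53; all other UDP is dropped.
    $IPT -A INPUT -p udp --sport 53 --dport "$eph" -j ACCEPT
    $IPT -A INPUT -p udp -j DROP

    # 7. Keep path MTU discovery and traceroute working; rate-limit pings.
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # 8. Default policy last, so an SSH session survives the rule load.
    $IPT -P INPUT DROP
}

stateless_rules
```

Two caveats a relay operator should keep in mind. First, a stateless filter cannot tell a genuine ACK from an ACK probe aimed at the ephemeral range, so rule 5 narrows what a scanner can learn rather than hiding the host entirely; only conntrack (or a SYN-proxy) can do better. Second, the ephemeral-range assumption breaks any local program that binds a fixed, non-ephemeral source port for outbound connections, so check `ss -tn` for such sockets before enabling the DROP policy.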