[tor-relays] Unbelieveable

Sean Greenslade sean at seangreenslade.com
Sun Dec 6 06:24:19 UTC 2015


> > Check your firewall, and gateway port forwards if the server is
> > behind a NAT. If you're not sure where to start, post the output of
> > "sudo iptables -L"
> > 
> > --Sean
> > 
> I've made several iptables rules and saved them, I thought; however, every
> time I reboot the VPS all my rules are gone.
> ~$ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> 
> but:
>  cat /etc/iptables.rules
> # Generated by iptables-save v1.4.21 on Fri Dec  4 04:30:56 2015
> *raw
> :PREROUTING ACCEPT [2424:210831]
> :OUTPUT ACCEPT [1856:540218]
> COMMIT
> # Completed on Fri Dec  4 04:30:56 2015
> # Generated by iptables-save v1.4.21 on Fri Dec  4 04:30:56 2015
> *nat
> :PREROUTING ACCEPT [229:8057]
> :POSTROUTING ACCEPT [86:5885]
> :OUTPUT ACCEPT [86:5885]
> COMMIT
> # Completed on Fri Dec  4 04:30:56 2015
> # Generated by iptables-save v1.4.21 on Fri Dec  4 04:30:56 2015
> *mangle
> :PREROUTING ACCEPT [2424:210831]
> :INPUT ACCEPT [2424:210831]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1856:540218]
> :POSTROUTING ACCEPT [1856:540218]
> COMMIT
> # Completed on Fri Dec  4 04:30:56 2015
> # Generated by iptables-save v1.4.21 on Fri Dec  4 04:30:56 2015
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [581:184073]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9052 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9051 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -j DROP
> COMMIT
> # Completed on Fri Dec  4 04:30:56 2015
> 
> 
> > 3:/etc/network$ cat interfaces
> > # This configuration file is auto-generated.
> > #
> > # WARNING: Do not edit this file, your changes will be lost.
> > # Please create/edit /etc/network/interfaces.head and
> > # /etc/network/interfaces.tail instead, their contents will be
> > # inserted at the beginning and at the end of this file, respectively.
> > #
> > # NOTE: it is NOT guaranteed that the contents of /etc/network/interfaces.tail
> > # will be at the very end of this file.
> > #
> > 
> > # Auto generated lo interface
> > auto lo
> > iface lo inet loopback
> > 
> > # Auto generated venet0 interface
> > auto venet0
> > iface venet0 inet manual
> >     up ifconfig venet0 up
> >     up ifconfig venet0 127.0.0.2
> >     up route add default dev venet0
> >     down route del default dev venet0
> >     down ifconfig venet0 down
> > 
> > iface venet0 inet6 manual
> >     up route -A inet6 add default dev venet0
> >     down route -A inet6 del default dev venet0
> > 
> > auto venet0:0
> > iface venet0:0 inet static
> >     address 167.114.35.28
> >     netmask 255.255.255.255
> 
> > cat sysctl.conf
> 
> > # Uncomment the next line to enable packet forwarding for IPv4
> > net.ipv4.ip_forward=1
> > 
> > # Uncomment the next line to enable packet forwarding for IPv6
> > #  Enabling this option disables Stateless Address Autoconfiguration
> > #  based on Router Advertisements for this host
> > net.ipv6.conf.all.forwarding=1

iptables doesn't automatically load anything on boot; it starts with a
clean slate. Most distros have a preferred way of loading that save file
on boot, typically a service of some sort. Check your distro's docs for
the specifics.

But before you go enabling the firewall, verify that the tor process is
binding to the ports correctly. Restart the VPS, make sure tor is
running, then run the following:

"sudo lsof | grep LISTEN"

It should output something like this:

> sshd        398       root    3u     IPv4          104876616       0t0 TCP *:ssh (LISTEN)
> sshd        398       root    4u     IPv6          104876623       0t0 TCP *:ssh (LISTEN)
> tor        1129       _tor    6u     IPv4          105943714       0t0 TCP *:https (LISTEN)
> tor        1129       _tor    7u     IPv4          105943715       0t0 TCP *:http (LISTEN)
> tor        1129  1130 _tor    6u     IPv4          105943714       0t0 TCP *:https (LISTEN)
> tor        1129  1130 _tor    7u     IPv4          105943715       0t0 TCP *:http (LISTEN)

Note that I'm using the HTTP(S) ports for my relay; you should see the
ports you have selected for ORPort and DIRPort. Also note the asterisk
indicating that it is listening on all network interfaces. If it only
lists one specific interface, ensure that it is the correct
(internet-facing) interface.

--Sean
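A script form of the check Sean describes, added here as an example and not
part of the thread: it pulls the ORPort/DirPort lines out of a torrc and
compares each port against a listening-socket listing. It assumes numeric
ports, i.e. lsof run as "sudo lsof -nP -iTCP -sTCP:LISTEN" (the -P keeps
port numbers instead of service names such as "https"); the torrc and lsof
lines embedded below are constructed sample data, not output from the
poster's VPS.

```shell
#!/bin/sh
# Added example, not from the thread: check that tor is listening on every
# ORPort/DirPort named in a torrc. Feed it the torrc text and the output of
#   sudo lsof -nP -iTCP -sTCP:LISTEN
# (-P keeps ports numeric, so "*:9001" appears rather than "*:https").

# Print the TCP ports a torrc asks tor to bind, one per line.
# Handles "ORPort 9001", "ORPort 1.2.3.4:9001" and "DirPort 9030";
# commented-out lines are ignored.
torrc_ports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "orport" || tolower($1) == "dirport" {
            port = $2
            sub(/^.*:/, "", port)       # drop an optional address prefix
            if (port ~ /^[0-9]+$/) print port
        }'
}

# Print the address the tor process is listening on for one port
# ("*" means every interface), or "missing" if no tor socket has it.
listen_addr() {
    port=$1
    listing=$2
    addr=$(printf '%s\n' "$listing" | awk -v p="$port" '
        $1 == "tor" && $NF == "(LISTEN)" && $(NF-1) ~ (":" p "$") {
            a = $(NF-1); sub(/:[0-9]+$/, "", a); print a; exit
        }')
    if [ -n "$addr" ]; then
        printf '%s\n' "$addr"
    else
        printf 'missing\n'
    fi
}

# One line per configured port; exit status 1 if any port is not bound.
check_relay_ports() {
    torrc=$1
    listing=$2
    rc=0
    for p in $(torrc_ports "$torrc"); do
        addr=$(listen_addr "$p" "$listing")
        case $addr in
            missing)     echo "port $p: NOT listening"; rc=1 ;;
            '*'|0.0.0.0) echo "port $p: listening on all interfaces" ;;
            *)           echo "port $p: listening only on $addr (make sure that is the public address)" ;;
        esac
    done
    return $rc
}

# Constructed sample input (not real data): a relay whose DirPort is in the
# torrc but not bound, e.g. tor is still running with an older config.
SAMPLE_TORRC='ORPort 9001
DirPort 9030
ControlPort 127.0.0.1:9051
# ORPort 443'

SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 398 root 3u IPv4 104876616 0t0 TCP *:22 (LISTEN)
tor 1129 _tor 6u IPv4 105943714 0t0 TCP *:9001 (LISTEN)
tor 1129 _tor 8u IPv4 105943716 0t0 TCP 127.0.0.1:9051 (LISTEN)'

# Demo run on the sample data; on a real relay use:
#   check_relay_ports "$(cat /etc/tor/torrc)" "$(sudo lsof -nP -iTCP -sTCP:LISTEN)"
if check_relay_ports "$SAMPLE_TORRC" "$SAMPLE_LSOF"; then
    echo "all configured ports are bound"
else
    echo "fix tor's bindings before turning the firewall on"
fi
```

The script deliberately looks only at ORPort and DirPort, the two ports the
rest of the network must reach; a ControlPort bound to 127.0.0.1, as in the
sample, is the normal setup and is not reported.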

