Exit policy reject fails

Josef Stautner hello at veloc1ty.de
Mon Oct 19 21:03:24 UTC 2015

Hello @all,

I have a problem with a reject rule which seems to fail.
Due to a message from WebIron against my exit relay I wanted to block a
subnet. My exit policy looks like this:

ExitPolicy accept *:53        # DNS
ExitPolicy accept *:80        # HTTP
ExitPolicy accept *:8080      # HTTP 2
ExitPolicy accept *:443       # HTTPS
ExitPolicy reject # WebIron report
ExitPolicy reject *:*

After I added the reject rule I reloaded tor and thought the case is
done. But WebIron keeps sending me messages because of "ongoing attacks"
against a host in that subnet. Of course I trusted the reject rule and
ignored them. After the 6th mail I got suspicious and added an iptables
ACCEPT rule in my OUTPUT chain to have a look if there is really a
traffic flow. I just received another mail and checked the packet counter:

Chain OUTPUT (policy ACCEPT 116M packets, 159G bytes)
num   pkts bytes target     prot opt in     out     source              
2      142  8304 ACCEPT     all  --  *      *
        /* WebIron Block check */

There is traffic flowing from my relay IP to the subnet. Can
somebody please give me a hint about what I'm doing wrong?
Link to the relay in case you need more information:

Thanks in advance,


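Tor evaluates ExitPolicy lines from first to last and the first matching line wins, so a reject for a subnet that sits below accept lines for *:80 and *:443 never sees port-80 or port-443 traffic to that subnet. The following evaluator is an added example written for this archive page; it is not part of the original message and not Tor's own code. It re-implements the first-match rule for the simple address:port form used in the post and applies it to the posted ordering and to a corrected one. The subnet 192.0.2.0/24 is a documentation-range placeholder for the subnet the archived message does not show; parse_policy, evaluate, POSTED_POLICY and FIXED_POLICY are names chosen here.

```python
import ipaddress

# Placeholder for the subnet elided from the archived post (RFC 5737 test range).
BLOCKED_SUBNET = "192.0.2.0/24"

# The policy as posted, with the placeholder subnet filled into the reject line.
POSTED_POLICY = [
    "ExitPolicy accept *:53        # DNS",
    "ExitPolicy accept *:80        # HTTP",
    "ExitPolicy accept *:8080      # HTTP 2",
    "ExitPolicy accept *:443       # HTTPS",
    f"ExitPolicy reject {BLOCKED_SUBNET}:*  # WebIron report",
    "ExitPolicy reject *:*",
]

# Corrected ordering: the subnet reject is placed before any accept line.
FIXED_POLICY = [
    f"ExitPolicy reject {BLOCKED_SUBNET}:*  # WebIron report",
    "ExitPolicy accept *:53        # DNS",
    "ExitPolicy accept *:80        # HTTP",
    "ExitPolicy accept *:8080      # HTTP 2",
    "ExitPolicy accept *:443       # HTTPS",
    "ExitPolicy reject *:*",
]


def parse_policy(lines):
    """Parse 'ExitPolicy accept|reject ADDR:PORT' lines into (action, network, (lo, hi)).

    ADDR is '*' or an IP/CIDR; PORT is '*', a single port, or 'lo-hi'. Trailing
    '#' comments are stripped, as torrc allows.
    """
    rules = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "ExitPolicy" or parts[1] not in ("accept", "reject"):
            raise ValueError(f"unparseable rule: {raw!r}")
        action, target = parts[1], parts[2]
        addr, port = target.rsplit(":", 1)
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            port_range = (1, 65535)
        elif "-" in port:
            lo, hi = port.split("-", 1)
            port_range = (int(lo), int(hi))
        else:
            port_range = (int(port), int(port))
        rules.append((action, network, port_range))
    return rules


def evaluate(rules, dst_ip, dst_port):
    """Return 'accept' or 'reject' for a destination using first-match semantics."""
    ip = ipaddress.ip_address(dst_ip)
    for action, network, (lo, hi) in rules:
        # A mismatched address family (v4 address vs v6 network) never matches.
        if network is not None and ip not in network:
            continue
        if not lo <= dst_port <= hi:
            continue
        return action
    # Nothing matched: Tor's default policy for unlisted traffic is reject, and
    # the posted policy ends in 'reject *:*' anyway.
    return "reject"


if __name__ == "__main__":
    posted = parse_policy(POSTED_POLICY)
    fixed = parse_policy(FIXED_POLICY)
    host_in_subnet = "192.0.2.10"  # constructed address inside the placeholder subnet
    for port in (53, 80, 443, 8080, 22):
        print(f"{host_in_subnet}:{port}  posted={evaluate(posted, host_in_subnet, port)}"
              f"  fixed={evaluate(fixed, host_in_subnet, port)}")
```

With the posted ordering, connections to the blocked subnet on ports 53, 80, 8080 and 443 are accepted because those accept lines match first; only other ports reach the subnet reject. Moving the subnet reject above the accept lines makes every port to that subnet reject while leaving the rest of the relay's exit policy unchanged, which is what the iptables packet counter in the post is observing.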