[tor-relays] Exit policy reject fails

spiros_spiros at freemail.gr
Mon Oct 19 21:21:06 UTC 2015


Hi Josef, 

I think you must put any reject entries above the accept entries, because the rules are read from top to bottom.

Also, I don't know if this makes any difference at all, but I also put the port in my torrc, like this:

ExitPolicy reject 195.113.0.0/16:* #comment here

S


On 19 Oct 2015, at 22:03, Josef Stautner <hello at veloc1ty.de> wrote:

Hello @all,

I have a problem with a reject rule which seems to fail.
Due to a message from WebIron about my exit relay I wanted to block a
subnet. My exit policy looks like this:

ExitPolicy accept *:53        # DNS
ExitPolicy accept *:80        # HTTP
ExitPolicy accept *:8080      # HTTP 2
ExitPolicy accept *:443       # HTTPS
ExitPolicy reject 5.133.182.0/24 # WebIron report
ExitPolicy reject *:*

After I added the reject rule I reloaded tor and thought the case was
done. But WebIron keeps sending me messages because of "ongoing attacks"
against a host in that subnet. Of course I trusted the reject rule and
ignored them. After the 6th mail I got suspicious and added an iptables
ACCEPT rule in my OUTPUT chain to check whether there really is a
traffic flow. I just received another mail and checked the packet counter:

Chain OUTPUT (policy ACCEPT 116M packets, 159G bytes)
num   pkts bytes target  prot opt in  out  source          destination
2      142  8304 ACCEPT  all  --  *   *    31.220.45.6/32  5.133.182.0/24  /* WebIron Block check */

There is traffic flowing from my relay IP 31.220.45.6 to the subnet. Can
somebody please give me a hint as to what I'm doing wrong?
Link to the relay in case you need more information:
https://atlas.torproject.org/#details/29E3D95332812F81F67FF31B3B1B842683D1C309

Thanks in advance,
~Josef
_______________________________________________
tor-relays mailing list
tor-relays at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
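The behaviour reported above follows from Tor's first-match evaluation of ExitPolicy lines: Tor walks the lines top to bottom and the first line whose address and port both match decides, so with "accept *:80" listed above "reject 5.133.182.0/24", a port-80 connection to that subnet is accepted before the reject line is ever consulted (a missing port, as in Josef's reject line, means ":*"). The following is an added, self-contained toy evaluator written for this page; it is not Tor's code and not code from either poster. It assumes IPv4-only patterns, and the target host 5.133.182.7 and the corrected ordering of the policy are constructed for the illustration. It shows the original policy accepting 5.133.182.7:80 via the "accept *:80" line and the reordered policy rejecting it via the reject line.

```python
import ipaddress

# Toy first-match evaluator for Tor ExitPolicy lines (IPv4 only; an
# illustration written for this page, not Tor's own implementation).


def parse_rule(line):
    """Parse one 'ExitPolicy accept|reject ADDR[:PORT]' line.

    Returns (action, network, port_lo, port_hi), or None for blank and
    comment-only lines. As in Tor, a missing port part is treated as ':*'.
    """
    line = line.split("#", 1)[0].strip()      # drop trailing '#' comments
    if not line:
        return None
    parts = line.split()
    if parts[0] == "ExitPolicy":
        parts = parts[1:]
    if len(parts) != 2 or parts[0] not in ("accept", "reject"):
        raise ValueError(f"unsupported rule: {line!r}")
    action, pattern = parts
    addr, sep, port = pattern.rpartition(":")
    if not sep:                               # no ':PORT' given -> ':*'
        addr, port = pattern, "*"
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr,
                               strict=False)  # bare IP becomes a /32
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    return action, net, lo, hi


def parse_policy(text):
    """Parse a torrc fragment into an ordered list of rules."""
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def evaluate(rules, ip, port):
    """Tor semantics: the first rule matching both address and port decides.

    Returns (allowed, rule_index). allowed is None if no rule matched;
    Tor would then fall back to its built-in default policy, which cannot
    happen for policies that end in 'reject *:*' as both below do.
    """
    target = ipaddress.ip_address(ip)
    for i, (action, net, lo, hi) in enumerate(rules):
        if target in net and lo <= port <= hi:
            return action == "accept", i
    return None, -1


def exit_allowed(policy_text, ip, port):
    """Convenience wrapper: would this policy let ip:port through?"""
    allowed, _ = evaluate(parse_policy(policy_text), ip, port)
    return allowed


# Josef's policy as posted in the thread.
ORIGINAL_POLICY = """
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:80        # HTTP
ExitPolicy accept *:8080      # HTTP 2
ExitPolicy accept *:443       # HTTPS
ExitPolicy reject 5.133.182.0/24 # WebIron report
ExitPolicy reject *:*
"""

# Constructed correction: the subnet reject moved above the accept lines
# (and given an explicit ':*'), following the advice in the reply.
FIXED_POLICY = """
ExitPolicy reject 5.133.182.0/24:* # WebIron report, must precede the accepts
ExitPolicy accept *:53
ExitPolicy accept *:80
ExitPolicy accept *:8080
ExitPolicy accept *:443
ExitPolicy reject *:*
"""

if __name__ == "__main__":
    host = "5.133.182.7"                      # constructed address in the subnet
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        rules = parse_policy(policy)
        for port in (80, 443, 22):
            allowed, idx = evaluate(rules, host, port)
            print(f"{name}: {host}:{port} -> "
                  f"{'accept' if allowed else 'reject'} (decided by rule #{idx})")
```

After reordering the real torrc and reloading, the published policy can be compared against what the relay actually advertises on its Atlas page (linked in the original mail), and an iptables counter like the one above will confirm that connections to the subnet on ports 53, 80, 443 and 8080 have stopped.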