[tor-relays] Getting drops with iptables "-m state --state INVALID" in INPUT and OUTPUT chains on relay
fr33d0m4all at riseup.net
Thu Apr 7 17:23:48 UTC 2016
Hi… I've noticed that the iptables rule "-m state --state INVALID -j
DROP" applied both to INPUT and OUTPUT chains on my raspbian Tor relay
drops some connections… is it normal and should I avoid dropping "—state
INVALID" connections when the destination or source is the Tor process
on the relay? It's strange to have them also in the outgoing chain (i.e.
produced by the relay), unless its is related to how Tor works (I'm
almost sure that the connections dropped by the OUTPUT rule are related
to the Tor process).
It's not a matter of conntrack entries, it's using only 61 entries and
has a lot of them free.
Drop log in the OUTPUT direction => why is my relay sending a packet
with ACK PSH FIN flags?
iptables-OUT-INVALID-DENIED: IN= OUT=eth0 SRC=10.x.x.x DST=37.x.x.x
LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24372 DF PROTO=TCP SPT=33423
DPT=9001 WINDOW=321 RES=0x00 ACK PSH FIN URGP=0
Drop log in the INPUT direction => This could be a correct drop due to a
new connection with RST flag, I think:
iptables-IN-INVALID-DENIED: IN=eth0 OUT= SRC=91.x.x.x DST=10.x.x.x
LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=15754 DPT=9090
WINDOW=0 RES=0x00 RST URGP=0
PGP Key: 0DA8 7293 D561 3AEE A3C0 7F63 101F 316A F30E ECB4
IRC Nick: fr33d0m4all (OFTC & Freenode)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: OpenPGP digital signature
More information about the tor-relays