[tor-relays] Getting drops with iptables "-m state --state INVALID" in INPUT and OUTPUT chains on relay

fr33d0m4all fr33d0m4all at riseup.net
Thu Apr 7 17:23:48 UTC 2016

Hi… I've noticed that the iptables rule "-m state --state INVALID -j
DROP" applied both to INPUT and OUTPUT chains on my raspbian Tor relay
drops some connections… is it normal and should I avoid dropping "—state
INVALID" connections when the destination or source is the Tor process
on the relay? It's strange to have them also in the outgoing chain (i.e.
produced by the relay), unless its is related to how Tor works (I'm
almost sure that the connections dropped by the OUTPUT rule are related
to the Tor process).

It's not a matter of conntrack entries, it's using only 61 entries and
has a lot of them free.

Drop log in the OUTPUT direction => why is my relay sending a packet
with ACK PSH FIN flags?

iptables-OUT-INVALID-DENIED: IN= OUT=eth0 SRC=10.x.x.x DST=37.x.x.x
LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24372 DF PROTO=TCP SPT=33423

Drop log in the INPUT direction => This could be a correct drop due to a
new connection with RST flag, I think:

iptables-IN-INVALID-DENIED: IN=eth0 OUT= SRC=91.x.x.x DST=10.x.x.x
LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=15754 DPT=9090

Best regards,



 PGP Key: 0DA8 7293 D561 3AEE A3C0  7F63 101F 316A F30E ECB4
 IRC Nick: fr33d0m4all (OFTC & Freenode)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20160407/c075476e/attachment.sig>

More information about the tor-relays mailing list