[tor-relays] does it make sense to close unused ports at a tor relay with iptables ?

Dr Gerard Bulger gerard at bulger.co.uk
Thu Apr 28 13:33:38 UTC 2016

The likes of GRC.COM make you think that any port not blocked, stealth is bad.  I wondered why if nothing there.  But you can never be certain there is nothing.

I have my TOR Exit node on separate IP from my main server, shared on eth0 as eth0:1
I would like to close as many ports as possible on the second TOR IP, including stopping ping, but the VPS settings of the firewall opens up ports per interface, which is not much good.

I have hunted around for days and cannot find an answer, probably because it is bleeding obvious:  
What's the IP chains command that opens ports per server IP address?

Currently the rules are thus: 
-A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9051 -j ACCEPT
Which opens up those TOR ports on BOTH my IPs, not what I want (OK torrc is listening to the second IP, but that is fiddly to set up for each service)

I want my normal ports to be open on 1st IP and shut on second IP.  

Apologies that IPCHAINS little off topic.

-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces at lists.torproject.org] On Behalf Of Tim Wilson-Brown - teor
Sent: 28 April 2016 10:29
To: tor-relays at lists.torproject.org
Subject: Re: [tor-relays] does it make sense to close unused ports at a tor relay with iptables ?

> On 28 Apr 2016, at 19:18, Toralf Förster <toralf.foerster at gmx.de> wrote:
> On 04/28/2016 11:14 AM, Tim Wilson-Brown - teor wrote:
> > Ports in, or ports out?
> Ports in I meant, sry.
> > Closing inbound ports is a security precaution
> The question is - if there's no program listening on that port, does filtering that in-port have any effect ?

Normally, when there is a connection attempt to a closed port, your OS will reply and let the other end know the port is closed.
With iptables, you can blackhole (drop) these requests instead.
Or you can log them.


Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B
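The per-address rules asked about above, as an added example that is not part of the thread: iptables matches the destination address with `-d`, so a rule can be limited to one of the two addresses sharing eth0 (an alias name such as eth0:1 is not visible to netfilter, so `-i eth0:1` would not match). The script builds an `iptables-restore` ruleset that keeps the main address answering normally (REJECT, so closed ports still reply) while the Tor address accepts only 9030 and 9051 from the post and silently drops everything else, including ping, with rate-limited logging. The addresses 203.0.113.10/11 and the ports 22, 80 and 443 for the main server are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: per-address iptables rules for a host with two IPv4 addresses
# on one interface (main server on eth0, Tor relay on alias eth0:1).
# Addresses and the main server's ports are placeholders for this example.
MAIN_IP="203.0.113.10"   # placeholder: address of the main server
TOR_IP="203.0.113.11"    # placeholder: address of the Tor relay (eth0:1)

# Emit ACCEPT rules for TCP ports on one destination address only.
# The -d match is what ties a rule to a single address; without it the rule
# applies to every address the host owns, which is the problem in the post.
accept_tcp_on() {
  ip="$1"; shift
  for port in "$@"; do
    printf '%s\n' "-A INPUT -d $ip -p tcp -m tcp --dport $port -j ACCEPT"
  done
}

# Build a complete filter table in iptables-restore format.
build_ruleset() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'      # unmatched input is blackholed
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  # Loopback and already-established traffic, for both addresses
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Main server address: its normal services (placeholder ports) plus ping,
  # and a reply for anything else so clients see "closed" rather than a hang.
  accept_tcp_on "$MAIN_IP" 22 80 443
  printf '%s\n' "-A INPUT -d $MAIN_IP -p icmp --icmp-type echo-request -j ACCEPT"
  printf '%s\n' "-A INPUT -d $MAIN_IP -j REJECT --reject-with icmp-port-unreachable"
  # Tor relay address: only the ports named in the post; everything else,
  # ping included, is logged at a low rate and then falls to the DROP policy.
  accept_tcp_on "$TOR_IP" 9030 9051
  printf '%s\n' "-A INPUT -d $TOR_IP -m limit --limit 5/min -j LOG --log-prefix \"tor-ip-drop: \""
  printf '%s\n' 'COMMIT'
}

# Number of ACCEPT rules bound to a given address (a quick self-check).
count_accepts_for() {
  build_ruleset | grep -c -e "-d $1 .* -j ACCEPT"
}

# Review the output, then load it with: build_ruleset | iptables-restore
build_ruleset
```

Run the script to print the ruleset, review it, and only then pipe it into `iptables-restore`; loading a DROP-policy table over an SSH session without an ACCEPT for your own address is the classic way to lock yourself out. The same `-d` split carries over to ip6tables if the relay also has an IPv6 address.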
