[tor-relays] How to prevent netscan usage?

Roland 'ValiDOM' Jungnickel vali2015 at validom.de
Sun Feb 7 20:17:59 UTC 2016

On 28.11.2015 at 10:20, grarpamp wrote:
>> First rule is to use some firewall
> No it is not, do not do this.
> An exit needs to pass the traffic that its exitpolicy says it will pass.
> Otherwise bad things happen with circuit construction and your exit
> gets badmouthed by users possibly to the point of being banned. If
> you can't provide an exitpolicy that works as written, then don't provide it.

Unfortunately, I had to do so. The below firewall rule was active for
approx one month. During this time, exit-traffic did not decrease nor
did I recognise any other negative effect. During this time, I got no
new issues with my ISP. Last week, after some patches I rebooted the
server and forgot to apply the rules again. Within 3 days, my ISP
blocked the server once more because of netscan abuse....

So to say... these rules work. But most probably somebody with more
iptables experience might adjust them to be even more effective AND less

iptables -N ONEW
iptables -A ONEW -o lo -j ACCEPT
iptables -A ONEW -p udp --dport 53 -m limit --limit 2/sec --limit-burst
iptables -A ONEW -p udp --dport 80 -m limit --limit 2/sec --limit-burst
iptables -A ONEW -m hashlimit --hashlimit-upto 1/second --hashlimit-mode dstip --hashlimit-dstmask 24 --hashlimit-name ONEW -j ACCEPT
iptables -A ONEW -m limit --limit 1/sec -j LOG --log-prefix "REJECTED: "
iptables -A ONEW -j REJECT --reject-with icmp-admin-prohibited
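The effect of the hashlimit rule above (a per-destination-/24 token bucket for new outbound connections) is easier to reason about when simulated on a stream of connection attempts. The following is an added example written for this page, not code from the original post or from the iptables project: it models the bucket behaviour of `--hashlimit-upto 1/second --hashlimit-mode dstip --hashlimit-dstmask 24` over constructed sample events, assuming the hashlimit default burst of 5 (the post does not set `--hashlimit-burst`) and assuming only new outbound connections are evaluated (the post does not show the rule that jumps from OUTPUT into the ONEW chain). Ordinary traffic spread across different /24s passes untouched, while a fan-out to many hosts in one /24 is admitted only up to the burst and then rejected, which is exactly what keeps a scan from reaching the ISP's abuse threshold.

```python
import ipaddress
from collections import defaultdict


def dst_bucket_key(ip, mask_bits=24):
    """Map a destination address to its /mask bucket, as --hashlimit-dstmask does."""
    return str(ipaddress.ip_network(f"{ip}/{mask_bits}", strict=False))


class TokenBucket:
    """Simplified token bucket: `rate` tokens/sec refill, `burst` capacity."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.capacity = burst
        self.tokens = float(burst)   # a fresh bucket starts full
        self.last = now

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_new_connections(events, rate=1.0, burst=5, mask_bits=24):
    """Apply the hashlimit rule to (timestamp, dst_ip) events; return verdicts.

    `burst=5` is an assumption: the hashlimit module default when
    --hashlimit-burst is not given.
    """
    buckets = {}
    verdicts = []
    for ts, dst in events:
        key = dst_bucket_key(dst, mask_bits)
        bucket = buckets.get(key)
        if bucket is None:
            bucket = buckets[key] = TokenBucket(rate, burst, ts)
        verdict = "ACCEPT" if bucket.allow(ts) else "REJECT"
        verdicts.append((ts, dst, key, verdict))
    return verdicts


def summarize(verdicts):
    """Count ACCEPT/REJECT per destination /24 bucket."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "REJECT": 0})
    for _, _, key, verdict in verdicts:
        counts[key][verdict] += 1
    return dict(counts)


# Constructed sample traffic (not captured from a real relay):
# five ordinary connections, each to a different /24, two seconds apart ...
NORMAL_EVENTS = [(float(i * 2), f"198.51.{i}.7") for i in range(5)]
# ... followed by a burst of 60 new connections to 60 hosts in one /24
# within 0.6 seconds, the pattern an ISP flags as a netscan.
SCAN_EVENTS = [(10.0 + i * 0.01, f"10.0.5.{i + 1}") for i in range(60)]
SAMPLE_EVENTS = NORMAL_EVENTS + SCAN_EVENTS


def run_sample():
    """Run the constructed sample through the rule and return the summary."""
    return summarize(filter_new_connections(SAMPLE_EVENTS))


if __name__ == "__main__":
    for key, counts in sorted(run_sample().items()):
        print(f"{key:18} ACCEPT={counts['ACCEPT']:3d} REJECT={counts['REJECT']:3d}")
```

Running it shows every ordinary /24 with one ACCEPT and no REJECT, and the scanned /24 with 5 ACCEPT (the burst) and 55 REJECT. Because the bucket refills at only one token per second, a scanner that slows down to one host per second per /24 would still pass, so this rule bounds the rate of a scan rather than stopping it outright; the LOG rule in the post is what lets the operator see which destinations are being throttled.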

