[tor-relays] How to prevent netscan usage?

Roland 'ValiDOM' Jungnickel vali2015 at validom.de
Sun Feb 7 20:17:59 UTC 2016


On 28.11.2015 at 10:20, grarpamp wrote:
>> First rule is to use some firewall
> 
> No it is not, do not do this.
> An exit needs to pass the traffic that its exitpolicy says it will pass.
> Otherwise bad things happen with circuit construction and your exit
> gets badmouthed by users possibly to the point of being banned. If
> you can't provide an exitpolicy that works as written, then don't provide it.

Unfortunately, I had to do so. The below firewall rule was active for
approx one month. During this time, exit-traffic did not decrease nor
did I recognise any other negative effect. During this time, I got no
new issues with my ISP. Last week, after some patches I rebooted the
server and forgot to apply the rules again. Within 3 days, my ISP
blocked the server once more because of netscan abuse....

So to say... these rules work. But most probably somebody with more
iptables experience might adjust them to be even more effective AND less
"problematic".


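# Chain for outbound packets to be rate limited
iptables -N ONEW
# Always allow loopback
iptables -A ONEW -o lo -j ACCEPT
# UDP ports 53 and 80: 2 packets/sec overall, burst of 5
iptables -A ONEW -p udp --dport 53 -m limit --limit 2/sec --limit-burst 5 -j ACCEPT
iptables -A ONEW -p udp --dport 80 -m limit --limit 2/sec --limit-burst 5 -j ACCEPT
# Everything else: up to 1 packet/sec per destination /24
iptables -A ONEW -m hashlimit --hashlimit-upto 1/second --hashlimit-mode dstip --hashlimit-dstmask 24 --hashlimit-name ONEW -j ACCEPT
# Log what exceeds the limits (at most 1 log line/sec), then reject it
iptables -A ONEW -m limit --limit 1/sec -j LOG --log-prefix "REJECTED: "
iptables -A ONEW -j REJECT --reject-with icmp-admin-prohibited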


Thx
Vali
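
Added example, not part of the original post: a simplified Python token-bucket model of the hashlimit rule above, showing why a sweep of a single /24 is throttled while traffic spread over many networks passes. It assumes every packet reaching ONEW is the first packet of a new outbound connection (the jump rule into ONEW is not shown in the post) and the iptables default --hashlimit-burst of 5; all addresses and timings are constructed.

```python
"""Simplified model of the ONEW hashlimit rule (added example, not from the post)."""
import ipaddress
from collections import defaultdict

RATE_PER_SEC = 1   # --hashlimit-upto 1/second
BURST = 5          # iptables default --hashlimit-burst (assumption: not set in the post)
MASK = 24          # --hashlimit-dstmask 24
COST = 1000        # one packet costs 1000 milli-tokens (integer maths, no float drift)


def bucket_key(dst_ip, mask=MASK):
    """--hashlimit-mode dstip with dstmask 24: one bucket per destination /24."""
    return ipaddress.ip_network(f"{dst_ip}/{mask}", strict=False)


def run_chain(packets, rate=RATE_PER_SEC, burst=BURST):
    """packets: (timestamp_ms, dst_ip) tuples sorted by time.
    Returns (accepted, rejected), split the way the hashlimit ACCEPT rule
    followed by the final REJECT rule would split them."""
    tokens = defaultdict(lambda: burst * COST)   # every bucket starts full
    last_seen = {}
    accepted, rejected = [], []
    for ts, dst in packets:
        key = bucket_key(dst)
        elapsed_ms = ts - last_seen.get(key, ts)
        # rate tokens/sec equals rate milli-tokens per millisecond
        tokens[key] = min(burst * COST, tokens[key] + elapsed_ms * rate)
        last_seen[key] = ts
        if tokens[key] >= COST:
            tokens[key] -= COST
            accepted.append((ts, dst))
        else:
            rejected.append((ts, dst))
    return accepted, rejected


# Constructed traffic, one new connection every 20 ms in both cases:
# a sweep of one /24 (documentation range) and 100 unrelated /24 networks.
sweep = [(20 * i, f"198.51.100.{i + 1}") for i in range(254)]
normal = [(20 * i, f"10.{i}.0.1") for i in range(100)]

if __name__ == "__main__":
    for name, pkts in (("sweep of one /24", sweep), ("100 different /24s", normal)):
        ok, dropped = run_chain(pkts)
        print(f"{name}: {len(ok)} accepted, {len(dropped)} rejected")
```

The model ignores hashlimit's table expiry and the two UDP rules; it only illustrates the per-/24 bucket.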
