[tor-relays] wrong iptables rules? / no inbound traffic in nyx

lists at for-privacy.net lists at for-privacy.net
Thu Jan 27 00:27:23 UTC 2022


On Thursday, January 27, 2022 12:13:32 AM CET lists at for-privacy.net wrote:

Oh, I forgot something

> > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
> > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
> > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
> > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
> > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
> > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT


https://www.ietf.org/rfc/rfc4890.txt
4.3.3. Traffic That Will Be Dropped Anyway -- No Special Attention Needed

Allow these ICMPv6 types only if the hop limit field is 255.
(I can never remember the numbers, so I always use ICMPv6 type names)
e.g.:
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT

> > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
> > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
> > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
> > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT

Best not to filter ICMPv6 at all. Or just rate-limit echo-request, maybe also
echo-reply.

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
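A small audit script for the point Marco makes above, added here as an example and not part of the thread or of any tool the thread mentions. It parses ip6tables-save style rules, maps numeric --icmpv6-type values to the names ip6tables understands, and flags any ACCEPT rule for the Neighbor Discovery types (133-137) that lacks the `-m hl --hl-eq 255` match described in RFC 4890 section 4.3.3; it also rewrites such a rule with the match inserted. The chain name ICMPv6_IN and the sample rules are constructed for the demonstration.

```python
"""Audit ip6tables rules for ICMPv6 Neighbor Discovery accepts lacking a hop-limit check.

Added example, not code from the tor-relays thread. The rules in SAMPLE_RULES
and the chain name ICMPv6_IN are constructed for this demonstration.
"""
import re
from dataclasses import dataclass

# ICMPv6 type numbers and the --icmpv6-type names ip6tables accepts for them.
ICMPV6_TYPE_NAMES = {
    1: "destination-unreachable",
    2: "packet-too-big",
    3: "time-exceeded",
    4: "parameter-problem",
    128: "echo-request",
    129: "echo-reply",
    133: "router-solicitation",
    134: "router-advertisement",
    135: "neighbour-solicitation",
    136: "neighbour-advertisement",
    137: "redirect",
}
NAME_TO_TYPE = {name: num for num, name in ICMPV6_TYPE_NAMES.items()}
# ip6tables also accepts the US spellings for the NDP types.
NAME_TO_TYPE["neighbor-solicitation"] = 135
NAME_TO_TYPE["neighbor-advertisement"] = 136

# Neighbor Discovery messages are only valid on-link and must carry hop limit
# 255 (RFC 4861); RFC 4890 4.3.3 covers why a router never forwards them.
LINK_LOCAL_ONLY_TYPES = {133, 134, 135, 136, 137}

TYPE_RE = re.compile(r"--icmpv6-type\s+(\S+)")
HL_RE = re.compile(r"-m\s+hl\s+--hl-eq\s+(\d+)")


@dataclass
class Finding:
    rule: str
    icmp_type: int
    problem: str


def parse_icmpv6_type(rule: str):
    """Return the numeric ICMPv6 type named in the rule, or None if there is none."""
    m = TYPE_RE.search(rule)
    if not m:
        return None
    token = m.group(1).split("/")[0]  # drop an optional "/code" suffix
    if token.isdigit():
        return int(token)
    return NAME_TO_TYPE.get(token)


def audit_rules(rules):
    """Flag ACCEPT rules for NDP types that have no hop-limit match or a wrong one."""
    findings = []
    for rule in rules:
        if "-j ACCEPT" not in rule:
            continue
        icmp_type = parse_icmpv6_type(rule)
        if icmp_type not in LINK_LOCAL_ONLY_TYPES:
            continue
        hl = HL_RE.search(rule)
        name = ICMPV6_TYPE_NAMES[icmp_type]
        if hl is None:
            findings.append(Finding(rule, icmp_type,
                                    f"accepts {name} without a hop-limit match; add '-m hl --hl-eq 255'"))
        elif int(hl.group(1)) != 255:
            findings.append(Finding(rule, icmp_type,
                                    f"accepts {name} with hop limit {hl.group(1)}, should be 255"))
    return findings


def suggest_fix(rule: str) -> str:
    """Return the rule with a '-m hl --hl-eq 255' match placed before the ACCEPT target."""
    if HL_RE.search(rule):
        return HL_RE.sub("-m hl --hl-eq 255", rule)
    return rule.replace(" -j ACCEPT", " -m hl --hl-eq 255 -j ACCEPT")


# Constructed sample ruleset: two rules violate the hop-limit requirement.
SAMPLE_RULES = [
    "-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT",
    "-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT",
    "-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 64 -j ACCEPT",
    "-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT",
    "-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT",
    "-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP",
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.problem}\n  rule: {f.rule}\n  fix:  {suggest_fix(f.rule)}")
```

Run it against the output of `ip6tables-save` (one rule per line) to get the same report for a live ruleset; the script only reads rules and never changes the firewall.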