[tor-talk] Tor and firewall output rules

Anton Korec anton.korec at tritony.org
Thu Jun 28 15:44:25 UTC 2012


Hi,

I'm new to this list, so I apologise if my problem has been solved already.

I'm running a new tor router as a non-exit relay, with ORPort 443 and DirPort 80.
The server is running on Debian stable and the tor version is 0.2.2.35. Tor is running
under the debian-tor user. I have restrictive iptables firewall rules (in both
directions, INPUT and OUTPUT). I do not like fw rules of the type "all outgoing is
allowed". So I set the fw up as found somewhere on the torproject.org wiki, with
"-m owner --uid-owner debian-tor":

IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP
...
...
IPTABLES -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: -d ${MYIP} --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -m owner --uid-owner debian-tor -j ACCEPT

In such a configuration the fw has been dropping large numbers of packets with uid 0
and packets with no uid set. And it seems that there was almost no tor traffic
on the relay. So I changed the OUTPUT rule to:

IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -j ACCEPT

and everything worked fine.
I tried the 0.2.2.37 and 0.2.3.17-beta precompiled deb packages, and tried to
compile from source downloaded from torproject.org, but the packet dropping was
the same on every version of tor.
The last thing I did was update the fw rules to:

IPTABLES -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: -d ${MYIP} --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -m owner --uid-owner debian-tor -j ACCEPT
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -j ACCEPT

to count the packets traversing each OUTPUT rule (with and without the uid set to
"debian-tor"). 22% of all packets (11% of the bytes of that traffic) sent by the
tor relay had the uid not set to "debian-tor".

Why is tor sending packets with uid not set to "debian-tor"?

Regards
Tony
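The owner match can only claim packets that still have a local socket attached, so a way to find out what the unmatched share actually consists of is to log it with `--log-uid` and break the log down by TCP flags and UID presence. This is an added example, not part of Tony's post or of Tor; the LOG rule, the "TOR-NOOWNER" prefix and the sample log lines (addresses, ports, lengths) are all constructed.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines, as written by a rule placed directly
# after the owner-match ACCEPT so it only sees what "-m owner" did not claim:
#   $IPTABLES -A OUTPUT -o eth0 -p tcp -j LOG --log-prefix "TOR-NOOWNER " --log-uid
# (rule and prefix are assumptions for this example; values are made up)
SAMPLE_LOG = """\
kernel: TOR-NOOWNER IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
kernel: TOR-NOOWNER IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=40111 WINDOW=0 RES=0x00 RST URGP=0
kernel: TOR-NOOWNER IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.11 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=443 DPT=33001 WINDOW=501 RES=0x00 ACK FIN URGP=0
kernel: TOR-NOOWNER IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.12 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5678 DF PROTO=TCP SPT=443 DPT=33002 WINDOW=501 RES=0x00 ACK URGP=0 UID=0 GID=0
"""

# Order in which the kernel LOG target prints the TCP flag words.
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_line(line):
    """Return (flags, uid, length) for one TCP LOG line, or None for anything else."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    if fields.get("PROTO") != "TCP":
        return None
    # Flag words stand alone between RES= and URGP=, so pick them up as bare tokens.
    flags = tuple(f for f in TCP_FLAGS if re.search(r"\b%s\b" % f, line))
    # --log-uid appends UID=/GID= only when a local socket is still attached to
    # the packet; packets the stack generates on its own carry no UID field.
    uid = int(fields["UID"]) if "UID" in fields else None
    return flags, uid, int(fields["LEN"])


def summarize(log_text):
    """Count logged packets by (flag string, uid) and total their bytes."""
    by_kind, total_bytes = Counter(), 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        flags, uid, length = parsed
        by_kind[(" ".join(flags), uid)] += 1
        total_bytes += length
    return by_kind, total_bytes


if __name__ == "__main__":
    kinds, nbytes = summarize(SAMPLE_LOG)
    for (flags, uid), n in kinds.most_common():
        print("%-8s uid=%-4s %d packet(s)" % (flags, uid, n))
    print("total bytes logged:", nbytes)
```

Once the counters are logged this way, the rule above can be replaced by a targeted ACCEPT for the kinds of packets that turn out to be legitimate, rather than opening OUTPUT for everything.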