[tor-talk] tor setup on wt3020h with openwrt problem

Michal Zuber michael at riseup.net
Mon Dec 29 07:00:45 UTC 2014


Hi,
1. What about the logs?
2. I have the following in my iptables.rules to be notified of what was blocked:
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

3. Does `netstat -nat | grep :53` or `lsof -i :53` show something listening on port 53?
(https://www.debian-administration.org/article/184/How_to_find_out_which_process_is_listening_upon_a_port)
4. Did you try host (dig, nslookup) on the router?
5. Does `dig @ROUTER_IP google.com` work?
6. You could also try watching the DNS traffic with `tcpdump -vvv -s 0 -l -n port 53`
(http://jontai.me/blog/2011/11/monitoring-dns-queries-with-tcpdump/)



On 12/28/14 10:04 PM, Oğuz Yarımtepe wrote:
> Hum… Seems good so :'(
>> Can you dump your real current firewall entries ?
>>
>> And how do you connect your 3020 to your LAN ? RJ45 with DHCP ?
>>
>>
> Here is the iptables-save output
>
> I have an adsl modem. Connected to Internet. I plugged its lan port to my
> new small router wt3020. And I am connecting to the new ssid. Between adsl
> and wt3020, there is rj45 and yes dhcp is active at the adsl modem.
>
> # Generated by iptables-save v1.4.21 on Sun Dec 28 10:30:12 2014
> *nat
> :PREROUTING ACCEPT [1:345]
> :INPUT ACCEPT [19:1522]
> :OUTPUT ACCEPT [201:14140]
> :POSTROUTING ACCEPT [201:14140]
> :delegate_postrouting - [0:0]
> :delegate_prerouting - [0:0]
> :postrouting_lan_rule - [0:0]
> :postrouting_rule - [0:0]
> :postrouting_transtor_rule - [0:0]
> :postrouting_wan_rule - [0:0]
> :prerouting_lan_rule - [0:0]
> :prerouting_rule - [0:0]
> :prerouting_transtor_rule - [0:0]
> :prerouting_wan_rule - [0:0]
> :zone_lan_postrouting - [0:0]
> :zone_lan_prerouting - [0:0]
> :zone_transtor_postrouting - [0:0]
> :zone_transtor_prerouting - [0:0]
> :zone_wan_postrouting - [0:0]
> :zone_wan_prerouting - [0:0]
> -A PREROUTING -j delegate_prerouting
> -A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
> -A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
> -A OUTPUT -d 10.192.0.0/10 -p tcp -j REDIRECT --to-ports 9040
> -A POSTROUTING -j delegate_postrouting
> -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
> -A delegate_postrouting -o br-lan -j zone_lan_postrouting
> -A delegate_postrouting -o eth0.2 -j zone_wan_postrouting
> -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
> -A delegate_prerouting -i br-lan -j zone_lan_prerouting
> -A delegate_prerouting -i eth0.2 -j zone_wan_prerouting
> -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
> -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
> -A zone_transtor_postrouting -m comment --comment "user chain for postrouting" -j postrouting_transtor_rule
> -A zone_transtor_prerouting -m comment --comment "user chain for prerouting" -j prerouting_transtor_rule
> -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
> -A zone_wan_postrouting -j MASQUERADE
> -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
> COMMIT
> # Completed on Sun Dec 28 10:30:12 2014
> # Generated by iptables-save v1.4.21 on Sun Dec 28 10:30:12 2014
> *raw
> :PREROUTING ACCEPT [689:59343]
> :OUTPUT ACCEPT [556:45097]
> :delegate_notrack - [0:0]
> :zone_lan_notrack - [0:0]
> -A PREROUTING -j delegate_notrack
> -A delegate_notrack -i br-lan -j zone_lan_notrack
> -A zone_lan_notrack -j CT --notrack
> COMMIT
> # Completed on Sun Dec 28 10:30:12 2014
> # Generated by iptables-save v1.4.21 on Sun Dec 28 10:30:12 2014
> *mangle
> :PREROUTING ACCEPT [689:59343]
> :INPUT ACCEPT [621:51385]
> :FORWARD ACCEPT [17:1020]
> :OUTPUT ACCEPT [556:45097]
> :POSTROUTING ACCEPT [556:45097]
> :fwmark - [0:0]
> :mssfix - [0:0]
> -A PREROUTING -j fwmark
> -A FORWARD -j mssfix
> -A mssfix -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
> COMMIT
> # Completed on Sun Dec 28 10:30:12 2014
> # Generated by iptables-save v1.4.21 on Sun Dec 28 10:30:12 2014
> *filter
> :INPUT ACCEPT [33:2723]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [2:702]
> :delegate_forward - [0:0]
> :delegate_input - [0:0]
> :delegate_output - [0:0]
> :forwarding_lan_rule - [0:0]
> :forwarding_rule - [0:0]
> :forwarding_transtor_rule - [0:0]
> :forwarding_wan_rule - [0:0]
> :input_lan_rule - [0:0]
> :input_rule - [0:0]
> :input_transtor_rule - [0:0]
> :input_wan_rule - [0:0]
> :output_lan_rule - [0:0]
> :output_rule - [0:0]
> :output_transtor_rule - [0:0]
> :output_wan_rule - [0:0]
> :reject - [0:0]
> :syn_flood - [0:0]
> :zone_lan_dest_ACCEPT - [0:0]
> :zone_lan_forward - [0:0]
> :zone_lan_input - [0:0]
> :zone_lan_output - [0:0]
> :zone_lan_src_ACCEPT - [0:0]
> :zone_transtor_dest_ACCEPT - [0:0]
> :zone_transtor_dest_REJECT - [0:0]
> :zone_transtor_forward - [0:0]
> :zone_transtor_input - [0:0]
> :zone_transtor_output - [0:0]
> :zone_transtor_src_REJECT - [0:0]
> :zone_wan_dest_ACCEPT - [0:0]
> :zone_wan_dest_REJECT - [0:0]
> :zone_wan_forward - [0:0]
> :zone_wan_input - [0:0]
> :zone_wan_output - [0:0]
> :zone_wan_src_REJECT - [0:0]
> -A INPUT -j delegate_input
> -A FORWARD -j delegate_forward
> -A OUTPUT -j delegate_output
> -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
> -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_forward -i br-lan -j zone_lan_forward
> -A delegate_forward -i eth0.2 -j zone_wan_forward
> -A delegate_forward -j reject
> -A delegate_input -i lo -j ACCEPT
> -A delegate_input -m comment --comment "user chain for input" -j input_rule
> -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
> -A delegate_input -i br-lan -j zone_lan_input
> -A delegate_input -i eth0.2 -j zone_wan_input
> -A delegate_output -o lo -j ACCEPT
> -A delegate_output -m comment --comment "user chain for output" -j output_rule
> -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_output -o br-lan -j zone_lan_output
> -A delegate_output -o eth0.2 -j zone_wan_output
> -A reject -p tcp -j REJECT --reject-with tcp-reset
> -A reject -j REJECT --reject-with icmp-port-unreachable
> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
> -A syn_flood -j DROP
> -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
> -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
> -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
> -A zone_lan_forward -j zone_lan_dest_ACCEPT
> -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
> -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
> -A zone_lan_input -j zone_lan_src_ACCEPT
> -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
> -A zone_lan_output -j zone_lan_dest_ACCEPT
> -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
> -A zone_transtor_forward -m comment --comment "user chain for forwarding" -j forwarding_transtor_rule
> -A zone_transtor_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
> -A zone_transtor_forward -j zone_transtor_dest_REJECT
> -A zone_transtor_input -m comment --comment "user chain for input" -j input_transtor_rule
> -A zone_transtor_input -p udp -m udp --dport 67 -m comment --comment Allow-Tor-DHCP -j ACCEPT
> -A zone_transtor_input -p tcp -m tcp --dport 9040 -m comment --comment Allow-Tor-Transparent -j ACCEPT
> -A zone_transtor_input -p udp -m udp --dport 9053 -m comment --comment Allow-Tor-DNS -j ACCEPT
> -A zone_transtor_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
> -A zone_transtor_input -j zone_transtor_src_REJECT
> -A zone_transtor_output -m comment --comment "user chain for output" -j output_transtor_rule
> -A zone_transtor_output -j zone_transtor_dest_ACCEPT
> -A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
> -A zone_wan_dest_REJECT -o eth0.2 -j reject
> -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
> -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
> -A zone_wan_forward -j zone_wan_dest_REJECT
> -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
> -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
> -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
> -A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "@rule[5]" -j ACCEPT
> -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
> -A zone_wan_input -j zone_wan_src_REJECT
> -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
> -A zone_wan_output -j zone_wan_dest_ACCEPT
> -A zone_wan_src_REJECT -i eth0.2 -j reject
> COMMIT
> # Completed on Sun Dec 28 10:30:12 2014
>
>
>
>
>> --
>> Aeris
>>
>> Protect your privacy, encrypt your communications
>> GPG : EFB74277 ECE4E222
>> OTR : 5769616D 2D3DAC72
>> https://café-vie-privée.fr/ <https://xn--caf-vie-prive-dhbj.fr/>
>>
>> --
>> tor-talk mailing list - tor-talk at lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
>>
>
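As an added example (not code from Michal, Oğuz, or the OpenWrt/Tor projects), here is a small checker that does on an `iptables-save` dump what steps 1 to 3 above do by hand: it lists every nat REDIRECT rule with the interface it is bound to and the Tor port it targets, and lists user chains that are declared but never jumped to. The embedded SAMPLE is a constructed excerpt of the nat table quoted above.

```python
"""Added example for this thread: inspect an iptables-save dump for the
transparent-Tor redirects and for zone chains that are declared but never reached."""
import shlex

# Constructed excerpt of the nat table quoted in the thread (dispatch and REDIRECT rules only).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [1:345]
:delegate_prerouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_transtor_prerouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0.2 -j zone_wan_prerouting
COMMIT
"""
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

def parse(dump):
    """Return {table: {"chains": set of chain names, "rules": list of argv lists}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"chains": set(), "rules": []})
        elif line.startswith(":") and table is not None:
            table["chains"].add(line[1:].split()[0])
        elif line.startswith("-A") and table is not None:
            table["rules"].append(shlex.split(line))  # shlex keeps quoted --comment values whole
    return tables

def opt(argv, flag):
    """Value that follows `flag` in a rule's argv, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def tor_redirects(tables):
    """(chain, in-iface, proto, dport or 'SYN', target port) for every REDIRECT in the nat table."""
    hits = []
    for argv in tables.get("nat", {}).get("rules", []):
        if opt(argv, "-j") == "REDIRECT":
            match = opt(argv, "--dport") or ("SYN" if "--tcp-flags" in argv else "any")
            hits.append((argv[1], opt(argv, "-i"), opt(argv, "-p"), match, opt(argv, "--to-ports")))
    return hits

def orphan_chains(tables, table):
    """User chains in `table` that no rule jumps to: rules placed in them never run."""
    t = tables[table]
    return sorted(t["chains"] - {opt(argv, "-j") for argv in t["rules"]} - BUILTIN)
```

On this excerpt it reports both Tor redirects bound to `wlan0` and `zone_transtor_prerouting` as unreachable, because `delegate_prerouting` only dispatches `br-lan` and `eth0.2`; on the router, feed it the real `iptables-save` output instead of SAMPLE.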


