[tor-talk] tor setup on wt3020h with openwrt problem

Oğuz Yarımtepe oguzyarimtepe at gmail.com
Mon Dec 29 18:45:44 UTC 2014


Hi,

On Mon, Dec 29, 2014 at 9:00 AM, Michal Zuber <michael at riseup.net> wrote:

> Hi,
> 1. what about the logs?
>


> 2. I have the following in my iptables.rules to be notified what was blocked
> -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
>
>
I added this to firewall.user and saw that UDP messages are somehow blocked.

[ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP SPT=48397 DPT=9053 LEN=46
[ 2550.550000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40926 DF PROTO=UDP SPT=47905 DPT=9053 LEN=50
[ 2563.880000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=43508 DF PROTO=UDP SPT=37506 DPT=9053 LEN=44
[ 2574.950000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP SPT=28425 DPT=9053 LEN=50
[ 2586.200000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=46793 DF PROTO=UDP SPT=37394 DPT=9053 LEN=46
[ 2598.680000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48473 DF PROTO=UDP SPT=57058 DPT=9053 LEN=44
[ 2611.290000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=58998 DF PROTO=UDP SPT=58128 DPT=9053 LEN=48

> 3. Does `netstat -nat |grep :53` or `lsof -i :53` show something listening on port 53? (
> https://www.debian-administration.org/article/184/How_to_find_out_which_process_is_listening_upon_a_port)
> 4. Did you try host (dig, nslookup) on the router?
> 5. Does `dig @ROUTER_IP google.com` work?
> 6. You could also try to watch the DNS traffic with ` tcpdump -vvv -s 0 -l -n port 53` (http://jontai.me/blog/2011/11/monitoring-dns-queries-with-tcpdump/)



route -n was strange

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0

netstat -pantu says the ports are right

# netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.2.1:9040        0.0.0.0:*               LISTEN      734/tor
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      756/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1059/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      699/dropbear
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      734/tor
tcp        0    248 192.168.2.1:22          192.168.2.171:44694     ESTABLISHED 1062/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      756/uhttpd
tcp        0      0 :::53                   :::*                    LISTEN      1059/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      699/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1059/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1059/dnsmasq
udp        0      0 192.168.2.1:9053        0.0.0.0:*                           734/tor
udp        0      0 :::546                  :::*                                812/odhcp6c
udp        0      0 :::547                  :::*                                669/odhcpd
udp        0      0 :::53                   :::*                                1059/dnsmasq

Here is iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
delegate_input  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "

Chain FORWARD (policy DROP)
target     prot opt source               destination
delegate_forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
delegate_output  all  --  anywhere             anywhere

Chain delegate_forward (1 references)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain delegate_input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
input_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all  --  anywhere             anywhere
zone_wan_input  all  --  anywhere             anywhere

Chain delegate_output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere             /* user chain for output */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_output  all  --  anywhere             anywhere
zone_wan_output  all  --  anywhere             anywhere

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_transtor_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_transtor_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_transtor_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere

Chain zone_lan_dest_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_transtor_dest_ACCEPT (1 references)
target     prot opt source               destination

Chain zone_transtor_dest_REJECT (1 references)
target     prot opt source               destination

Chain zone_transtor_forward (0 references)
target     prot opt source               destination
forwarding_transtor_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_transtor_dest_REJECT  all  --  anywhere             anywhere

Chain zone_transtor_input (0 references)
target     prot opt source               destination
input_transtor_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps /* Allow-Tor-DHCP */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9040 /* Allow-Tor-Transparent */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:9053 /* Allow-Tor-DNS */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_transtor_src_REJECT  all  --  anywhere             anywhere

Chain zone_transtor_output (0 references)
target     prot opt source               destination
output_transtor_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_transtor_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_transtor_src_REJECT (1 references)
target     prot opt source               destination

Chain zone_wan_dest_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* Allow-Ping */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https /* @rule[5] */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere


I also started to lose the Internet connection for the other ADSL users. When they
connected to the normal ADSL SSID while the Tor router was plugged in, they started
to lose their connection.

Seems there is a firewall or network problem.

Can anyone figure it out?
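
As an added example (not code from the post, OpenWrt or Tor), here is a small Python parser for netfilter LOG lines of the kind shown above; it summarises logged packets per ingress interface, source and destination port and labels the two Tor ports that the ruleset's own Allow-Tor-Transparent (TCP 9040) and Allow-Tor-DNS (UDP 9053) rules refer to. The sample lines are copied from the log in this message with the mail-client wrapping rejoined.

```python
import re
from collections import Counter

# Sample lines copied from the router log in the post (mail wrapping rejoined).
SAMPLE_LOG = """\
[ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP SPT=48397 DPT=9053 LEN=46
[ 2574.950000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP SPT=28425 DPT=9053 LEN=50
[ 2611.290000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=58998 DF PROTO=UDP SPT=58128 DPT=9053 LEN=48
"""

LOG_PREFIX = "iptables denied: "          # the --log-prefix used in the post's LOG rule
FIELD = re.compile(r"(\w+)=(\S*)")        # netfilter LOG fields are KEY=VALUE tokens

# Ports the transtor zone of the ruleset expects (Allow-Tor-Transparent, Allow-Tor-DNS).
TOR_PORTS = {("TCP", 9040): "TransPort", ("UDP", 9053): "DNSPort"}


def parse_log_line(line):
    """Parse one kernel LOG line into a dict of fields; return None for unrelated lines."""
    pos = line.find(LOG_PREFIX)
    if pos < 0:
        return None
    body = line[pos + len(LOG_PREFIX):]
    fields = {}
    for key, value in FIELD.findall(body):
        # LEN appears twice: the IP total length first, then the UDP/TCP length.
        if key == "LEN" and "LEN" in fields:
            key = "L4_LEN"
        fields[key] = value
    fields["DF"] = " DF " in body          # bare flag (no '='): Don't-Fragment bit set
    return fields


def describe(fields):
    """Label a parsed packet, e.g. 'UDP/9053 (DNSPort)', using the Tor port table."""
    proto, dport = fields.get("PROTO"), int(fields.get("DPT", 0))
    return f"{proto}/{dport} ({TOR_PORTS.get((proto, dport), 'not a Tor port')})"


def summarize(log_text):
    """Count logged TCP/UDP packets per (in-iface, src, proto, dport) over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None or fields.get("PROTO") not in ("TCP", "UDP"):
            continue
        counts[(fields["IN"], fields["SRC"], fields["PROTO"], int(fields["DPT"]))] += 1
    return counts


if __name__ == "__main__":
    for (iface, src, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        label = TOR_PORTS.get((proto, dport), "not a Tor port")
        print(f"{n:3d}  {iface}  {src} -> {proto}/{dport} ({label})")
```

Note that in the ruleset shown the LOG rule is the last rule of an INPUT chain whose policy is ACCEPT, so a packet carrying this prefix has fallen through delegate_input without matching any zone jump (iptables -L without -v hides the interface matches, and zone_transtor_input has 0 references) and is then accepted by the chain policy rather than dropped. The word "denied" in these lines is only the chosen --log-prefix text, not evidence that the packet was rejected.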

