[tor-talk] tor setup on wt3020h with openwrt problem
Michal Zuber
michael at riseup.net
Sat Jan 3 09:11:31 UTC 2015
What's in the logs?
Did you check what does iptables DROP, REJECT?
To check DNS resolving try `dig @DNS_SERVER_IP google.com`
On 1/2/15 11:54 PM, Oğuz Yarımtepe wrote:
> I changed the firewall rules.
>
> /etc/firewall.user
>
> This file is interpreted as shell script.
> # Put your custom iptables rules here, they will
> # be executed with each firewall (re-)start.
>
> # Internal uci firewall chains are flushed and recreated on reload, so
> # put custom rules into the root chains e.g. INPUT or FORWARD or into the
> # special user chains, e.g. input_wan_rule or postrouting_lan_rule.
> #iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
> denied: " --log-level 7
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
>
> iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT
> --to-ports 9053
> iptables -t nat -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
> -j REDIRECT --to-ports 9040
> #iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports
> 9040
>
>
> /etc/config/firewall
>
>
> config defaults
> option syn_flood 1
> option input ACCEPT
> option output ACCEPT
> option forward ACCEPT
> # Uncomment this line to disable ipv6 rules
> option disable_ipv6 1
>
> config zone
> option name 'lan'
> option input 'ACCEPT'
> option output 'ACCEPT'
> option forward 'ACCEPT'
> option network 'lan'
>
> config zone
> option name wan
> list network 'wan'
> option input ACCEPT
> option output ACCEPT
> option forward ACCEPT
> option masq 1
> option mtu_fix 1
>
>
> config zone
> option name transtor
> option input ACCEPT
> option output ACCEPT
> option forward ACCEPT
> #option syn_flood 1
> option conntrack 1 #this setting is mandatory
>
> # Allow Transparent clients the ability to DHCP an address
> # XXX TODO: Audit this to ensure it doesn't leak UDP port 67 to the net!
> config rule
> option name 'Allow-Tor-DHCP'
> option src transtor
> option proto udp
> option dest_port 67
> option target ACCEPT
> # Tor transparent-proxy-port (set in /etc/tor/torrc)
> config rule
> option name 'Allow-Tor-Transparent'
> option src transtor
> option proto tcp
> option dest_port 9040
> option target ACCEPT
> # Tor DNS-proxy-port (set in /etc/tor/torrc)
> config rule
> option name 'Allow-Tor-DNS'
> option src transtor
> option proto udp
> option dest_port 9053
> option target ACCEPT
>
> #config rule
> # option name 'Allow-DHCP-Renew'
> # option src 'transtor'
> # option proto 'wan'
> # option dest_port '68'
> # option target 'ACCEPT'
> # option family 'ipv4'
>
> config forwarding
> option src wan
> option dst lan
>
> config include
> option path '/etc/firewall.user'
>
> netstat -pantu
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address
> State PID/Program name
> tcp 0 0 192.168.2.1:9040 0.0.0.0:*
> LISTEN 883/tor
> tcp 0 0 127.0.0.1:9040 0.0.0.0:*
> LISTEN 883/tor
> tcp 0 0 0.0.0.0:80 0.0.0.0:*
> LISTEN 911/uhttpd
> tcp 0 0 0.0.0.0:53 0.0.0.0:*
> LISTEN 1016/dnsmasq
> tcp 0 0 0.0.0.0:22 0.0.0.0:*
> LISTEN 700/dropbear
> tcp 0 0 192.168.2.1:9050 0.0.0.0:*
> LISTEN 883/tor
> tcp 0 0 192.168.2.1:9040 192.168.2.171:39140
> ESTABLISHED 883/tor
> tcp 0 0 192.168.1.104:56891 216.17.99.144:9001
> ESTABLISHED 883/tor
> tcp 0 0 192.168.2.1:9040 192.168.2.171:33555
> ESTABLISHED 883/tor
> tcp 0 0 192.168.1.104:55734 171.25.193.9:80
> TIME_WAIT -
> tcp 0 0 192.168.2.1:22 192.168.2.171:38308
> ESTABLISHED 1147/dropbear
> tcp 0 0 192.168.2.1:9040 192.168.2.171:53402
> ESTABLISHED 883/tor
> tcp 0 0 192.168.2.1:9040 192.168.2.171:39141
> ESTABLISHED 883/tor
> tcp 0 0 192.168.1.104:54953 154.35.32.5:443
> TIME_WAIT -
> tcp 0 0 192.168.1.104:51428 86.59.119.83:443
> ESTABLISHED 883/tor
> tcp 0 0 192.168.1.104:48492 37.143.86.26:443
> ESTABLISHED 883/tor
> tcp 0 0 :::80 :::*
> LISTEN 911/uhttpd
> tcp 0 0 :::53 :::*
> LISTEN 1016/dnsmasq
> tcp 0 0 :::22 :::*
> LISTEN 700/dropbear
> udp 0 0 0.0.0.0:53 0.0.0.0:*
> 1016/dnsmasq
> udp 0 0 0.0.0.0:67 0.0.0.0:*
> 1016/dnsmasq
> udp 0 0 192.168.2.1:9053 0.0.0.0:*
> 883/tor
> udp 0 0 127.0.0.1:9053 0.0.0.0:*
> 883/tor
> udp 0 0 :::546
> :::* 764/odhcp6c
> udp 0 0 :::547
> :::* 674/odhcpd
> udp 0 0 :::53
> :::* 1016/dnsmasq
>
>
> When i entered https://check.torproject.org/, it says i am using tor. But
> when i entered i http://whatismyipaddress.com/ i still see my ADSL ip not
> the one tor check says.
>
> So something is not the way i wishe. I think dns queries are still not
> going through tor.
>
> # Generated by iptables-save v1.4.21 on Fri Jan 2 22:51:39 2015
> *nat
> :PREROUTING ACCEPT [79:16807]
> :INPUT ACCEPT [121:11370]
> :OUTPUT ACCEPT [87:7496]
> :POSTROUTING ACCEPT [6:1420]
> :delegate_postrouting - [0:0]
> :delegate_prerouting - [0:0]
> :postrouting_lan_rule - [0:0]
> :postrouting_rule - [0:0]
> :postrouting_transtor_rule - [0:0]
> :postrouting_wan_rule - [0:0]
> :prerouting_lan_rule - [0:0]
> :prerouting_rule - [0:0]
> :prerouting_transtor_rule - [0:0]
> :prerouting_wan_rule - [0:0]
> :zone_lan_postrouting - [0:0]
> :zone_lan_prerouting - [0:0]
> :zone_transtor_postrouting - [0:0]
> :zone_transtor_prerouting - [0:0]
> :zone_wan_postrouting - [0:0]
> :zone_wan_prerouting - [0:0]
> -A PREROUTING -j delegate_prerouting
> -A PREROUTING -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
> -A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT
> --to-ports 9040
> -A POSTROUTING -j delegate_postrouting
> -A delegate_postrouting -m comment --comment "user chain for postrouting"
> -j postrouting_rule
> -A delegate_postrouting -o br-lan -j zone_lan_postrouting
> -A delegate_postrouting -o eth0.2 -j zone_wan_postrouting
> -A delegate_prerouting -m comment --comment "user chain for prerouting" -j
> prerouting_rule
> -A delegate_prerouting -i br-lan -j zone_lan_prerouting
> -A delegate_prerouting -i eth0.2 -j zone_wan_prerouting
> -A zone_lan_postrouting -m comment --comment "user chain for postrouting"
> -j postrouting_lan_rule
> -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j
> prerouting_lan_rule
> -A zone_transtor_postrouting -m comment --comment "user chain for
> postrouting" -j postrouting_transtor_rule
> -A zone_transtor_prerouting -m comment --comment "user chain for
> prerouting" -j prerouting_transtor_rule
> -A zone_wan_postrouting -m comment --comment "user chain for postrouting"
> -j postrouting_wan_rule
> -A zone_wan_postrouting -j MASQUERADE
> -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j
> prerouting_wan_rule
> COMMIT
> # Completed on Fri Jan 2 22:51:39 2015
> # Generated by iptables-save v1.4.21 on Fri Jan 2 22:51:39 2015
> *raw
> :PREROUTING ACCEPT [8382:5506270]
> :OUTPUT ACCEPT [6460:3708106]
> :delegate_notrack - [0:0]
> :zone_lan_notrack - [0:0]
> -A PREROUTING -j delegate_notrack
> -A delegate_notrack -i br-lan -j zone_lan_notrack
> -A zone_lan_notrack -j CT --notrack
> COMMIT
> # Completed on Fri Jan 2 22:51:39 2015
> # Generated by iptables-save v1.4.21 on Fri Jan 2 22:51:39 2015
> *mangle
> :PREROUTING ACCEPT [8382:5506270]
> :INPUT ACCEPT [8270:5488440]
> :FORWARD ACCEPT [46:5444]
> :OUTPUT ACCEPT [6460:3708106]
> :POSTROUTING ACCEPT [6508:3714206]
> :fwmark - [0:0]
> :mssfix - [0:0]
> -A PREROUTING -j fwmark
> -A FORWARD -j mssfix
> -A mssfix -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment
> --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
> COMMIT
> # Completed on Fri Jan 2 22:51:39 2015
> # Generated by iptables-save v1.4.21 on Fri Jan 2 22:51:39 2015
> *filter
> :INPUT ACCEPT [251:24620]
> :FORWARD ACCEPT [2:120]
> :OUTPUT ACCEPT [8:2086]
> :delegate_forward - [0:0]
> :delegate_input - [0:0]
> :delegate_output - [0:0]
> :forwarding_lan_rule - [0:0]
> :forwarding_rule - [0:0]
> :forwarding_transtor_rule - [0:0]
> :forwarding_wan_rule - [0:0]
> :input_lan_rule - [0:0]
> :input_rule - [0:0]
> :input_transtor_rule - [0:0]
> :input_wan_rule - [0:0]
> :output_lan_rule - [0:0]
> :output_rule - [0:0]
> :output_transtor_rule - [0:0]
> :output_wan_rule - [0:0]
> :reject - [0:0]
> :syn_flood - [0:0]
> :zone_lan_dest_ACCEPT - [0:0]
> :zone_lan_forward - [0:0]
> :zone_lan_input - [0:0]
> :zone_lan_output - [0:0]
> :zone_lan_src_ACCEPT - [0:0]
> :zone_transtor_dest_ACCEPT - [0:0]
> :zone_transtor_forward - [0:0]
> :zone_transtor_input - [0:0]
> :zone_transtor_output - [0:0]
> :zone_transtor_src_ACCEPT - [0:0]
> :zone_wan_dest_ACCEPT - [0:0]
> :zone_wan_forward - [0:0]
> :zone_wan_input - [0:0]
> :zone_wan_output - [0:0]
> :zone_wan_src_ACCEPT - [0:0]
> -A INPUT -j delegate_input
> -A FORWARD -j delegate_forward
> -A OUTPUT -j delegate_output
> -A delegate_forward -m comment --comment "user chain for forwarding" -j
> forwarding_rule
> -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_forward -i br-lan -j zone_lan_forward
> -A delegate_forward -i eth0.2 -j zone_wan_forward
> -A delegate_input -i lo -j ACCEPT
> -A delegate_input -m comment --comment "user chain for input" -j input_rule
> -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
> -A delegate_input -i br-lan -j zone_lan_input
> -A delegate_input -i eth0.2 -j zone_wan_input
> -A delegate_output -o lo -j ACCEPT
> -A delegate_output -m comment --comment "user chain for output" -j
> output_rule
> -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_output -o br-lan -j zone_lan_output
> -A delegate_output -o eth0.2 -j zone_wan_output
> -A reject -p tcp -j REJECT --reject-with tcp-reset
> -A reject -j REJECT --reject-with icmp-port-unreachable
> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit
> 25/sec --limit-burst 50 -j RETURN
> -A syn_flood -j DROP
> -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
> -A zone_lan_forward -m comment --comment "user chain for forwarding" -j
> forwarding_lan_rule
> -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment
> "Accept port forwards" -j ACCEPT
> -A zone_lan_forward -j zone_lan_dest_ACCEPT
> -A zone_lan_input -m comment --comment "user chain for input" -j
> input_lan_rule
> -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept
> port redirections" -j ACCEPT
> -A zone_lan_input -j zone_lan_src_ACCEPT
> -A zone_lan_output -m comment --comment "user chain for output" -j
> output_lan_rule
> -A zone_lan_output -j zone_lan_dest_ACCEPT
> -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
> -A zone_transtor_forward -m comment --comment "user chain for forwarding"
> -j forwarding_transtor_rule
> -A zone_transtor_forward -m conntrack --ctstate DNAT -m comment --comment
> "Accept port forwards" -j ACCEPT
> -A zone_transtor_forward -j zone_transtor_dest_ACCEPT
> -A zone_transtor_input -m comment --comment "user chain for input" -j
> input_transtor_rule
> -A zone_transtor_input -p udp -m udp --dport 67 -m comment --comment
> Allow-Tor-DHCP -j ACCEPT
> -A zone_transtor_input -p tcp -m tcp --dport 9040 -m comment --comment
> Allow-Tor-Transparent -j ACCEPT
> -A zone_transtor_input -p udp -m udp --dport 9053 -m comment --comment
> Allow-Tor-DNS -j ACCEPT
> -A zone_transtor_input -m conntrack --ctstate DNAT -m comment --comment
> "Accept port redirections" -j ACCEPT
> -A zone_transtor_input -j zone_transtor_src_ACCEPT
> -A zone_transtor_output -m comment --comment "user chain for output" -j
> output_transtor_rule
> -A zone_transtor_output -j zone_transtor_dest_ACCEPT
> -A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
> -A zone_wan_forward -m comment --comment "user chain for forwarding" -j
> forwarding_wan_rule
> -A zone_wan_forward -m comment --comment "forwarding wan -> *" -j ACCEPT
> -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment
> "Accept port forwards" -j ACCEPT
> -A zone_wan_forward -j zone_wan_dest_ACCEPT
> -A zone_wan_input -m comment --comment "user chain for input" -j
> input_wan_rule
> -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept
> port redirections" -j ACCEPT
> -A zone_wan_input -j zone_wan_src_ACCEPT
> -A zone_wan_output -m comment --comment "user chain for output" -j
> output_wan_rule
> -A zone_wan_output -j zone_wan_dest_ACCEPT
> -A zone_wan_src_ACCEPT -i eth0.2 -j ACCEPT
> COMMIT
> # Completed on Fri Jan 2 22:51:39 2015
>
>
> Any idea what should i reject at the firewall rules?
>
>
> On Tue, Dec 30, 2014 at 8:36 AM, Michal Zuber <michael at riseup.net> wrote:
>
>> Did you try diasbling the firewall and trying without it?
>>
>>
>> On 12/29/14 7:45 PM, Oğuz Yarımtepe wrote:
>>
>>> Hi,
>>>
>>> On Mon, Dec 29, 2014 at 9:00 AM, Michal Zuber <michael at riseup.net> wrote:
>>>
>>> Hi,
>>>> 1. what about the logs?
>>>>
>>>>
>>> 2. I have the following in my iptables.rules to be notified what was
>>>> blocked
>>>> -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
>>>> --log-level 7
>>>>
>>>>
>>>> I added this to firewall.user and saw that UDP messages are somehow
>>> blocked.
>>>
>>> [ 2539.100000] iptables denied: IN=wlan0 OUT=
>>> MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
>>> DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP
>>> SPT=48397 DPT=9053 LEN=46
>>> [ 2550.550000] iptables denied: IN=wlan0 OUT=
>>> MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
>>> DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40926 DF PROTO=UDP
>>> SPT=47905 DPT=9053 LEN=50
>>> [ 2563.880000] iptables denied: IN=wlan0 OUT=
>>> MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
>>> DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=43508 DF PROTO=UDP
>>> SPT=37506 DPT=9053 LEN=44
>>> [ 2574.950000] iptables denied: IN=wlan0 OUT=
>>> MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148
>>> DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP
>>> SPT=28425 DPT=9053 LEN=50
>>> [ 2586.200000] iptables denied: IN=wlan0 OUT=
>>> MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
>>> DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=46793 DF PROTO=UDP
>>> SPT=37394 DPT=9053 LEN=46
>>> [ 2598.680000] iptables denied: IN=wlan0 OUT=
>>> MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
>>> DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48473 DF PROTO=UDP
>>> SPT=57058 DPT=9053 LEN=44
>>> [ 2611.290000] iptables denied: IN=wlan0 OUT=
>>> MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148
>>> DST=192.168.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=58998 DF PROTO=UDP
>>> SPT=58128 DPT=9053 LEN=48
>>>
>>>
>>>
>>>
>>>
>>>
>>> 3. `netstat -nat |grep :53` or `lsof -i :53` shows listening on port 53
>>>> ? (
>>>> https://www.debian-administration.org/article/184/How_to_find_out_which_
>>>> process_is_listening_upon_a_port)
>>>> 4. Did you try host (dig, nslookup) on the router?
>>>> 5. Doest `dig @ROUTER_IP google.com` work?
>>>> 6. You could also try watch into the DNS traffic with ` tcpdump -vvv -s 0
>>>> -l -n port 53` (http://jontai.me/blog/2011/11/monitoring-dns-queries-
>>>> with-tcpdump/)
>>>>
>>>
>>> route -n was strange
>>>
>>> # route -n
>>> Kernel IP routing table
>>> Destination Gateway Genmask Flags Metric Ref Use
>>> Iface
>>> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0
>>> br-lan
>>> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0
>>> wlan0
>>>
>>> netstat -pantu says the ports are right
>>>
>>> netstat -pantu
>>> Active Internet connections (servers and established)
>>> Proto Recv-Q Send-Q Local Address Foreign Address
>>> State PID/Program name
>>> tcp 0 0 192.168.2.1:9040 0.0.0.0:*
>>> LISTEN 734/tor
>>> tcp 0 0 0.0.0.0:80 0.0.0.0:*
>>> LISTEN 756/uhttpd
>>> tcp 0 0 0.0.0.0:53 0.0.0.0:*
>>> LISTEN 1059/dnsmasq
>>> tcp 0 0 0.0.0.0:22 0.0.0.0:*
>>> LISTEN 699/dropbear
>>> tcp 0 0 0.0.0.0:443 0.0.0.0:*
>>> LISTEN 734/tor
>>> tcp 0 248 192.168.2.1:22 192.168.2.171:44694
>>> ESTABLISHED 1062/dropbear
>>> tcp 0 0 :::80 :::*
>>> LISTEN 756/uhttpd
>>> tcp 0 0 :::53 :::*
>>> LISTEN 1059/dnsmasq
>>> tcp 0 0 :::22 :::*
>>> LISTEN 699/dropbear
>>> udp 0 0 0.0.0.0:53 0.0.0.0:*
>>> 1059/dnsmasq
>>> udp 0 0 0.0.0.0:67 0.0.0.0:*
>>> 1059/dnsmasq
>>> udp 0 0 192.168.2.1:9053 0.0.0.0:*
>>> 734/tor
>>> udp 0 0 :::546
>>> :::* 812/odhcp6c
>>> udp 0 0 :::547
>>> :::* 669/odhcpd
>>> udp 0 0 :::53
>>> :::* 1059/dnsmasq
>>> ~
>>>
>>> here is iptables -L
>>>
>>> Chain INPUT (policy ACCEPT)
>>> target prot opt source destination
>>> delegate_input all -- anywhere anywhere
>>> LOG all -- anywhere anywhere limit: avg
>>> 5/min burst 5 LOG level debug prefix "iptables denied: "
>>>
>>> Chain FORWARD (policy DROP)
>>> target prot opt source destination
>>> delegate_forward all -- anywhere anywhere
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target prot opt source destination
>>> delegate_output all -- anywhere anywhere
>>>
>>> Chain delegate_forward (1 references)
>>> target prot opt source destination
>>> forwarding_rule all -- anywhere anywhere /*
>>> user
>>> chain for forwarding */
>>> ACCEPT all -- anywhere anywhere ctstate
>>> RELATED,ESTABLISHED
>>> zone_lan_forward all -- anywhere anywhere
>>> zone_wan_forward all -- anywhere anywhere
>>> reject all -- anywhere anywhere
>>>
>>> Chain delegate_input (1 references)
>>> target prot opt source destination
>>> ACCEPT all -- anywhere anywhere
>>> input_rule all -- anywhere anywhere /* user
>>> chain for input */
>>> ACCEPT all -- anywhere anywhere ctstate
>>> RELATED,ESTABLISHED
>>> syn_flood tcp -- anywhere anywhere tcp
>>> flags:FIN,SYN,RST,ACK/SYN
>>> zone_lan_input all -- anywhere anywhere
>>> zone_wan_input all -- anywhere anywhere
>>>
>>> Chain delegate_output (1 references)
>>> target prot opt source destination
>>> ACCEPT all -- anywhere anywhere
>>> output_rule all -- anywhere anywhere /* user
>>> chain for output */
>>> ACCEPT all -- anywhere anywhere ctstate
>>> RELATED,ESTABLISHED
>>> zone_lan_output all -- anywhere anywhere
>>> zone_wan_output all -- anywhere anywhere
>>>
>>> Chain forwarding_lan_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain forwarding_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain forwarding_transtor_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain forwarding_wan_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain input_lan_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain input_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain input_transtor_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain input_wan_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain output_lan_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain output_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain output_transtor_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain output_wan_rule (1 references)
>>> target prot opt source destination
>>>
>>> Chain reject (3 references)
>>> target prot opt source destination
>>> REJECT tcp -- anywhere anywhere reject-with
>>> tcp-reset
>>> REJECT all -- anywhere anywhere reject-with
>>> icmp-port-unreachable
>>>
>>> Chain syn_flood (1 references)
>>> target prot opt source destination
>>> RETURN tcp -- anywhere anywhere tcp
>>> flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
>>> DROP all -- anywhere anywhere
>>>
>>> Chain zone_lan_dest_ACCEPT (2 references)
>>> target prot opt source destination
>>> ACCEPT all -- anywhere anywhere
>>>
>>> Chain zone_lan_forward (1 references)
>>> target prot opt source destination
>>> forwarding_lan_rule all -- anywhere anywhere /*
>>> user chain for forwarding */
>>> ACCEPT all -- anywhere anywhere ctstate DNAT
>>> /* Accept port forwards */
>>> zone_lan_dest_ACCEPT all -- anywhere anywhere
>>>
>>> Chain zone_lan_input (1 references)
>>> target prot opt source destination
>>> input_lan_rule all -- anywhere anywhere /* user
>>> chain for input */
>>> ACCEPT all -- anywhere anywhere ctstate DNAT
>>> /* Accept port redirections */
>>> zone_lan_src_ACCEPT all -- anywhere anywhere
>>>
>>> Chain zone_lan_output (1 references)
>>> target prot opt source destination
>>> output_lan_rule all -- anywhere anywhere /*
>>> user
>>> chain for output */
>>> zone_lan_dest_ACCEPT all -- anywhere anywhere
>>>
>>> Chain zone_lan_src_ACCEPT (1 references)
>>> target prot opt source destination
>>> ACCEPT all -- anywhere anywhere
>>>
>>> Chain zone_transtor_dest_ACCEPT (1 references)
>>> target prot opt source destination
>>>
>>> Chain zone_transtor_dest_REJECT (1 references)
>>> target prot opt source destination
>>>
>>> Chain zone_transtor_forward (0 references)
>>> target prot opt source destination
>>> forwarding_transtor_rule all -- anywhere
>>> anywhere /* user chain for forwarding */
>>> ACCEPT all -- anywhere anywhere ctstate DNAT
>>> /* Accept port forwards */
>>> zone_transtor_dest_REJECT all -- anywhere
>>> anywhere
>>>
>>> Chain zone_transtor_input (0 references)
>>> target prot opt source destination
>>> input_transtor_rule all -- anywhere anywhere /*
>>> user chain for input */
>>> ACCEPT udp -- anywhere anywhere udp
>>> dpt:bootps /* Allow-Tor-DHCP */
>>> ACCEPT tcp -- anywhere anywhere tcp dpt:9040
>>> /* Allow-Tor-Transparent */
>>> ACCEPT udp -- anywhere anywhere udp dpt:9053
>>> /* Allow-Tor-DNS */
>>> ACCEPT all -- anywhere anywhere ctstate DNAT
>>> /* Accept port redirections */
>>> zone_transtor_src_REJECT all -- anywhere anywhere
>>>
>>> Chain zone_transtor_output (0 references)
>>> target prot opt source destination
>>> output_transtor_rule all -- anywhere anywhere
>>> /*
>>> user chain for output */
>>> zone_transtor_dest_ACCEPT all -- anywhere
>>> anywhere
>>>
>>> Chain zone_transtor_src_REJECT (1 references)
>>> target prot opt source destination
>>>
>>> Chain zone_wan_dest_ACCEPT (1 references)
>>> target prot opt source destination
>>> ACCEPT all -- anywhere anywhere
>>>
>>> Chain zone_wan_dest_REJECT (1 references)
>>> target prot opt source destination
>>> reject all -- anywhere anywhere
>>>
>>> Chain zone_wan_forward (1 references)
>>> target prot opt source destination
>>> forwarding_wan_rule all -- anywhere anywhere /*
>>> user chain for forwarding */
>>> ACCEPT all -- anywhere anywhere ctstate DNAT
>>> /* Accept port forwards */
>>> zone_wan_dest_REJECT all -- anywhere anywhere
>>>
>>> Chain zone_wan_input (1 references)
>>> target prot opt source destination
>>> input_wan_rule all -- anywhere anywhere /* user
>>> chain for input */
>>> ACCEPT udp -- anywhere anywhere udp
>>> dpt:bootpc /* Allow-DHCP-Renew */
>>> ACCEPT icmp -- anywhere anywhere icmp
>>> echo-request /* Allow-Ping */
>>> ACCEPT tcp -- anywhere anywhere tcp
>>> dpt:https
>>> /* @rule[5] */
>>> ACCEPT all -- anywhere anywhere ctstate DNAT
>>> /* Accept port redirections */
>>> zone_wan_src_REJECT all -- anywhere anywhere
>>>
>>> Chain zone_wan_output (1 references)
>>> target prot opt source destination
>>> output_wan_rule all -- anywhere anywhere /*
>>> user
>>> chain for output */
>>> zone_wan_dest_ACCEPT all -- anywhere anywhere
>>>
>>> Chain zone_wan_src_REJECT (1 references)
>>> target prot opt source destination
>>> reject all -- anywhere anywhere
>>>
>>>
>>> I started to lost my Internet connection for other adsl users. When they
>>> connected to normal adsl ssid while the tor router is plugged, they
>>> started
>>> to lost connection.
>>>
>>> Seems there is a firewall or network problem.
>>>
>>> Anyone can figure it out?
>>>
>> --
>> tor-talk mailing list - tor-talk at lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
>
>
More information about the tor-talk
mailing list