[tor-relays] wrong iptables rules? / no inbound traffic in nyx

Hi!

I noticed that after I set up my ip(+6)tables to filter unwanted incoming traffic, all “inbound” and “directory” connections in nyx disappeared; only a lot of “outbound” connections are there.

I am running an exit relay (IPv4+IPv6) on ORPort 443 and DIRPort 80.

Is there someone willing to check my iptables rules? I am starting to lose it…


**My iptables:**

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
-A OUTPUT -o lo -j ACCEPT # allow all outgoing connections
-A OUTPUT -o eth0 -j ACCEPT

My ip6tables:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N ICMPv6_IN
-N ICMPv6_OUT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
-A INPUT -p ipv6-icmp -j ICMPv6_IN # pass all icmpv6 related traffic to new chain
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ICMPv6_OUT # pass all icmpv6 related traffic to new chain
-A OUTPUT -o eth0 -j ACCEPT # allow all outgoing connections
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A ICMPv6_IN -j DROP
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A ICMPv6_OUT -j DROP

Thank you all for any replies!

Have a nice day.

Bye

> Hi!
>
> I noticed that after I set up my ip(+6)tables to filter unwanted
> incoming traffic, all "inbound" and "directory" connections in nyx
> disappeared; only a lot of "outbound" connections are there.
>
> I am running an exit relay (IPv4+IPv6) on ORPort 443 and DIRPort 80.
>
> Is there someone willing to check my iptables rules? I am starting to lose
> it...
> My iptables:
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT DROP
??
Why block outgoing traffic?

> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
> -A OUTPUT -o lo -j ACCEPT # allow all outgoing connections

??

> -A OUTPUT -o eth0 -j ACCEPT

??

> My ip6tables:
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT DROP

??
Again, why block outgoing traffic?
Don't you trust yourself or your own server :wink:

> -N ICMPv6_IN
> -N ICMPv6_OUT

??

> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT # SSH running there
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # allow incoming comm to ORPort
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # allow incoming comm to DIRPort
> -A INPUT -p ipv6-icmp -j ICMPv6_IN # pass all icmpv6 related traffic to new chain
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow all already established incoming connections
> -A OUTPUT -o lo -j ACCEPT

??

> -A OUTPUT -p ipv6-icmp -j ICMPv6_OUT # pass all icmpv6 related traffic to new chain

??

> -A OUTPUT -o eth0 -j ACCEPT # allow all outgoing connections

??

> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
> -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
> -A ICMPv6_IN -j DROP
> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT

??

> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT

??

> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT

??

> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT

??

> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT

??

> -A ICMPv6_OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT

??

> -A ICMPv6_OUT -j DROP

??

I just skimmed the rest of the rules. Very confusing in emails. Please use
pastebin. All outbound rules are unnecessary and undesirable on Tor relays!

My working example rules:

···

On Tuesday, January 25, 2022 10:54:00 PM CET ax8eaz7z3g via tor-relays wrote:

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

Oh, I forgot something

> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT

https://www.ietf.org/rfc/rfc4890.txt
4.3.3.
Traffic That Will Be Dropped Anyway -- No Special Attention Needed

Allow these ICMPv6 types only if the hop limit field is 255.
(I can never remember the numbers, so I always use ICMPv6 type names)
e.g.:
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT

> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
> > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT

Best not to filter ICMPv6 at all. Or just rate-limit echo-request, maybe also
echo-reply.

···

On Thursday, January 27, 2022 12:13:32 AM CET lists@for-privacy.net wrote:

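A small rule checker, added here as an example and not code from the thread or from either poster, that applies Marco's two points to the original poster's rules: it flags an OUTPUT DROP policy, flags inbound NDP types (133 to 136) accepted without `-m hl --hl-eq 255`, and rewrites those rules into the named-type form Marco uses. The embedded rule sample is a constructed subset of the poster's ip6tables; the `-m limit` values for echo-request are an assumption, not something the thread specifies.

```python
import re

# ICMPv6 type numbers used in the thread, mapped to the names ip6tables accepts
ICMPV6_NAMES = {1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
                4: "parameter-problem", 128: "echo-request", 129: "echo-reply",
                133: "router-solicitation", 134: "router-advertisement",
                135: "neighbor-solicitation", 136: "neighbor-advertisement"}
NDP_TYPES = {133, 134, 135, 136}         # link-local only; RFC 4890 4.3.3: hop limit must be 255
INBOUND_CHAINS = {"INPUT", "ICMPv6_IN"}  # the poster's chains that see packets from the network

# Constructed sample: a subset of the poster's ip6tables rules, in iptables-save syntax
SAMPLE_RULES = """
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -p ipv6-icmp -j ICMPv6_IN #pass all icmpv6 related traffic to new chain
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
"""

def harden(rule: str) -> str:
    """Rewrite one inbound ICMPv6 accept rule like Marco's examples: symbolic type name,
    hop-limit 255 for NDP types, a rate limit for echo-request (limit values are assumed)."""
    typ = int(re.search(r"--icmpv6-type (\d+)", rule).group(1))
    rule = re.sub(r"--icmpv6-type \d+", f"--icmpv6-type {ICMPV6_NAMES[typ]}", rule)
    if typ in NDP_TYPES:
        return rule.replace("-j ACCEPT", "-m hl --hl-eq 255 -j ACCEPT")
    if typ == 128:
        return rule.replace("-j ACCEPT", "-m limit --limit 10/s --limit-burst 20 -j ACCEPT")
    return rule

def lint(rules: str) -> list:
    """Return (finding, suggested rule) pairs for an iptables-save style rule list."""
    findings = []
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments like the poster's
        if line == "-P OUTPUT DROP":        # Marco's first point: never block a relay's outbound
            findings.append(("OUTPUT policy DROP on a relay", "-P OUTPUT ACCEPT"))
            continue
        chain = re.match(r"-A (\S+)", line)
        typ = re.search(r"--icmpv6-type (\d+)", line)
        if not (chain and typ and line.endswith("-j ACCEPT")) or chain.group(1) not in INBOUND_CHAINS:
            continue
        t = int(typ.group(1))
        if t in NDP_TYPES and "--hl-eq 255" not in line:
            findings.append((f"type {t} ({ICMPV6_NAMES[t]}) accepted without hop-limit 255 check", harden(line)))
        elif t == 128 and "-m limit" not in line:
            findings.append((f"type {t} (echo-request) accepted without rate limit", harden(line)))
    return findings
```

Calling `lint(SAMPLE_RULES)` on the embedded sample reports the OUTPUT policy plus the type 128, 134 and 135 rules, each paired with its rewritten form; rules in the poster's ICMPv6_OUT chain are left alone, since the hop-limit check only matters for packets arriving from the network.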