Commit
allow connection attempts from trusted Tor authorities/Snowflake servers to every port
toralf committed May 11, 2024
1 parent cbffe75 commit a6050d8
Showing 3 changed files with 13 additions and 7 deletions.
10 changes: 5 additions & 5 deletions README.md
@@ -79,19 +79,19 @@ and GitHub [PR](https://github.com/toralf/torutils/pulls).

- never touch established connections
- try to not overblock
- for IPv4 work on single ips, but for IPv6 on /80 CIDR block

#### Details

Generic filter rules for the local network, ICMP, ssh and additional services are created.
Then the following rules are applied:

1. trust connection attempt to the ORPort from trusted Tor authorities/Snowflake servers
2. block the source for 24 hours if the connection attempt rate to the ORPort exceeds > 9/min¹ within last 2 minutes
3. ignore the connection attempt if there are already 9 established connections from that source¹ to the ORPort
1. trust connection attempt to any port from trusted Tor authorities/Snowflake servers
2. block the source² for 24 hours if the connection attempt rate to the ORPort exceeds > 9/min¹ within last 2 minutes
3. ignore the connection attempt if there are already 9 established connections to the ORPort
4. accept the connection attempt to the ORPort

¹ the 9 is derived from calculations given in ticket [40636](https://gitlab.torproject.org/tpo/core/tor/-/issues/40636#note_2844146)
¹ the value is derived from calculations given in ticket [40636](https://gitlab.torproject.org/tpo/core/tor/-/issues/40636#note_2844146)
² for IPv4 "source" is a regular ip, but for IPv6 the corresponding /80 CIDR block

### Installation

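Review bot: the rewritten rule 3 drops "from that source": the old wording limited the count to established connections from the one source, while the new wording reads as a global cap of 9 established connections to the ORPort, which is a different policy. If the underlying connlimit check is still per source, as the removed line said, restore it, e.g. `3. ignore the connection attempt if there are already 9 established connections from that source² to the ORPort`, which also gives footnote ² a second user. Rule 1 slightly overstates what the scripts do: the new trust rule in ipv4-rules.sh and ipv6-rules.sh matches `-p tcp --dst $orip --syn`, i.e. TCP SYNs to any port of the ORPort address, not every port of every protocol, so "any TCP port on the ORPort IP" would be accurate. Minor: "exceeds > 9/min" in rule 2 says the same thing twice; "exceeds 9/min" reads better.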
5 changes: 4 additions & 1 deletion ipv4-rules.sh
@@ -46,7 +46,10 @@ function addTor() {
__fill_ddoslist &

# rule 1
$common -m set --match-set $trustlist src -j ACCEPT
local trust_rule="INPUT -p tcp --dst $orip --syn -m set --match-set $trustlist src -j ACCEPT"
if ! $ipt -C $trust_rule 2>/dev/null; then
$ipt -A $trust_rule
fi

# rule 2
$common $hashlimit --hashlimit-name tor-ddos-$orport --hashlimit-above 9/minute --hashlimit-burst 1 --hashlimit-htable-expire $((2 * 60 * 1000)) -j SET --add-set $ddoslist src --exist
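Review bot: the `-C`/`-A` pair needs a one-line comment saying why rule 1 is no longer built with `$common` like rules 2 to 4: the rule no longer carries `--dport $orport`, so a second addTor call for another ORPort on the same `$orip` would append an identical rule, and the `-C` guard is evidently there to prevent that; a reader of the script alone cannot tell. Two smaller points: `2>/dev/null` also hides `-C` failures that are not "rule absent" (unknown set name, typo in a match), in which case the following `-A` fails with the same message anyway, so the redirect buys little and could be dropped so the first error is logged; and `$trust_rule` relies on word splitting of an unquoted string, which works for these arguments but is fragile should any variable ever contain whitespace, a bash array (`local -a trust_rule=(INPUT -p tcp --dst "$orip" --syn -m set --match-set "$trustlist" src -j ACCEPT)` expanded as `"${trust_rule[@]}"`) avoids that. Note also that with `-p tcp --syn` the rule admits only TCP SYNs, so "every port" in the commit title means every TCP port on `$orip`; the comment and README should say so.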
5 changes: 4 additions & 1 deletion ipv6-rules.sh
@@ -54,7 +54,10 @@ function addTor() {
__fill_ddoslist &

# rule 1
$common -m set --match-set $trustlist src -j ACCEPT
local trust_rule="INPUT -p tcp --dst $orip --syn -m set --match-set $trustlist src -j ACCEPT"
if ! $ipt -C $trust_rule 2>/dev/null; then
$ipt -A $trust_rule
fi

# rule 2
$common $hashlimit --hashlimit-name tor-ddos-$orport --hashlimit-above 9/minute --hashlimit-burst 1 --hashlimit-htable-expire $((2 * 60 * 1000)) -j SET --add-set $ddoslist src --exist
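Review bot: these are the same four lines as in ipv4-rules.sh, with the same open points (a comment explaining why `-C` is needed now that the rule no longer depends on `$orport`, the unquoted `$trust_rule` expansion, and `2>/dev/null` masking `-C` errors other than "rule absent"); whatever is decided there should be mirrored here, or better, the rule-1 block moved into a shared helper that takes `$ipt`, `$orip` and `$trustlist` as parameters so the two scripts cannot drift apart, as they now differ from each other only in the `$ipt` binary and the `@@` offset.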