From a6050d86ed1c97e7a45e49026acc1c54cf3cbcc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toralf=20F=C3=B6rster?=
Date: Sat, 11 May 2024 20:42:49 +0200
Subject: [PATCH] allow connection attemps from trusted Tor authorities/Snowflake servers to every port
---
 README.md | 10 +++++-----
 ipv4-rules.sh | 5 ++++-
 ipv6-rules.sh | 5 ++++-
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 6f7386f..5a26c3b 100644
--- a/README.md
+++ b/README.md
@@ -79,19 +79,19 @@ and GitHub [PR](https://github.com/toralf/torutils/pulls).
 - never touch established connections
 - try to not overblock
-- for IPv4 work on single ips, but for IPv6 on /80 CIDR block
 #### Details
 Generic filter rules for the local network, ICMP, ssh and additional services are created. Then the following rules are applied:
-1. trust connection attempt to the ORPort from trusted Tor authorities/Snowflake servers
-2. block the source for 24 hours if the connection attempt rate to the ORPort exceeds > 9/min¹ within last 2 minutes
-3. ignore the connection attempt if there are already 9 established connections from that source¹ to the ORPort
+1. trust connection attempt to any port from trusted Tor authorities/Snowflake servers
+2. block the source² for 24 hours if the connection attempt rate to the ORPort exceeds > 9/min¹ within last 2 minutes
+3. ignore the connection attempt if there are already 9 established connections to the ORPort
 4. accept the connection attempt to the ORPort
-¹ the 9 is derived from calculations given in ticket [40636](https://gitlab.torproject.org/tpo/core/tor/-/issues/40636#note_2844146)
+¹ the value is derived from calculations given in ticket [40636](https://gitlab.torproject.org/tpo/core/tor/-/issues/40636#note_2844146)
+² for IPv4 "source" is a regular ip, but for IPv6 the corresponding /80 CIDR block
 ### Installation
diff --git a/ipv4-rules.sh b/ipv4-rules.sh
index f476837..8a3fa49 100755
--- a/ipv4-rules.sh
+++ b/ipv4-rules.sh
@@ -46,7 +46,10 @@ function addTor() {
 __fill_ddoslist &
 # rule 1
- $common -m set --match-set $trustlist src -j ACCEPT
+ local trust_rule="INPUT -p tcp --dst $orip --syn -m set --match-set $trustlist src -j ACCEPT"
+ if ! $ipt -C $trust_rule 2>/dev/null; then
+ $ipt -A $trust_rule
+ fi
 # rule 2
 $common $hashlimit --hashlimit-name tor-ddos-$orport --hashlimit-above 9/minute --hashlimit-burst 1 --hashlimit-htable-expire $((2 * 60 * 1000)) -j SET --add-set $ddoslist src --exist
diff --git a/ipv6-rules.sh b/ipv6-rules.sh
index 8ba0371..36862d6 100755
--- a/ipv6-rules.sh
+++ b/ipv6-rules.sh
@@ -54,7 +54,10 @@ function addTor() {
 __fill_ddoslist &
 # rule 1
- $common -m set --match-set $trustlist src -j ACCEPT
+ local trust_rule="INPUT -p tcp --dst $orip --syn -m set --match-set $trustlist src -j ACCEPT"
+ if ! $ipt -C $trust_rule 2>/dev/null; then
+ $ipt -A $trust_rule
+ fi
 # rule 2
 $common $hashlimit --hashlimit-name tor-ddos-$orport --hashlimit-above 9/minute --hashlimit-burst 1 --hashlimit-htable-expire $((2 * 60 * 1000)) -j SET --add-set $ddoslist src --exist
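Review bot: The `-C`/`-A` guard around the new rule 1 in ipv4-rules.sh carries no comment explaining why it is needed, and the line `+ if ! $ipt -C $trust_rule 2>/dev/null; then` is where it belongs: the commit makes the rule port-independent, so if addTor() runs once per ORPort (as the `tor-ddos-$orport` hashlimit name suggests) the rule would otherwise be appended once per call, e.g. `# rule 1 has no --dport and is shared by all ORPorts on $orip; -C keeps it from being appended twice`. The `2>/dev/null` on the check also hides failures that are not "rule absent" (for instance the `$trustlist` set not existing), leaving the subsequent `$ipt -A $trust_rule` failing as the only signal; unless the script runs under `set -e` (not visible here) that failure passes silently, so `$ipt -A $trust_rule || return 1` would be safer. Because trusted sources now bypass every INPUT rule appended after this one for `$orip`, the provenance of whatever populates `$trustlist` (not in this hunk) is the rule's whole safety margin and is worth stating in the same comment. The ipv6-rules.sh hunk makes the identical change and the same remarks apply; addTor() begins and ends outside both hunks.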