Inbound Tor traffic conflicts with GeoIP block as inbound connections have to be accepted from many parts of the world. To solve this, inbound Tor traffic has to be accepted before jumping into GeoIP block chain.
Note this affects Tor relay operators only.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 src/initscripts/system/firewall | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index b3483a744..e4b29da28 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -269,6 +269,10 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi
+ # Tor (inbound) + iptables -N TOR_INPUT + iptables -A INPUT -j TOR_INPUT + # GeoIP block iptables -N GEOIPBLOCK iptables -A INPUT -j GEOIPBLOCK @@ -302,9 +306,7 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT
- # Tor (inbound and outbound) - iptables -N TOR_INPUT - iptables -A INPUT -j TOR_INPUT + # Tor (outbound) iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT
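Review bot: In the first hunk, inserting `iptables -A INPUT -j TOR_INPUT` ahead of `iptables -A INPUT -j GEOIPBLOCK` means any packet that is ACCEPTed inside TOR_INPUT never reaches the GeoIP block chain; that is the stated intent, but it silently reverses the documented rule that the GeoIP filter is evaluated first, so the `# Tor (inbound)` comment should say the ordering is deliberate and the documentation should be updated in the same change. The rules that populate TOR_INPUT are not part of this diff, so please confirm they accept only the relay's own listening ports, keeping the GeoIP bypass scoped to Tor traffic rather than to everything that happens to traverse the chain.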
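Review bot: The second hunk removes the TOR_INPUT creation and narrows the comment to `# Tor (outbound)`, which is consistent with the diffstat (5 insertions, 3 deletions), but readers who previously found both Tor chains grouped here will now see only TOR_OUTPUT; a one-line comment noting that TOR_INPUT is created earlier, before the GeoIP block, would save them a search through iptables_init().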
Hi,
I am not sure if I agree.
Not because this does not make sense technologically but in the documentation we have always said that the GeoIP filter comes first and drops all traffic that isn’t permitted here.
Can we make sure that we update this accordingly?
-Michael
On 4 Jul 2019, at 18:43, Peter Müller peter.mueller@ipfire.org wrote: