[02/11] firewall: Accept inbound Tor traffic before applying the location filter

Message ID 4347b799-f863-9870-50d2-683b8c078670@ipfire.org
State Accepted
Commit 4d25c1f39af51795e61855166a3aa24b6af97a17
Series firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection

Commit Message

Peter Müller Dec. 18, 2021, 1:47 p.m. UTC
Inbound Tor traffic conflicts with Location block as inbound connections
have to be accepted from many parts of the world. To solve this,
inbound Tor traffic has to be accepted before jumping into the Location block
chain.

Note this affects Tor relay operators only.

Rolled forward as ongoing from
https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org/,
note the documentation in the wiki needs to be updated once this has landed
in production.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 src/initscripts/system/firewall | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
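The whole point of this patch is the position of one jump relative to another in the INPUT chain, which is easy to get wrong again later. The following is an added example, not IPFire code: a small POSIX sh check, written for this page, that reads the INPUT chain in `iptables -S INPUT` format and reports whether the jump to TOR_INPUT is evaluated before the jump to LOCATIONBLOCK. The function name `tor_before_location` and the two sample chains are constructed for illustration; a real INPUT chain carries many more rules, but the check only looks at the two jumps.

```shell
#!/bin/sh
# Added example (not IPFire code): check the INPUT chain order this patch
# relies on. Reads rules in `iptables -S INPUT` format from stdin and
# reports where the jumps to TOR_INPUT and LOCATIONBLOCK sit.
# Exit status: 0 = TOR_INPUT is evaluated first (patched order),
#              1 = LOCATIONBLOCK is evaluated first (old order),
#              2 = one of the two jumps is missing from INPUT.
tor_before_location() {
    awk '
        # Count only rules appended to INPUT; policy lines (-P) are skipped.
        $1 == "-A" && $2 == "INPUT" { n++ }
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" && $4 == "TOR_INPUT"     { tor = n }
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" && $4 == "LOCATIONBLOCK" { loc = n }
        END {
            if (!tor || !loc) {
                printf "missing jump (TOR_INPUT=%d, LOCATIONBLOCK=%d)\n", tor, loc
                exit 2
            }
            printf "TOR_INPUT at rule %d, LOCATIONBLOCK at rule %d\n", tor, loc
            if (tor < loc) exit 0
            exit 1
        }'
}

# Constructed samples (hypothetical, not captured from a real IPFire system):
# a reduced INPUT chain as `iptables -S INPUT` prints it, before and after
# the patch. On a live system you would instead run:
#     iptables -S INPUT | tor_before_location
INPUT_BEFORE='-P INPUT DROP
-A INPUT -j LOCATIONBLOCK
-A INPUT -j OVPNINPUT
-A INPUT -j TOR_INPUT'

INPUT_AFTER='-P INPUT DROP
-A INPUT -j TOR_INPUT
-A INPUT -j LOCATIONBLOCK
-A INPUT -j OVPNINPUT'

# Convenience wrappers so the two samples can be checked by name.
check_before() { printf '%s\n' "$INPUT_BEFORE" | tor_before_location; }
check_after()  { printf '%s\n' "$INPUT_AFTER"  | tor_before_location; }

# Demo run: report which order each sample has.
for name in before after; do
    printf '%s: ' "$name"
    if "check_$name"; then
        echo "  -> Tor relay traffic is accepted before the location filter"
    else
        echo "  -> location filter runs first; inbound relay traffic from blocked locations never reaches TOR_INPUT"
    fi
done
```

The exit codes are deliberate: `iptables -S INPUT | tor_before_location` can sit in a post-update check on a relay so that a future reordering of `iptables_init()` (the very thing this patch corrects) is noticed before operators see dropped connections rather than after.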
  

Comments

Michael Tremer Jan. 7, 2022, 4:58 p.m. UTC | #1
Hello,

Can we make sure this is well documented somewhere?

Generally we said that the location filter comes first and this will change that behaviour.

Best,
-Michael

> On 18 Dec 2021, at 13:47, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Inbound Tor traffic conflicts with Location block as inbound connections
> have to be accepted from many parts of the world. To solve this,
> inbound Tor traffic has to be accepted before jumping into Location block
> chain.
> 
> Note this affects Tor relay operators only.
> 
> Rolled forward as ongoing from
> https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org/,
> note the documentation in the wiki needs to be updated once this landed
> in production.
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> src/initscripts/system/firewall | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 49c6b7bf9..cc5baa292 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -227,6 +227,10 @@ iptables_init() {
> 		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
> 	fi
> 
> +	# Tor (inbound)
> +	iptables -N TOR_INPUT
> +	iptables -A INPUT -j TOR_INPUT
> +
> 	# Location Block
> 	iptables -N LOCATIONBLOCK
> 	iptables -A INPUT -j LOCATIONBLOCK
> @@ -260,9 +264,7 @@ iptables_init() {
> 	iptables -N OVPNINPUT
> 	iptables -A INPUT -j OVPNINPUT
> 
> -	# Tor (inbound and outbound)
> -	iptables -N TOR_INPUT
> -	iptables -A INPUT -j TOR_INPUT
> +	# Tor (outbound)
> 	iptables -N TOR_OUTPUT
> 	iptables -A OUTPUT -j TOR_OUTPUT
> 
> -- 
> 2.26.2
  
Peter Müller Jan. 8, 2022, 11:38 a.m. UTC | #2
Hello Michael,

thanks for your reply.

Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables,
which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK",
so it's outdated anyway, and I don't know what source it is generated from.

Aside from that, mentioning the change on https://wiki.ipfire.org/configuration/firewall/geoip-block
needs to be done. I can take care of this.

Thanks, and best regards,
Peter Müller


> Hello,
> 
> Can we make sure this is well documented somewhere?
> 
> Generally we said that the location filter comes first and this will change that behaviour.
> 
> Best,
> -Michael
> 
  
Jon Murphy Jan. 8, 2022, 6:25 p.m. UTC | #3
Peter,

> Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables,
> which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK",
> so it's outdated anyway, and I don't know what source it is generated from.

It is from H&M (https://community.ipfire.org/u/hjkl, @hjkl):
https://community.ipfire.org/t/location-block-filter-strictly-before-fw-input/3870/11?u=jon


Jon


  

Patch

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 49c6b7bf9..cc5baa292 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -227,6 +227,10 @@  iptables_init() {
 		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
 	fi
 
+	# Tor (inbound)
+	iptables -N TOR_INPUT
+	iptables -A INPUT -j TOR_INPUT
+
 	# Location Block
 	iptables -N LOCATIONBLOCK
 	iptables -A INPUT -j LOCATIONBLOCK
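Review bot: the new `iptables -A INPUT -j TOR_INPUT` in this hunk now sits ahead of `iptables -A INPUT -j LOCATIONBLOCK`, so every ACCEPT rule that later gets loaded into TOR_INPUT is exempt from the location filter altogether; the hunk does not show how TOR_INPUT is populated, so please confirm that chain only matches traffic to the relay's listening ports and not a broader match, otherwise it turns into a general bypass of the location filter for inbound traffic. Since the thread records that the standing rule is "location filter first", a one-line comment under `# Tor (inbound)` saying why this chain is deliberately placed before the Location Block section (relays must accept connections from anywhere) would stop the next reader from "fixing" the order back.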
@@ -260,9 +264,7 @@  iptables_init() {
 	iptables -N OVPNINPUT
 	iptables -A INPUT -j OVPNINPUT
 
-	# Tor (inbound and outbound)
-	iptables -N TOR_INPUT
-	iptables -A INPUT -j TOR_INPUT
+	# Tor (outbound)
 	iptables -N TOR_OUTPUT
 	iptables -A OUTPUT -j TOR_OUTPUT
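Review bot: removing `iptables -N TOR_INPUT` and the matching `-A INPUT -j TOR_INPUT` here is required rather than cosmetic, because the chain is now created in the earlier hunk and a second `-N TOR_INPUT` would fail with "Chain already exists" (and the jump would be appended a second time, after LOCATIONBLOCK). The comment change to `# Tor (outbound)` is correct, but TOR_INPUT and TOR_OUTPUT are now set up in two separate places in `iptables_init()`; a short comment here pointing to the inbound chain's new position above the Location Block section would keep someone from re-adding the input jump at this spot.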