From patchwork Sat Dec 18 13:47:56 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4925
Subject: [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter
To: development@lists.ipfire.org
References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: <4347b799-f863-9870-50d2-683b8c078670@ipfire.org> Date: Sat, 18 Dec 2021 14:47:56 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Inbound Tor traffic conflicts with Location block as inbound connections have to be accepted from many parts of the world. To solve this, inbound Tor traffic has to be accepted before jumping into Location block chain. Note this affects Tor relay operators only. Rolled forward as ongoing from https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org/, note the documentation in the wiki needs to be updated once this landed in production. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 49c6b7bf9..cc5baa292 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -227,6 +227,10 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi + # Tor (inbound) + iptables -N TOR_INPUT + iptables -A INPUT -j TOR_INPUT + # Location Block iptables -N LOCATIONBLOCK iptables -A INPUT -j LOCATIONBLOCK @@ -260,9 +264,7 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT - # Tor (inbound and outbound) - iptables -N TOR_INPUT - iptables -A INPUT -j TOR_INPUT + # Tor (outbound) iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT
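Review bot: in the first hunk, the new `# Tor (inbound)` comment above `iptables -A INPUT -j TOR_INPUT` does not record why this jump has to sit ahead of `iptables -A INPUT -j LOCATIONBLOCK`, and that ordering is the entire point of the change; a one-line comment such as `# Must precede LOCATIONBLOCK: relay traffic arrives from every country` would keep a later cleanup from re-sorting the chains. Since anything accepted inside TOR_INPUT is now exempt from the location filter, it is also worth stating (in the comment or the commit message) that the rules populating TOR_INPUT are expected to match only the relay's listening ports, not inbound traffic in general.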
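Review bot: in the second hunk, dropping `iptables -N TOR_INPUT` together with its jump is required rather than cosmetic: the chain is now created in the earlier block, and a second `iptables -N TOR_INPUT` for an existing chain fails with "Chain already exists", so the commit message should say so. The surviving `# Tor (outbound)` comment would also benefit from a pointer to where the inbound chain moved, so the next reader does not look for the pair here.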
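As an added illustration of the ordering problem the commit message describes (this is not IPFire code, not part of the patch, and does not touch netfilter), the following Python model walks a simplified INPUT chain with the old order (LOCATIONBLOCK before TOR_INPUT) and the new order (TOR_INPUT before LOCATIONBLOCK). The relay port 9001, the country code XX and the rules placed in each user chain are constructed assumptions; the real values come from IPFire's tor and location-filter scripts, which the patch does not show. It also demonstrates the caveat a reviewer would raise: once TOR_INPUT is consulted first, an over-broad ACCEPT in that chain exempts every port from the location filter.

```python
"""Toy model of iptables chain traversal (added example, not IPFire code).

Semantics are deliberately reduced: rules are checked in order, the first
ACCEPT/DROP verdict is final, a jump enters a user chain, and a user chain
that is exhausted (or hits RETURN) hands control back to the caller.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TOR_ORPORT = 9001            # assumed relay listening port (constructed)
BLOCKED_COUNTRIES = {"XX"}   # constructed location-block entry


@dataclass
class Packet:
    src_country: str
    dport: int


@dataclass
class Rule:
    # target is "ACCEPT", "DROP", "RETURN" or the name of a user chain to jump into
    target: str
    match: Callable[[Packet], bool] = lambda p: True


@dataclass
class Firewall:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)

    def new_chain(self, name: str) -> None:
        # Mirrors `iptables -N` refusing to create a chain that already exists
        if name in self.chains:
            raise ValueError(f"chain {name} already exists")
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.match(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, pkt)   # jump into user chain
            if verdict is not None:
                return verdict
        return None   # fell off the end: back to the caller, or the policy

    def verdict(self, pkt: Packet, policy: str = "DROP") -> str:
        return self._walk("INPUT", pkt) or policy


def build(tor_before_location: bool) -> Firewall:
    """Build INPUT with the jumps in the old or the new order."""
    fw = Firewall()
    for name in ("INPUT", "TOR_INPUT", "LOCATIONBLOCK"):
        fw.new_chain(name)
    # Rules the tor and location-filter scripts would populate (constructed)
    fw.append("TOR_INPUT", Rule("ACCEPT", lambda p: p.dport == TOR_ORPORT))
    fw.append("LOCATIONBLOCK", Rule("DROP", lambda p: p.src_country in BLOCKED_COUNTRIES))
    order = ["TOR_INPUT", "LOCATIONBLOCK"] if tor_before_location else ["LOCATIONBLOCK", "TOR_INPUT"]
    for chain in order:
        fw.append("INPUT", Rule(chain))
    return fw


def relay_verdict(tor_before_location: bool) -> str:
    """A relay connection from a location-blocked country to the ORPort."""
    return build(tor_before_location).verdict(Packet("XX", TOR_ORPORT))


def non_tor_verdict(tor_before_location: bool) -> str:
    """Same source, some other port: must stay blocked in either order."""
    return build(tor_before_location).verdict(Packet("XX", 22))


def broad_tor_chain_verdict() -> str:
    """Caveat: with TOR_INPUT first, a catch-all ACCEPT there bypasses LOCATIONBLOCK."""
    fw = build(True)
    fw.append("TOR_INPUT", Rule("ACCEPT"))   # constructed mistake: accept everything
    return fw.verdict(Packet("XX", 22))


if __name__ == "__main__":
    print("old order, ORPort from blocked country:", relay_verdict(False))
    print("new order, ORPort from blocked country:", relay_verdict(True))
    print("new order, port 22 from blocked country:", non_tor_verdict(True))
    print("new order with over-broad TOR_INPUT, port 22:", broad_tor_chain_verdict())
```

The two `build()` orders correspond to the two sides of the patch; the last function is the reason the note about keeping TOR_INPUT narrow matters, since nothing in the chain order itself prevents a broad rule from turning the Tor exemption into a general location-filter bypass.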