From patchwork Fri Jul 5 03:43:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2340
bh=Xn8agPKOdIlhqQ8znpsCxRg1J6qD6PnOLjg+zAkoziU=; b=hCLfCiuenkq8juK4ziW34Xst415NEKPJkZkwo6cOPAo2lsW6xHPMd6jhOECHtblhE4HQhz VE3Nxw/VU3CUfrCQ== To: "IPFire: Development-List" From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH] firewall: accept inbound Tor traffic before applying GeoIP Organization: IPFire.org Message-ID: Date: Thu, 04 Jul 2019 17:43:00 +0000 MIME-Version: 1.0 Content-Language: en-US Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Inbound Tor traffic conflicts with GeoIP block as inbound connections have to be accepted from many parts of the world. To solve this, inbound Tor traffic has to be accepted before jumping into GeoIP block chain. Note this affects Tor relay operators only. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index b3483a744..e4b29da28 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -269,6 +269,10 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi + # Tor (inbound) + iptables -N TOR_INPUT + iptables -A INPUT -j TOR_INPUT + # GeoIP block iptables -N GEOIPBLOCK iptables -A INPUT -j GEOIPBLOCK @@ -302,9 +306,7 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT - # Tor (inbound and outbound) - iptables -N TOR_INPUT - iptables -A INPUT -j TOR_INPUT + # Tor (outbound) iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT
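Review bot: in the first hunk (@@ -269,6 +269,10 @@), the new `iptables -A INPUT -j TOR_INPUT` jump is placed ahead of GEOIPBLOCK, but it is also ahead of every other INPUT chain that sits between here and the old position after OVPNINPUT (around line 302 of the old file), so anything TOR_INPUT accepts now skips that whole range of INPUT filtering, not only the GeoIP block. What TOR_INPUT actually matches is not part of this patch; the reorder is only safe, and the commit message's "affects Tor relay operators only" only holds, if that chain accepts narrowly on the relay's listening ports and otherwise returns with no rules on systems that do not run a relay. Suggest recording the ordering dependency in the code comment so a later reorder does not silently reintroduce the conflict, e.g. `# Tor (inbound) - must precede GEOIPBLOCK, relays accept connections from everywhere`.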
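Review bot: in the second hunk (@@ -302,9 +306,7 @@), renaming the comment from "Tor (inbound and outbound)" to "Tor (outbound)" leaves no pointer to where TOR_INPUT is now created; a short cross-reference, e.g. `# Tor (outbound); TOR_INPUT is created before GEOIPBLOCK above`, would help the next reader of iptables_init(). Also worth confirming that whatever later populates TOR_INPUT (not visible in this patch) only relies on the chain existing after iptables_init() has run, not on it being created next to TOR_OUTPUT, since `iptables -N TOR_INPUT` moved roughly thirty lines up within the same function.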