
Re: [tor-talk] tor setup on wt3020h with openwrt problem



What's in the logs?
Did you check what iptables DROPs or REJECTs?

To check DNS resolving try `dig @DNS_SERVER_IP google.com`

On 1/2/15 11:54 PM, Oğuz Yarımtepe wrote:
I changed the firewall rules.

/etc/firewall.user

# This file is interpreted as shell script.
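# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
#iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# NOTE(review): ACCEPT in nat/PREROUTING ends NAT processing for the packet,
# so these two rules exempt ALL TCP/80 and TCP/22 traffic, whatever its
# destination, from the REDIRECT to Tor's transparent port further down.
# Client HTTP is then routed normally and leaves with the ISP address.
# Presumably the intent was only to keep the router's own web UI and SSH
# reachable; if so, match the router address too (e.g. -i wlan0 -d 192.168.2.1).
iptables -t nat -A PREROUTING -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT

# DNS queries from wireless clients go to Tor's DNS port.
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
# New TCP connections go to Tor's transparent proxy port.
# NOTE(review): this rule has no -i match, so it applies to SYNs arriving on
# every interface, not just wlan0; the commented-out variant below is limited
# to wlan0. Nothing in this file redirects or drops non-DNS UDP or other
# protocols, so whether those leak depends on the filter table.
iptables -t nat -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
#iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040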


/etc/config/firewall


# NOTE(review): input, output and forward all default to ACCEPT, so anything
# no later rule matches is allowed. On a transparent Tor gateway, client
# traffic that the nat REDIRECT rules in /etc/firewall.user do not catch can
# then be forwarded in the clear instead of being dropped.
config defaults
   option syn_flood  1
   option input    ACCEPT
   option output   ACCEPT
   option forward  ACCEPT
# Uncomment this line to disable ipv6 rules
   option disable_ipv6 1

config zone
     option name 'lan'
     option input 'ACCEPT'
     option output 'ACCEPT'
     option forward 'ACCEPT'
     option network 'lan'

# NOTE(review): input ACCEPT on wan lets hosts on the WAN side connect to
# services on the router itself; REJECT is the usual setting for this zone.
# Confirm this is intended.
config zone
         option name             wan
         list   network          'wan'
         option input            ACCEPT
         option output           ACCEPT
         option forward          ACCEPT
         option masq             1
         option mtu_fix          1


# NOTE(review): this zone lists no network or device, so no interface belongs
# to it; the iptables-save output in this message contains no jump into the
# zone_transtor_* chains. Until an interface (presumably the wlan0 network) is
# attached, the Allow-Tor-* rules below match nothing.
config zone
         option name     transtor
         option input    ACCEPT
         option output   ACCEPT
         option forward  ACCEPT
         #option syn_flood 1
         option conntrack 1 #this setting is mandatory

# Allow Transparent clients the ability to DHCP an address
# XXX TODO: Audit this to ensure it doesn't leak UDP port 67 to the net!
config rule
         option name             'Allow-Tor-DHCP'
         option src              transtor
         option proto            udp
         option dest_port        67
         option target           ACCEPT
# Tor transparent-proxy-port (set in /etc/tor/torrc)
config rule
option name             'Allow-Tor-Transparent'
         option src              transtor
         option proto            tcp
         option dest_port        9040
         option target           ACCEPT
# Tor DNS-proxy-port (set in /etc/tor/torrc)
config rule
         option name             'Allow-Tor-DNS'
         option src              transtor
         option proto            udp
         option dest_port        9053
         option target           ACCEPT

#config rule
#    option name 'Allow-DHCP-Renew'
#    option src 'transtor'
#    option proto 'wan'
#    option dest_port '68'
#    option target 'ACCEPT'
#    option family 'ipv4'

# NOTE(review): this allows forwarding from wan to lan; a client-to-Internet
# path is normally src lan, dst wan. Confirm the direction is intended.
config forwarding
         option src wan
         option dst lan

# Loads the custom iptables rules from /etc/firewall.user.
config include
     option path '/etc/firewall.user'

netstat -pantu

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address
State       PID/Program name
tcp        0      0 192.168.2.1:9040        0.0.0.0:*
LISTEN      883/tor
tcp        0      0 127.0.0.1:9040          0.0.0.0:*
LISTEN      883/tor
tcp        0      0 0.0.0.0:80              0.0.0.0:*
LISTEN      911/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*
LISTEN      1016/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*
LISTEN      700/dropbear
tcp        0      0 192.168.2.1:9050        0.0.0.0:*
LISTEN      883/tor
tcp        0      0 192.168.2.1:9040        192.168.2.171:39140
ESTABLISHED 883/tor
tcp        0      0 192.168.1.104:56891     216.17.99.144:9001
ESTABLISHED 883/tor
tcp        0      0 192.168.2.1:9040        192.168.2.171:33555
ESTABLISHED 883/tor
tcp        0      0 192.168.1.104:55734     171.25.193.9:80
TIME_WAIT   -
tcp        0      0 192.168.2.1:22          192.168.2.171:38308
ESTABLISHED 1147/dropbear
tcp        0      0 192.168.2.1:9040        192.168.2.171:53402
ESTABLISHED 883/tor
tcp        0      0 192.168.2.1:9040        192.168.2.171:39141
ESTABLISHED 883/tor
tcp        0      0 192.168.1.104:54953     154.35.32.5:443
TIME_WAIT   -
tcp        0      0 192.168.1.104:51428     86.59.119.83:443
ESTABLISHED 883/tor
tcp        0      0 192.168.1.104:48492     37.143.86.26:443
ESTABLISHED 883/tor
tcp        0      0 :::80                   :::*
LISTEN      911/uhttpd
tcp        0      0 :::53                   :::*
LISTEN      1016/dnsmasq
tcp        0      0 :::22                   :::*
LISTEN      700/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*
1016/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*
1016/dnsmasq
udp        0      0 192.168.2.1:9053        0.0.0.0:*
883/tor
udp        0      0 127.0.0.1:9053          0.0.0.0:*
883/tor
udp        0      0 :::546
:::*                                764/odhcp6c
udp        0      0 :::547
:::*                                674/odhcpd
udp        0      0 :::53
:::*                                1016/dnsmasq


When I opened https://check.torproject.org/, it says I am using Tor. But
when I opened http://whatismyipaddress.com/ I still see my ADSL IP, not
the one the Tor check reports.

So something is not the way I wish. I think DNS queries are still not
going through Tor.

# Generated by iptables-save v1.4.21 on Fri Jan  2 22:51:39 2015
*nat
:PREROUTING ACCEPT [79:16807]
:INPUT ACCEPT [121:11370]
:OUTPUT ACCEPT [87:7496]
:POSTROUTING ACCEPT [6:1420]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_transtor_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_transtor_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_transtor_postrouting - [0:0]
:zone_transtor_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A PREROUTING -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT
--to-ports 9040
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting"
-j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0.2 -j zone_wan_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j
prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0.2 -j zone_wan_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting"
-j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j
prerouting_lan_rule
-A zone_transtor_postrouting -m comment --comment "user chain for
postrouting" -j postrouting_transtor_rule
-A zone_transtor_prerouting -m comment --comment "user chain for
prerouting" -j prerouting_transtor_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting"
-j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j
prerouting_wan_rule
COMMIT
# Completed on Fri Jan  2 22:51:39 2015
# Generated by iptables-save v1.4.21 on Fri Jan  2 22:51:39 2015
*raw
:PREROUTING ACCEPT [8382:5506270]
:OUTPUT ACCEPT [6460:3708106]
:delegate_notrack - [0:0]
:zone_lan_notrack - [0:0]
-A PREROUTING -j delegate_notrack
-A delegate_notrack -i br-lan -j zone_lan_notrack
-A zone_lan_notrack -j CT --notrack
COMMIT
# Completed on Fri Jan  2 22:51:39 2015
# Generated by iptables-save v1.4.21 on Fri Jan  2 22:51:39 2015
*mangle
:PREROUTING ACCEPT [8382:5506270]
:INPUT ACCEPT [8270:5488440]
:FORWARD ACCEPT [46:5444]
:OUTPUT ACCEPT [6460:3708106]
:POSTROUTING ACCEPT [6508:3714206]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment
--comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Jan  2 22:51:39 2015
# Generated by iptables-save v1.4.21 on Fri Jan  2 22:51:39 2015
*filter
:INPUT ACCEPT [251:24620]
:FORWARD ACCEPT [2:120]
:OUTPUT ACCEPT [8:2086]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_transtor_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_transtor_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_transtor_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_transtor_dest_ACCEPT - [0:0]
:zone_transtor_forward - [0:0]
:zone_transtor_input - [0:0]
:zone_transtor_output - [0:0]
:zone_transtor_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j
forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j
output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit
25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j
forwarding_lan_rule
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment
"Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j
input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept
port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j
output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_transtor_forward -m comment --comment "user chain for forwarding"
-j forwarding_transtor_rule
-A zone_transtor_forward -m conntrack --ctstate DNAT -m comment --comment
"Accept port forwards" -j ACCEPT
-A zone_transtor_forward -j zone_transtor_dest_ACCEPT
-A zone_transtor_input -m comment --comment "user chain for input" -j
input_transtor_rule
-A zone_transtor_input -p udp -m udp --dport 67 -m comment --comment
Allow-Tor-DHCP -j ACCEPT
-A zone_transtor_input -p tcp -m tcp --dport 9040 -m comment --comment
Allow-Tor-Transparent -j ACCEPT
-A zone_transtor_input -p udp -m udp --dport 9053 -m comment --comment
Allow-Tor-DNS -j ACCEPT
-A zone_transtor_input -m conntrack --ctstate DNAT -m comment --comment
"Accept port redirections" -j ACCEPT
-A zone_transtor_input -j zone_transtor_src_ACCEPT
-A zone_transtor_output -m comment --comment "user chain for output" -j
output_transtor_rule
-A zone_transtor_output -j zone_transtor_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j
forwarding_wan_rule
-A zone_wan_forward -m comment --comment "forwarding wan -> *" -j ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment
"Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "user chain for input" -j
input_wan_rule
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept
port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "user chain for output" -j
output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth0.2 -j ACCEPT
COMMIT
# Completed on Fri Jan  2 22:51:39 2015


Any idea what I should reject in the firewall rules?


On Tue, Dec 30, 2014 at 8:36 AM, Michal Zuber <michael@riseup.net> wrote:

Did you try disabling the firewall and testing without it?


On 12/29/14 7:45 PM, Oğuz Yarımtepe wrote:

Hi,

On Mon, Dec 29, 2014 at 9:00 AM, Michal Zuber <michael@riseup.net> wrote:

  Hi,
1. what about the logs?


  2. I have the following in my iptables.rules to be notified what was
blocked
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
--log-level 7


  I added this to firewall.user and saw that UDP messages are somehow
blocked.

[ 2539.100000] iptables denied: IN=wlan0 OUT=
MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP
SPT=48397 DPT=9053 LEN=46
[ 2550.550000] iptables denied: IN=wlan0 OUT=
MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40926 DF PROTO=UDP
SPT=47905 DPT=9053 LEN=50
[ 2563.880000] iptables denied: IN=wlan0 OUT=
MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=43508 DF PROTO=UDP
SPT=37506 DPT=9053 LEN=44
[ 2574.950000] iptables denied: IN=wlan0 OUT=
MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148
DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP
SPT=28425 DPT=9053 LEN=50
[ 2586.200000] iptables denied: IN=wlan0 OUT=
MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=46793 DF PROTO=UDP
SPT=37394 DPT=9053 LEN=46
[ 2598.680000] iptables denied: IN=wlan0 OUT=
MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171
DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48473 DF PROTO=UDP
SPT=57058 DPT=9053 LEN=44
[ 2611.290000] iptables denied: IN=wlan0 OUT=
MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148
DST=192.168.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=58998 DF PROTO=UDP
SPT=58128 DPT=9053 LEN=48






  3. `netstat -nat |grep :53` or `lsof -i :53` shows listening on port 53
? (
https://www.debian-administration.org/article/184/How_to_find_out_which_
process_is_listening_upon_a_port)
4. Did you try host (dig, nslookup) on the router?
5. Does `dig @ROUTER_IP google.com` work?
6. You could also watch the DNS traffic with ` tcpdump -vvv -s 0
-l -n port 53` (http://jontai.me/blog/2011/11/monitoring-dns-queries-
with-tcpdump/)


route -n was strange

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0
br-lan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0
wlan0

netstat -pantu says the ports are right

   netstat -pantu
   Active Internet connections (servers and established)
   Proto Recv-Q Send-Q Local Address           Foreign Address
State       PID/Program name
   tcp        0      0 192.168.2.1:9040        0.0.0.0:*
LISTEN      734/tor
   tcp        0      0 0.0.0.0:80              0.0.0.0:*
LISTEN      756/uhttpd
   tcp        0      0 0.0.0.0:53              0.0.0.0:*
LISTEN      1059/dnsmasq
   tcp        0      0 0.0.0.0:22              0.0.0.0:*
LISTEN      699/dropbear
   tcp        0      0 0.0.0.0:443             0.0.0.0:*
LISTEN      734/tor
   tcp        0    248 192.168.2.1:22          192.168.2.171:44694
ESTABLISHED 1062/dropbear
   tcp        0      0 :::80                   :::*
LISTEN      756/uhttpd
   tcp        0      0 :::53                   :::*
LISTEN      1059/dnsmasq
   tcp        0      0 :::22                   :::*
LISTEN      699/dropbear
   udp        0      0 0.0.0.0:53              0.0.0.0:*
1059/dnsmasq
   udp        0      0 0.0.0.0:67              0.0.0.0:*
1059/dnsmasq
   udp        0      0 192.168.2.1:9053        0.0.0.0:*
734/tor
   udp        0      0 :::546
:::*                                812/odhcp6c
   udp        0      0 :::547
:::*                                669/odhcpd
   udp        0      0 :::53
:::*                                1059/dnsmasq
~

here is iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
delegate_input  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg
5/min burst 5 LOG level debug prefix "iptables denied: "

Chain FORWARD (policy DROP)
target     prot opt source               destination
delegate_forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
delegate_output  all  --  anywhere             anywhere

Chain delegate_forward (1 references)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /*
user
chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate
RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain delegate_input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
input_rule  all  --  anywhere             anywhere             /* user
chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate
RELATED,ESTABLISHED
syn_flood  tcp  --  anywhere             anywhere             tcp
flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all  --  anywhere             anywhere
zone_wan_input  all  --  anywhere             anywhere

Chain delegate_output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere             /* user
chain for output */
ACCEPT     all  --  anywhere             anywhere             ctstate
RELATED,ESTABLISHED
zone_lan_output  all  --  anywhere             anywhere
zone_wan_output  all  --  anywhere             anywhere

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_transtor_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_transtor_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_transtor_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with
tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with
icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp
flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere

Chain zone_lan_dest_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /*
user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
/* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* user
chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
/* Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /*
user
chain for output */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_transtor_dest_ACCEPT (1 references)
target     prot opt source               destination

Chain zone_transtor_dest_REJECT (1 references)
target     prot opt source               destination

Chain zone_transtor_forward (0 references)
target     prot opt source               destination
forwarding_transtor_rule  all  --  anywhere
anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
/* Accept port forwards */
zone_transtor_dest_REJECT  all  --  anywhere
anywhere

Chain zone_transtor_input (0 references)
target     prot opt source               destination
input_transtor_rule  all  --  anywhere             anywhere             /*
user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp
dpt:bootps /* Allow-Tor-DHCP */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9040
/* Allow-Tor-Transparent */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:9053
/* Allow-Tor-DNS */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
/* Accept port redirections */
zone_transtor_src_REJECT  all  --  anywhere             anywhere

Chain zone_transtor_output (0 references)
target     prot opt source               destination
output_transtor_rule  all  --  anywhere             anywhere
  /*
user chain for output */
zone_transtor_dest_ACCEPT  all  --  anywhere
anywhere

Chain zone_transtor_src_REJECT (1 references)
target     prot opt source               destination

Chain zone_wan_dest_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /*
user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
/* Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* user
chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp
dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp
echo-request /* Allow-Ping */
ACCEPT     tcp  --  anywhere             anywhere             tcp
dpt:https
/* @rule[5] */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
/* Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /*
user
chain for output */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere


Other ADSL users started to lose their Internet connection. When they
connected to the normal ADSL SSID while the Tor router was plugged in,
they started to lose the connection.

It seems there is a firewall or network problem.

Can anyone figure it out?




