Hi,
I'm new to this list, so I apologise if my problem has already been solved.
I'm running a new tor router as a non-exit relay, with ORPort 443 and DirPort 80. The server is running on Debian stable and the tor version is 0.2.2.35. Tor is running under the debian-tor user. I have restrictive iptables firewall rules (in both directions, INPUT and OUTPUT). I do not like fw rules of the type "all outgoing is allowed". So I set the fw up as found somewhere on the torproject.org wiki, with "-m owner --uid-owner debian-tor":
IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP
...
...
IPTABLES -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: -d ${MYIP} --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -m owner --uid-owner debian-tor -j ACCEPT
In such a configuration the fw has been dropping large numbers of packets with uid 0 and packets with no uid set, and it seems that there was almost no tor traffic on the relay. So I changed the OUTPUT rule to:
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -j ACCEPT
and everything worked fine. I tried to use the 0.2.2.37 and 0.2.3.17-beta precompiled deb packages, and tried to compile from source downloaded from torproject.org, but the packet dropping was the same on every version of tor. The last thing I did was update the fw rules to:
IPTABLES -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: -d ${MYIP} --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -m owner --uid-owner debian-tor -j ACCEPT
IPTABLES -A OUTPUT -o eth0 -p tcp -s ${MYIP} -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED -j ACCEPT
to count the packets traversing each OUTPUT rule (with and without the uid set to "debian-tor"). 22% of all packets (11% of the bytes of that traffic) sent by the tor relay had the uid not set to "debian-tor".
Why is tor sending packets with uid not set to "debian-tor"?
Regards,
Tony