Hi all,
My tor relays[1] traffic decreased a lot and I think this *might* be connected to some kind of DDOS attack. So I wanted to use this situation to set up some DDOS protection. For that I stumbled upon Enkidu's tor DDOS mitigation script. [2] However, this script is made for `iptables`, not `nftables`. I use `firewalld` with `nftables` on my system, since this seems to be the new default. [3] I don't really know that much about firewalls, so this situation overwhelms me a bit. In the README of Enkidu's rules it says:
> Practically all linux systems come with iptables or more recently with nftables which basically does the same and more. So you won't need to install iptables. Just type iptables -V . If you see a version, you have it. The same with ipset . An ipset -v will do the job. In some rare cases you may not have ipset installed and installing it is as simple as apt-get ipset or yum install ipset or...
This seems to imply that the script should work fine with `nftables` as well. This is also what Enkidu seems to state in a relevant gitlab issue: [4]
> nftables interprets all the iptables rules just fine so the provided scripts will work regardless of which one you have.
But it's not true! The script failed on my server, complaining that the `iptables` command couldn't be found (and no rules had been applied).
So how can I apply proper DDOS protection firewall rules whilst using `nftables`? Is there some easy way to modify the script to make it work?
Kind regards Top
[1]: https://metrics.torproject.org/rs.html#search/toptor
[2]: https://github.com/Enkidu-6/tor-ddos
[3]: https://wiki.debian.org/nftables
[4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093
Hi
What OS?
What is the result when you type `iptables -V` and `ipset -v`?
The script will check the OS and if it doesn't come with ipset installed by default, it will install it before running any rules and in Ubuntu and Debian, installing ipset automatically installs iptables as well.
If you get an error even though you have iptables, then there must be another problem. Are you running the script as root? I'm running the same script on Almalinux 9+ which comes with nftables and firewalld by default and with no problem.
Regards,
Enkidu-6
On 10/22/2024 1:24 PM, Top wrote:
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Tuesday, 22 October 2024 19:24 Top wrote:
> My tor relays[1] traffic decreased a lot and I think this *might* be connected to some kind of DDOS attack. So I wanted to use this situation to set up some DDOS protection. For that I stumbled upon Enkidu's tor DDOS mitigation script. [2] However, this script is made for `iptables`, not `nftables`. I use `firewalld` with `nftables` on my system, since this seems to be the new default. [3] I don't really know that much about firewalls, so this situation overwhelms me a bit.
> So how can I apply proper DDOS protection firewall rules whilst using `nftables`? Is there some easy way to modify the script to make it work?
Nftables is just a single simple text file ;-)
My nftables examples: https://github.com/boldsuck/tor-relay-bootstrap/tree/nft/etc
It's actually the same thing that Bo posted here: https://gitlab.torproject.org/tpo/community/support/-/issues/40093
If you have an exit, surgprotector is more suitable.
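The kind of "single text file" boldsuck means, as an added illustration that is neither boldsuck's example file nor Enkidu's script: a standalone nftables ruleset that gives a relay's ORPort a per-source cap on concurrent connections and a per-source rate limit on new connections, parking offenders in an expiring set. It assumes ORPort 9001, IPv4 only, nft 0.9 or newer with conntrack loaded, and illustrative limit values that have to be tuned against the relay's real client load.

```nft
#!/usr/sbin/nft -f
# Added example, not boldsuck's file or Enkidu's script. Assumptions:
# ORPort 9001, IPv4 only, nft >= 0.9, conntrack loaded, limits are placeholders.

define ORPORT = 9001

# Create the table if absent, then empty it, so reloading this file is
# idempotent without `flush ruleset` (which would also wipe firewalld's tables).
table inet tor_ddos {}
flush table inet tor_ddos

table inet tor_ddos {
    # Sources that tripped a limit; entries expire on their own.
    set blocklist_v4 {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1h
        size 65535
    }
    # Per-source counters for the two limits below.
    set orport_conns_v4 {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10m
        size 65535
    }
    set orport_rate_v4 {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10m
        size 65535
    }

    chain input {
        type filter hook input priority filter; policy accept;

        iif "lo" accept
        ct state established,related accept

        # Everything from a listed source is dropped while its entry lives.
        ip saddr @blocklist_v4 counter drop

        # More than 2 concurrent ORPort connections from one source: list and drop.
        tcp dport $ORPORT ct state new add @orport_conns_v4 { ip saddr ct count over 2 } add @blocklist_v4 { ip saddr } counter drop

        # More than 4 new ORPort connections per minute (burst 8) from one source: list and drop.
        tcp dport $ORPORT ct state new add @orport_rate_v4 { ip saddr limit rate over 4/minute burst 8 packets } add @blocklist_v4 { ip saddr } counter drop
    }
}
```

Load it with `nft -f` and watch who gets listed with `nft list set inet tor_ddos blocklist_v4` before tightening any value. Base chains in different tables all see each packet, so an `accept` here does not bypass firewalld's own chains, while a `drop` is final.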
* Top:
> The script failed on my server, complaining that the `iptables` command couldn't be found (and no rules had been applied).
You provided too little information to offer detailed advice. Best not to interpret error messages if you can post actual logs instead. Generally speaking, your problems might be related to your PATH variable content during script execution. You also may find [1] generally useful.
[1] https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nf...
> So how can I apply proper DDOS protection firewall rules whilst using `nftables`? Is there some easy way to modify the script to make it work?
The question of difficulty depends on your personal knowledge and skills. Based on your own assessment, meddling with Kernel routing tables might be beyond your current level of experience. You can sabotage your server's operation and lock yourself out, so I urge you to get comfortable with the whole subject in a test environment with backup console access, before taking on a remote production server.
-Ralph
On 22/10/24 14:24, Top wrote:
> Hi all,
> My tor relays[1] traffic decreased a lot and I think this *might* be connected to some kind of DDOS attack. So I wanted to use this situation to set up some DDOS protection. For that I stumbled upon Enkidu's tor DDOS mitigation script. [2]
I believe that the mitigations found in the community-maintained anti-DDoS scripts, such as limiting the number of open connections from a single IP, are now integrated into tor itself.
> However, this script is made for `iptables`, not `nftables`. I use `firewalld` with `nftables` on my system, since this seems to be the new default. [3] I don't really know that much about firewalls, so this situation overwhelms me a bit. In the README of Enkidu's rules it says:
> > Practically all linux systems come with iptables or more recently with nftables which basically does the same and more. So you won't need to install iptables. Just type iptables -V . If you see a version, you have it. The same with ipset . An ipset -v will do the job. In some rare cases you may not have ipset installed and installing it is as simple as apt-get ipset or yum install ipset or...
You may want to consider installing the iptables-nft package, which offers a compatibility layer for iptables on Fedora/CentOS.
> This seems to imply that the script should work fine with `nftables` as well. This is also what Enkidu seems to state in a relevant gitlab issue: [4]
> > nftables interprets all the iptables rules just fine so the provided scripts will work regardless of which one you have.
> But it's not true! The script failed on my server, complaining that the `iptables` command couldn't be found (and no rules had been applied).
> So how can I apply proper DDOS protection firewall rules whilst using `nftables`? Is there some easy way to modify the script to make it work?
> Kind regards Top
Hi,
thanks for the replies! I'm gonna answer a few questions.
Regarding Enkidu:
- I use Debian
- `iptables -V` says `-bash: iptables: command not found`
- `ipset -v` says `ipset v7.17, protocol version: 7`
- I'm running Debian but the installation of `ipset` did not install `iptables`
- I am running the script with root
- Besides, I don't *want* to use `iptables` and `nftables` - so I don't even want `iptables` to be installed
Regarding boldsuck: Thanks for the information! I might try to adapt your example to my situation. I do not have an exit but two guards.
Regarding Ralph:
- The logs basically keep repeating that `iptables` could not be found. For example:
```
./rules.sh: line 3: iptables-save: command not found
./rules.sh: line 4: ip6tables-save: command not found
./rules.sh: line 6: iptables: command not found
./rules.sh: line 7: ip6tables: command not found
```
- I don't think my PATH is my problem, since I really don't have (nor want) `iptables` installed
- I can't lock myself out since I can always access the server directly without `ssh`. Thanks for the warning though
Regarding tor-relays+tor-relays:
- Interesting that anti-DDoS is now integrated!
- The `iptables-nft` package does not exist on my machine since I run Debian
Kind regards Top
In modern Debian, there is no more "iptables-nft" package. The package "iptables" IS iptables-nft. When you `sudo apt-get install iptables`, you will only get iptables-nft. The iptables command is a soft-link to it.
This is a translation layer that takes iptables rules and inserts them as nft rules into your netfilter tables.
With Ubuntu, installing ipset automatically installs iptables along with it. As others mentioned, modern Debian doesn't do that. I've modified the script to do that as well in the new version (v7.0.5).
As it is, you neither have iptables nor nftables and since you don't want to install them at all, then there's no point in running the script. As it's clearly stated in the README file of the repository, my script uses iptables-nft to accomplish the task of mitigating the attacks and it's not something you can accomplish using firewalld or UFW, at least not to that extent. The goal of those firewalls is to simplify the rules for people who don't want to deal with complexities of iptables/nftables and in doing so, they do not offer the more complex features that iptables-nft provides.
Regards,
Enkidu
On 10/23/2024 4:40 AM, Top wrote:
On Wednesday, 23 October 2024 04:49 tor-relays+tor-relays@queer.cat wrote:
> I believe that the mitigations found in the community-maintained anti-DDoS scripts, such as limiting the number of open connections from a single IP, are now integrated into tor itself.
I think you are confusing the client to relay DoS mitigations with relay to relay.