Hi,

On Mon, Dec 29, 2014 at 9:00 AM, Michal Zuber <mich...@riseup.net> wrote:
> Hi,
> 1. what about the logs?
>
> 2. I have the following in my iptables.rules to be notified what was
> blocked
> -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
> --log-level 7
>

I added this to firewall.user and saw that UDP messages are somehow blocked.

[ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP SPT=48397 DPT=9053 LEN=46
[ 2550.550000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40926 DF PROTO=UDP SPT=47905 DPT=9053 LEN=50
[ 2563.880000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=43508 DF PROTO=UDP SPT=37506 DPT=9053 LEN=44
[ 2574.950000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP SPT=28425 DPT=9053 LEN=50
[ 2586.200000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=46793 DF PROTO=UDP SPT=37394 DPT=9053 LEN=46
[ 2598.680000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48473 DF PROTO=UDP SPT=57058 DPT=9053 LEN=44
[ 2611.290000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=58998 DF PROTO=UDP SPT=58128 DPT=9053 LEN=48

> 3. `netstat -nat |grep :53` or `lsof -i :53` shows listening on port 53 ?
> (https://www.debian-administration.org/article/184/How_to_find_out_which_process_is_listening_upon_a_port)
> 4. Did you try host (dig, nslookup) on the router?
> 5. Does `dig @ROUTER_IP google.com` work?
> 6. You could also try watching the DNS traffic with `tcpdump -vvv -s 0 -l -n port 53`
> (http://jontai.me/blog/2011/11/monitoring-dns-queries-with-tcpdump/)

route -n was strange:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0

netstat -pantu says the ports are right:

netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.2.1:9040        0.0.0.0:*               LISTEN      734/tor
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      756/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1059/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      699/dropbear
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      734/tor
tcp        0    248 192.168.2.1:22          192.168.2.171:44694     ESTABLISHED 1062/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      756/uhttpd
tcp        0      0 :::53                   :::*                    LISTEN      1059/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      699/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1059/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1059/dnsmasq
udp        0      0 192.168.2.1:9053        0.0.0.0:*                           734/tor
udp        0      0 :::546                  :::*                                812/odhcp6c
udp        0      0 :::547                  :::*                                669/odhcpd
udp        0      0 :::53                   :::*                                1059/dnsmasq

Here is iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
delegate_input  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "

Chain FORWARD (policy DROP)
target     prot opt source               destination
delegate_forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
delegate_output  all  --  anywhere             anywhere

Chain delegate_forward (1 references)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain delegate_input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
input_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all  --  anywhere             anywhere
zone_wan_input  all  --  anywhere             anywhere

Chain delegate_output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere             /* user chain for output */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_output  all  --  anywhere             anywhere
zone_wan_output  all  --  anywhere             anywhere

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_transtor_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_transtor_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_transtor_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere

Chain zone_lan_dest_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_transtor_dest_ACCEPT (1 references)
target     prot opt source               destination

Chain zone_transtor_dest_REJECT (1 references)
target     prot opt source               destination

Chain zone_transtor_forward (0 references)
target     prot opt source               destination
forwarding_transtor_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_transtor_dest_REJECT  all  --  anywhere             anywhere

Chain zone_transtor_input (0 references)
target     prot opt source               destination
input_transtor_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps /* Allow-Tor-DHCP */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9040 /* Allow-Tor-Transparent */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:9053 /* Allow-Tor-DNS */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_transtor_src_REJECT  all  --  anywhere             anywhere

Chain zone_transtor_output (0 references)
target     prot opt source               destination
output_transtor_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_transtor_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_transtor_src_REJECT (1 references)
target     prot opt source               destination

Chain zone_wan_dest_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* Allow-Ping */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https /* @rule[5] */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

I started to lose my Internet connection for other ADSL users. When they
connected to the normal ADSL SSID while the Tor router was plugged in, they
started to lose their connection. Seems there is a firewall or network
problem. Can anyone figure it out?

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
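Reading a burst of "iptables denied:" lines by eye hides what they have in common, so the usual first step is to parse the key=value fields the LOG target emits and tally them. The script below is an added example, not code from the post or from Tor or OpenWrt; it assumes the standard netfilter LOG line format and the "iptables denied: " prefix from the rule quoted above, and its sample input is the seven kernel lines pasted in the message, re-typed here as constructed test data. Run over them it shows that every logged packet is UDP to port 9053 (the port tor is listening on per the netstat output) arriving on wlan0 from two clients. Two things in the `iptables -L` dump are worth checking against such a summary: the LOG rule is the last rule of an INPUT chain whose policy is ACCEPT, so a packet that reaches it has only fallen through every zone chain and is logged but still delivered, not dropped; and the `zone_transtor_input` chain that holds the "Allow-Tor-DNS" rule for udp 9053 has 0 references, so nothing ever jumps to it.

```python
"""Summarise netfilter LOG lines of the kind pasted in the post.

Added example (not part of the original mailing-list message). It assumes
the kernel log format produced by the iptables LOG target and the
"iptables denied: " prefix used in the rule quoted above. The sample lines
are the ones from the post, re-typed here as constructed input.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# "[ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=... SRC=... DPT=9053 LEN=46"
_LINE_RE = re.compile(r"^\[\s*(?P<ts>[0-9.]+)\]\s*(?P<prefix>.*?:)\s*(?P<rest>IN=.*)$")
# KEY=value tokens; IN/OUT/MAC may carry an empty value, bare flags like DF have no '='.
_FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one LOG line, or None if the line is not a LOG line."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    fields: Dict[str, str] = {"TS": m.group("ts"), "PREFIX": m.group("prefix").rstrip(":")}
    for f in _FIELD_RE.finditer(m.group("rest")):
        key, value = f.group("key"), f.group("value")
        # LEN appears twice for UDP (IP total length, then UDP length);
        # keep the first as LEN and store the second as L4LEN.
        if key in fields:
            key = "L4" + key
        fields[key] = value
    return fields


def summarise(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count logged packets by proto/destination port, by source and by ingress interface."""
    by_dst: Counter = Counter()
    by_src: Counter = Counter()
    by_iface: Counter = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue  # unrelated kernel message
        by_dst[f"{f.get('PROTO', '?')}/{f.get('DPT', '?')}"] += 1
        by_src[f.get("SRC", "?")] += 1
        by_iface[f.get("IN", "?")] += 1
    return {"dst": by_dst, "src": by_src, "iface": by_iface}


def report(lines: Iterable[str]) -> str:
    """Render the summary as plain text, most frequent key first."""
    s = summarise(lines)
    out: List[str] = []
    for name, title in (("dst", "by protocol/destination port"),
                        ("src", "by source address"),
                        ("iface", "by ingress interface")):
        out.append(title)
        for key, n in s[name].most_common():
            out.append(f"  {key:<24} {n}")
    return "\n".join(out)


# Constructed sample: the seven lines from the post.
SAMPLE_LOG = [
    "[ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP SPT=48397 DPT=9053 LEN=46",
    "[ 2550.550000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40926 DF PROTO=UDP SPT=47905 DPT=9053 LEN=50",
    "[ 2563.880000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=43508 DF PROTO=UDP SPT=37506 DPT=9053 LEN=44",
    "[ 2574.950000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP SPT=28425 DPT=9053 LEN=50",
    "[ 2586.200000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=46793 DF PROTO=UDP SPT=37394 DPT=9053 LEN=46",
    "[ 2598.680000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48473 DF PROTO=UDP SPT=57058 DPT=9053 LEN=44",
    "[ 2611.290000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=58998 DF PROTO=UDP SPT=58128 DPT=9053 LEN=48",
]

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the router itself the same parser can be fed the live kernel ring buffer, for example `dmesg | grep 'iptables denied:'` piped into the script, which turns the `--limit 5/min` sample the LOG rule produces into a per-port and per-client count instead of a stream of lines.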