1

Topic: tor nftables

OpenWrt 22.03.2, r19803-9a599fee93

I installed tor, but I don't know how to convert these rules from the guide (they were added to firewall.user) to nftables:

    . /lib/functions/network.sh
    # resolve the physical device behind the "guest" interface (e.g. br-guest) into $IFNAME
    network_get_physdev IFNAME guest

    # note: "-I" inserts at the top of nat PREROUTING, so the last line below ends up evaluated first
    iptables -t nat -I PREROUTING -i "$IFNAME" -p tcp --dport 22 -j REDIRECT --to-ports 22
    iptables -t nat -I PREROUTING -i "$IFNAME" -p tcp --dport 9050 -j REDIRECT --to-ports 9050
    iptables -t nat -I PREROUTING -i "$IFNAME" -p udp --dport 53 -j REDIRECT --to-ports 9053
    iptables -t nat -I PREROUTING -i "$IFNAME" -p tcp --syn -j REDIRECT --to-ports 9040

Tor itself seems to start correctly, but I have no connection:

Mon Dec 19 20:19:49 2022 daemon.notice Tor[2152]: Bootstrapped 72% (loading_descriptors): Loading relay descriptors
Mon Dec 19 20:19:49 2022 daemon.notice Tor[2152]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Mon Dec 19 20:19:50 2022 daemon.notice Tor[2152]: Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
Mon Dec 19 20:19:50 2022 daemon.notice Tor[2152]: Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
Mon Dec 19 20:19:50 2022 daemon.notice Tor[2152]: Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
Mon Dec 19 20:19:50 2022 daemon.notice Tor[2152]: Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Mon Dec 19 20:19:50 2022 daemon.notice Tor[2152]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Mon Dec 19 20:19:50 2022 daemon.notice Tor[2152]: Bootstrapped 100% (done): Done

2

Re: tor nftables

Make normal firewall rules: https://openwrt.org/docs/guide-user/services/tor/client

Got a router you don't need, broken or not? I'll gladly take it in.

3

Re: tor nftables

ok, yes, I'm looking at that now

4 (edited by ad2014 2022-12-24 15:14:46)

Re: tor nftables

I was fiddling with those rules and broke something, and I can't figure out what. The problem is that from the guest network I can't display any page, as if DNS weren't working; pings by IP work (e.g. I can ping 8.8.8.8), but a hostname is unreachable.
I did the whole thing according to Cezary's guide. For now I've removed tor and want to get only the guest network running, so that I can then move on to configuring tor.
Qualcomm Atheros QCA9880 802.11bgnac
OpenWrt 22.03.2 r19803-9a599fee93

root@OpenWrt:/etc/config# cat /etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'ssh'
    option src 'wan'
    option src_ip '192.168.1.1/24'
    option target 'ACCEPT'
    option proto 'tcp'
    option dest_port '22'

config rule
    option name 'luci'
    option src 'wan'
    option src_ip '192.168.1.1/24'
    option target 'ACCEPT'
    option proto 'tcp'
    option dest_port '80'

config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'guest'
    option dest 'wan'

config rule
    option src 'guest'
    option proto 'udp'
    option src_port '67-68'
    option dest_port '67-68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option src 'guest'
    option dest_port '53'
    option target 'ACCEPT'
    option family 'ipv4'
    option proto 'tcpudp'
root@OpenWrt:/etc/config# cat /etc/config/network

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdac:f89e:cdb3::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan0'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config device
    option name 'wan'
    option macaddr '7a:51:44:6e:25:94'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'

config interface 'guest'
    option device 'br-guest'
    option proto 'static'
    option ipaddr '172.16.0.1'
    option netmask '255.240.0.0'

config device
    option name 'br-guest'
    option type 'bridge'
    option bridge_empty '1'
root@OpenWrt:/etc/config# cat /etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option ednspacket_max '1232'
    option boguspriv '0'
    option rebind_protection '0'
    option noresolv '1'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    option ra_slaac '1'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config dhcp 'guest'
    option start '100'
    option limit '150'
    option leasetime '2h'
    option interface 'guest'
root@OpenWrt:/etc/config# cat /etc/config/wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option hwmode '11a'
    option path '1a140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
    option htmode 'VHT80'
    option cell_density '0'
    option channel '48'
    option country 'PL'
    option disabled '0'

config wifi-iface 'radio5AP'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'BR2'
    option encryption 'psk2'
    option key 'xxxxxxxxxx'

config wifi-iface 'radio5STA'
    option device 'radio0'
    option mode 'sta'
    option ssid 'H2O5G'
    option encryption 'psk2'
    option key 'xxxxxxxxxxxx'
    option network 'wwan5'

config wifi-iface 'guest'
    option device 'radio0'
    option mode 'ap'
    option network 'guest'
    option ssid 'dom_goscinna'
    option encryption 'psk2'
    option key 'zzzzzzzz'

When I did it the first time the guest network worked; now something doesn't work.

5

Re: tor nftables

Fixed it. I don't know what it was; I wiped it and redid it from scratch.
root@OpenWrt:~# nft list chain inet fw4 dstnat_guest
table inet fw4 {
    chain dstnat_guest {
        meta nfproto ipv4 tcp dport 0-65535 counter packets 49 bytes 2940 redirect to :9040 comment "!fw4: TransPort"
        meta nfproto ipv4 udp dport 53 counter packets 20 bytes 1223 redirect to :9053 comment "!fw4: DNSPort"
        meta nfproto ipv4 tcp dport 9050 counter packets 0 bytes 0 redirect to :9050 comment "!fw4:  SocksPort"
    }
}
It looks like it works, but the log is flooding me with this:

Sat Dec 24 21:47:36 2022 daemon.warn Tor[2105]: Rejecting request for anonymous connection to private address [scrubbed] on a TransPort or NATDPort.  Possible loop in your NAT rules? [59 similar message(s) suppressed in last 360 seconds]
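
For the conversion asked about in post 1 and the "Possible loop in your NAT rules?" warning in post 5, here is an added example; it is not code from this thread or from either guide. It expresses the four iptables REDIRECT rules as one nftables chain that fw4 loads next to its own rules, with the catch-all TCP redirect ordered last (in the chain printed in post 5 the catch-all sits first, which is why the SocksPort rule below it shows 0 packets) and with private destinations exempted from the TransPort redirect. Assumptions: the guest bridge is br-guest (as in post 4's /etc/config/network), the Tor ports are the ones from the iptables rules (9040 TransPort, 9053 DNSPort, 9050 SocksPort), and fw4 on 22.03 includes every /etc/nftables.d/*.nft file inside its own `table inet fw4`, so the file defines a chain only and has no table wrapper; the file name and chain name are my choice. If you use it, delete the three UCI `config redirect` sections that produced the dstnat_guest chain in post 5, otherwise fw4's chain still redirects the exempted destinations to 9040.

```nft
# /etc/nftables.d/10-tor-guest.nft  (file name assumed; fw4 includes /etc/nftables.d/*.nft
# inside "table inet fw4", so there is deliberately no "table inet fw4 { }" wrapper here)
#
# Base chain on the same nat prerouting hook as fw4's own "dstnat" chain (priority dstnat = -100),
# placed one step earlier so it is evaluated first. nat chains only see the first packet of a
# connection, so a "return" here leaves that whole connection untouched.
chain tor_guest_dstnat {
	type nat hook prerouting priority -101; policy accept;

	# Only the guest bridge, IPv4 only (the iptables rules were IPv4 only, and the guest
	# interface in post 4 has no IPv6 assignment anyway).
	iifname != "br-guest" return
	meta nfproto ipv6 return

	# DNS -> Tor DNSPort. Kept ahead of the private-address exemption on purpose: guests send
	# DNS to the router's own 172.16.0.1, and that must still land on DNSPort, otherwise
	# dnsmasq would resolve it over the clearnet WAN.
	udp dport 53 redirect to :9053 comment "Tor DNSPort"

	# Same effect as the iptables "--dport 9050 -> 9050" and "--dport 22 -> 22" rules: any
	# destination on those ports is pulled onto the router's own SocksPort / sshd. Remove
	# both lines if that is not wanted (the guest zone has input REJECT, so sshd is not
	# reachable from guest anyway unless a rule allows it).
	tcp dport 9050 redirect to :9050 comment "Tor SocksPort"
	tcp dport 22 redirect to :22 comment "router sshd"

	# Do not push TCP to private, link-local or loopback destinations into Tor. Tor refuses
	# such requests on a TransPort ("Rejecting request for anonymous connection to private
	# address ... Possible loop in your NAT rules?"), so without this line every guest
	# connection to the router's LuCI or to another 172.16.0.0/12 host ends as that warning.
	ip daddr { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } return

	# Everything else: the first packet of each new TCP connection -> Tor TransPort.
	# "tcp flags & (fin|syn|rst|ack) == syn" is the nft spelling of iptables "--syn".
	tcp flags & (fin|syn|rst|ack) == syn redirect to :9040 comment "Tor TransPort"
}
```

Two things to check after `fw4 check` and `fw4 reload`: `nft list chain inet fw4 tor_guest_dstnat` should show counters moving on the DNSPort and TransPort lines while the private-address warning stops, and `redirect` rewrites the destination to the address of the interface the packet arrived on (172.16.0.1 here), so Tor's TransPort and DNSPort must be bound to that address or to 0.0.0.0, not only to 127.0.0.1. Separately, for the symptom in post 4 (IPs ping, names don't): the posted /etc/config/dhcp has `option noresolv '1'` and no `list server` entry, so dnsmasq there has no upstream resolver at all once Tor's DNSPort is out of the picture.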

6 (edited by M4tEUSh 2024-05-25 12:34:43)

Re: tor nftables

Hi,
How do I configure the tor firewall rules for the guest network? The guide on the site is probably out of date.
After adding the rules from https://openwrt.org/docs/guide-user/services/tor/client only the guest network had a connection, and not through tor; there was no internet on the WAN, and it ended with a reset of the router settings.

7

Re: tor nftables

I checked and updated the guide: https://eko.one.pl/?p=openwrt-tor

It works for me.

Got a router you don't need, broken or not? I'll gladly take it in.