A few days ago the throughput of my Tor relay went down to nearly zero for
about 3 minutes. It turned out that the reason (maybe) was a change here
in my iptables rules. In particular, I switched these 2 lines:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
and then ran into problems a few hours later. And switched back ofc.
An explanation for the dropdown was given in [1]. Given that the
explanation is right:
How is the Tor application harmed if an attacker mangles packets so that
their state is INVALID for the conntrack module but they do pass
the RELATED,ESTABLISHED rule?
I use these rules, with the RELATED,ESTABLISHED rule extended by the "-m conntrack ! --ctstate INVALID" filter as recommended in [1] and placed before the INVALID DROP rule. Works like a charm and with no changes to the number of connections or traffic.
So the explanation that INVALID packets are passing through the RELATED,ESTABLISHED rule seems plausible. Sadly I can't answer your following question.
On 8/8/23 07:21, Toralf Förster wrote:
How is the Tor application harmed if an attacker mangles packets so that
their state is INVALID for the conntrack module but they do pass
the RELATED,ESTABLISHED rule?
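As an added example (not part of the thread and not either poster's actual configuration), the following POSIX shell snippet audits a ruleset in iptables-save format for the ordering question discussed above: it reports whether the "--ctstate INVALID -j DROP" rule in the INPUT chain comes before the "--ctstate RELATED,ESTABLISHED -j ACCEPT" rule, or whether that ACCEPT rule itself carries the "! --ctstate INVALID" guard from the reply. The three sample rulesets are constructed; the ORPort 9001 rule is a placeholder for whatever NEW-connection rules a relay actually has.

```shell
#!/bin/sh
# Constructed example: lint an iptables-save dump for the ordering of the
# INVALID drop and the RELATED,ESTABLISHED accept in the INPUT chain.
# Against a live box (as root):  iptables-save | check_invalid_first && echo ok

# Rule lines exactly as iptables-save renders them (sample values).
DROP_INVALID='-A INPUT -m conntrack --ctstate INVALID -j DROP'
ACCEPT_EST='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
ACCEPT_EST_GUARDED='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m conntrack ! --ctstate INVALID -j ACCEPT'
ACCEPT_LO='-A INPUT -i lo -j ACCEPT'
ACCEPT_ORPORT='-A INPUT -p tcp -m tcp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT'  # placeholder ORPort

# filter_table: wrap the given INPUT rules in a minimal *filter table.
filter_table() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    for rule in "$@"; do printf '%s\n' "$rule"; done
    printf 'COMMIT\n'
}

# Ordering 1: INVALID dropped first (the ordering the poster switched back to).
ruleset_invalid_first()     { filter_table "$DROP_INVALID" "$ACCEPT_EST" "$ACCEPT_LO" "$ACCEPT_ORPORT"; }
# Ordering 2: ESTABLISHED accepted first (the swap that preceded the throughput drop).
ruleset_established_first() { filter_table "$ACCEPT_EST" "$DROP_INVALID" "$ACCEPT_LO" "$ACCEPT_ORPORT"; }
# Ordering 3: ESTABLISHED accept first, but guarded with "! --ctstate INVALID" (the reply's variant).
ruleset_guarded()           { filter_table "$ACCEPT_EST_GUARDED" "$DROP_INVALID" "$ACCEPT_LO" "$ACCEPT_ORPORT"; }

# check_invalid_first: read iptables-save text on stdin.
# Exit 0 if the INVALID DROP precedes the RELATED,ESTABLISHED ACCEPT in INPUT,
# or if that ACCEPT rule is itself guarded by "! --ctstate INVALID".
# Exit 1 if INVALID packets are evaluated against the ACCEPT rule first.
# Exit 2 if no RELATED,ESTABLISHED ACCEPT rule exists in INPUT at all.
# Only the first matching rule of each kind is considered; a LOG target does not count as a drop.
check_invalid_first() {
    awk '
        /^-A INPUT / && /--ctstate INVALID -j DROP/ && !drop { drop = NR }
        /^-A INPUT / && /--ctstate RELATED,ESTABLISHED/ && /-j ACCEPT/ && !acc {
            acc = NR
            if ($0 ~ /! --ctstate INVALID/) guarded = 1
        }
        END {
            if (acc == 0) exit 2
            if (guarded) exit 0
            if (drop > 0 && drop < acc) exit 0
            exit 1
        }'
}

# Demo over the three constructed rulesets: ./lint.sh demo
if [ "${1:-}" = "demo" ]; then
    for rs in ruleset_invalid_first ruleset_established_first ruleset_guarded; do
        if $rs | check_invalid_first; then
            echo "$rs: INVALID packets are dropped before the ESTABLISHED accept (ok)"
        else
            echo "$rs: INVALID packets reach the ESTABLISHED accept rule first (check ordering)"
        fi
    done
fi
```

The check is deliberately strict about the rendered form: it keys on the strings iptables-save emits for the conntrack match, so a ruleset loaded through nftables' iptables compatibility layer should still pass through `iptables-save` (or `iptables-nft-save`) before being fed in.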