firewall: Accept inbound Tor traffic before applying the location filter

Inbound Tor traffic conflicts with the Location Block, as inbound connections
have to be accepted from many parts of the world. To solve this,
inbound Tor traffic has to be accepted before jumping into the Location Block
chain.

Note this affects Tor relay operators only.

Rolled forward as ongoing from
https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org/;
note that the documentation in the wiki needs to be updated once this has landed
in production.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This commit is contained in:
Peter Müller
2021-12-18 14:47:56 +01:00
parent 0e7bfb1343
commit 4d25c1f39a
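The ordering problem the commit message describes comes from how netfilter walks chains: the first terminating target (ACCEPT or DROP) wins, and a user chain that finishes without a verdict falls back to the next rule of the caller. The model below, added here as an illustration and not part of IPFire's code, evaluates a few constructed packets against both orderings of the TOR_INPUT and LOCATIONBLOCK jumps. The ORPort 9001, the blocked country code "XX", the DROP policy and the extra port-443 accept rule are assumptions for the example.

```python
"""
Added example (not IPFire's code): a small model of netfilter chain traversal
showing why the TOR_INPUT jump must precede the LOCATIONBLOCK jump in INPUT.
All ports, country codes and rules here are constructed for illustration:
ORPort 9001 is the assumed relay port and "XX" an assumed blocked country.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"
TERMINAL = {ACCEPT, DROP}


@dataclass
class Packet:
    src_country: str   # country the source address is geolocated to
    dport: int         # destination TCP port


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str        # ACCEPT, DROP, RETURN or the name of a user chain


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: str = DROP  # assumed INPUT policy for traffic nothing matched

    def walk(self, chain: str, pkt: Packet, depth: int = 0) -> Optional[str]:
        """First matching terminal target wins; a user chain that ends with
        no verdict (or hits RETURN) hands control back to the caller."""
        assert depth < 16, "chain recursion too deep"
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == RETURN:
                return None
            verdict = self.walk(rule.target, pkt, depth + 1)
            if verdict is not None:
                return verdict
        return None

    def verdict(self, pkt: Packet) -> str:
        return self.walk("INPUT", pkt) or self.policy


def build(tor_before_location: bool, orport: int = 9001,
          blocked: Tuple[str, ...] = ("XX",)) -> Ruleset:
    """Build INPUT with the two jumps in the requested order.

    The TOR_INPUT accept rule is deliberately narrow (relay port only):
    anything it accepts never reaches LOCATIONBLOCK."""
    rs = Ruleset()
    rs.chains["LOCATIONBLOCK"] = [Rule(lambda p: p.src_country in blocked, DROP)]
    rs.chains["TOR_INPUT"] = [Rule(lambda p: p.dport == orport, ACCEPT)]
    jumps = [Rule(lambda p: True, "TOR_INPUT"),
             Rule(lambda p: True, "LOCATIONBLOCK")]
    if not tor_before_location:
        jumps.reverse()
    # an unrelated service (assumed: HTTPS) that must still be location-filtered
    rs.chains["INPUT"] = jumps + [Rule(lambda p: p.dport == 443, ACCEPT)]
    return rs


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict before this commit, verdict after this commit)."""
    return build(False).verdict(pkt), build(True).verdict(pkt)


if __name__ == "__main__":
    for pkt in (Packet("XX", 9001), Packet("XX", 443),
                Packet("DE", 9001), Packet("DE", 22)):
        old, new = compare(pkt)
        print(f"{pkt.src_country} -> :{pkt.dport}  old={old:6}  new={new}")
```

The relay connection from a blocked country is the only case that changes verdict; HTTPS from the same country is still dropped because TOR_INPUT returns without a verdict and the walk continues into LOCATIONBLOCK. The flip side is that whatever the TOR_INPUT chain accepts is exempt from the location filter, so the rules placed in it must match nothing beyond the relay ports.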


@@ -227,6 +227,10 @@ iptables_init() {
iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
fi
# Tor (inbound)
iptables -N TOR_INPUT
iptables -A INPUT -j TOR_INPUT
# Location Block
iptables -N LOCATIONBLOCK
iptables -A INPUT -j LOCATIONBLOCK
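Review bot: with the jump placed here, every ACCEPT rule later populated into TOR_INPUT short-circuits LOCATIONBLOCK for the traffic it matches, so the rules that fill this chain must stay narrow (the relay's ORPort/DirPort only, and only while the relay is enabled); a broad match there would silently defeat the location filter for everything it accepts. Since this hunk only creates the chain and places the jump (`iptables -N TOR_INPUT` / `iptables -A INPUT -j TOR_INPUT`), consider adding a comment stating that the position before `# Location Block` is deliberate and must not be reordered, and, as the commit message already notes, the wiki page on the Location Block should document this exception for relay operators.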
@@ -260,9 +264,7 @@ iptables_init() {
iptables -N OVPNINPUT
iptables -A INPUT -j OVPNINPUT
# Tor (inbound and outbound)
iptables -N TOR_INPUT
iptables -A INPUT -j TOR_INPUT
# Tor (outbound)
iptables -N TOR_OUTPUT
iptables -A OUTPUT -j TOR_OUTPUT
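Review bot: removing the jump from this position and placing it before LOCATIONBLOCK also moves TOR_INPUT ahead of everything else appended to INPUT between the two locations, OVPNINPUT included (`iptables -A INPUT -j OVPNINPUT` is now evaluated after it); this looks harmless because TOR_INPUT is expected to match only the relay ports, but the change affects more than the location filter, and the commit message should say so. The comment rename to `# Tor (outbound)` is correct, since only TOR_OUTPUT remains in this block.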