hello everyone. I was followed tor guide in here:
https://openwrt.org/docs/guide-user/services/tor/client
But I don't want to redirect entire request to tor. Only few selected domain names like: wikipedia.org or pastebin.com Otherwise most pages show chapta login which is not desired. How can I do this? redirect specific domain name to 9053 port maybe?
Maybe redirect matching an ipset with the sites you want?
How can I do that?
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_ipset
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls#blocking_ips_based_on_their_domainnames_fqdn_hostnames
Nope I don't want to block it I just need them to re-route to tor network.
I know you don't want to block it.
The examples are for how to use ipsets.
What you will do with ipsets is another thing.
Well can you give me example if its not to much of hassle for you? thanks
I have not done it myself.
So read the documentation, create the ipset, then use the example rule that drops the packets and adopt it to redirect them to the tor.
Maybe someone who already did what I want may write here because I need this and still couldn't manage it. I tried example in your link but still nope
/etc/config/dhcp
list ipset '/pastebin.com/wikipedia.org/routetotor'
/etc/config/firewall
config ipset
option enabled '1'
option name 'routetotor'
option match 'ip'
option storage 'hash'
config rule
option src 'LAN'
option name 'Tor Router'
option dest 'wan'
option target 'ACCEPT'
option ipset 'routetotor dest'
list proto 'tcp'
list proto 'udp'
option src_dport "9053"
The last one should not be a rule, but a redirect.
Target is DNAT, not ACCEPT.
src_dport is the original destination port, should be 80 or 443 for http and https
Then you need a dest_port with the tor port.
That work but now router refuse web, scp or ssh connection I can't reach it to modify something...
There is a warning in the tor page
Set up uHTTPd to listen on alternative ports if required.
I suppose you didn't redirect just ports 80 and 443, but 22 as well which is not necessary in your scenario.
You can try to connect from wan, or with ipv6 if you didn't apply the nat6 redirects.
Otherwise reset the router to defaults and start over.
I just Intercept SSH, DNS and TCP traffic but not HTTP/HTTPS for other domains or didn't disable lan to wan forwarding ( should I? If I do that would it block un-routed requests too?) and I forgot to set alternative ports but connections works even I can't reach router ATM. I will start over and try with uhttpd. If everything ok I will add it in tor page for future use to anyone else.
Since you want to redirect only a few sites, then you should not block lan to wan forwarding.
Also port 22 is not needed to redirected.
Whether you will intercept DNS it is up to you.
Allright I am reset router and start over but one thing got my attention. Seems like source LAN cause all network redirecting. Right now even google ask chapta and youtube says I am in France Did I do something wrong?
config redirect
option src 'LAN'
option name 'Tor Router'
option dest 'wan'
option target 'DNAT'
option ipset 'routetotor dest'
list proto 'tcp'
list proto 'udp'
option src_dport '80'
option dest_port '9040'
The redirect looks right. Let's see the iptables though:
iptables-save -c ; ip6tables-save -c
Verify with ipset list
that the correct addresses are in the routetotor ipset. Also keep in mind that if servers are multi-homed its not possible to distinguish in the firewall.
Ok here it is. I only intercept DNS this time but not TCP nothing route to tor:
> # Generated by iptables-save v1.8.3 on Sun Apr 26 12:31:10 2020
> *nat
> :PREROUTING ACCEPT [84:14597]
> :INPUT ACCEPT [8:769]
> :OUTPUT ACCEPT [15:2141]
> :POSTROUTING ACCEPT [1:120]
> :postrouting_lan_rule - [0:0]
> :postrouting_rule - [0:0]
> :postrouting_wan_rule - [0:0]
> :prerouting_lan_rule - [0:0]
> :prerouting_rule - [0:0]
> :prerouting_wan_rule - [0:0]
> :zone_lan_postrouting - [0:0]
> :zone_lan_prerouting - [0:0]
> :zone_wan_postrouting - [0:0]
> :zone_wan_prerouting - [0:0]
> [87:14793] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
> [62:9267] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
> [25:5526] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
> [69:6071] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
> [0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
> [69:6071] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
> [0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
> [62:9267] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
> [3:196] -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 9053
> [69:6071] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
> [69:6071] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
> [25:5526] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
> COMMIT
> # Completed on Sun Apr 26 12:31:10 2020
> # Generated by iptables-save v1.8.3 on Sun Apr 26 12:31:10 2020
> *mangle
> :PREROUTING ACCEPT [4906:801832]
> :INPUT ACCEPT [3206:263658]
> :FORWARD ACCEPT [1676:528739]
> :OUTPUT ACCEPT [4901:621363]
> :POSTROUTING ACCEPT [6569:1149782]
> [21:1008] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
> COMMIT
> # Completed on Sun Apr 26 12:31:10 2020
> # Generated by iptables-save v1.8.3 on Sun Apr 26 12:31:10 2020
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :forwarding_lan_rule - [0:0]
> :forwarding_rule - [0:0]
> :forwarding_wan_rule - [0:0]
> :input_lan_rule - [0:0]
> :input_rule - [0:0]
> :input_wan_rule - [0:0]
> :output_lan_rule - [0:0]
> :output_rule - [0:0]
> :output_wan_rule - [0:0]
> :reject - [0:0]
> :syn_flood - [0:0]
> :zone_lan_dest_ACCEPT - [0:0]
> :zone_lan_forward - [0:0]
> :zone_lan_input - [0:0]
> :zone_lan_output - [0:0]
> :zone_lan_src_ACCEPT - [0:0]
> :zone_wan_dest_ACCEPT - [0:0]
> :zone_wan_dest_REJECT - [0:0]
> :zone_wan_forward - [0:0]
> :zone_wan_input - [0:0]
> :zone_wan_output - [0:0]
> :zone_wan_src_REJECT - [0:0]
> [0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
> [3212:263898] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
> [3193:262158] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
> [2:96] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
> [7:737] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
> [12:1003] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
> [1676:528739] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
> [1588:512982] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
> [88:15757] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
> [0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
> [0:0] -A FORWARD -m comment --comment "!fw3" -j reject
> [0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
> [4913:623139] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
> [4896:620854] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
> [2:224] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
> [15:2061] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
> [10:939] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
> [0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
> [2:96] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
> [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
> [2:224] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
> [88:15757] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
> [88:15757] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
> [0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
> [0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
> [7:737] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
> [3:196] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
> [4:541] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
> [2:224] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
> [2:224] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
> [4:541] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
> [8:320] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
> [95:17498] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
> [0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
> [0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
> [0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
> [0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
> [0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
> [0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
> [12:1003] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
> [0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
> [0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
> [2:64] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
> [0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
> [10:939] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
> [15:2061] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
> [15:2061] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
> [10:939] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
> COMMIT
> # Completed on Sun Apr 26 12:31:10 2020
> # Generated by ip6tables-save v1.8.3 on Sun Apr 26 12:31:10 2020
> *mangle
> :PREROUTING ACCEPT [33:7039]
> :INPUT ACCEPT [26:2139]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [27:3573]
> :POSTROUTING ACCEPT [27:3573]
> [0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
> COMMIT
> # Completed on Sun Apr 26 12:31:10 2020
> # Generated by ip6tables-save v1.8.3 on Sun Apr 26 12:31:10 2020
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :forwarding_lan_rule - [0:0]
> :forwarding_rule - [0:0]
> :forwarding_wan_rule - [0:0]
> :input_lan_rule - [0:0]
> :input_rule - [0:0]
> :input_wan_rule - [0:0]
> :output_lan_rule - [0:0]
> :output_rule - [0:0]
> :output_wan_rule - [0:0]
> :reject - [0:0]
> :syn_flood - [0:0]
> :zone_lan_dest_ACCEPT - [0:0]
> :zone_lan_forward - [0:0]
> :zone_lan_input - [0:0]
> :zone_lan_output - [0:0]
> :zone_lan_src_ACCEPT - [0:0]
> :zone_wan_dest_ACCEPT - [0:0]
> :zone_wan_dest_REJECT - [0:0]
> :zone_wan_forward - [0:0]
> :zone_wan_input - [0:0]
> :zone_wan_output - [0:0]
> :zone_wan_src_REJECT - [0:0]
> [0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
> [26:2139] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
> [1:122] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
> [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
> [25:2017] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
> [0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
> [0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
> [0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
> [0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
> [0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
> [0:0] -A FORWARD -m comment --comment "!fw3" -j reject
> [0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
> [27:3573] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
> [13:2457] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
> [12:816] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
> [2:300] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
> [0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
> [0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
> [0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
> [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
> [12:816] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
> [0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
> [0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
> [0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
> [25:2017] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
> [25:2017] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
> [12:816] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
> [12:816] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
> [25:2017] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
> [0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
> [2:300] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
> [0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
> [0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
> [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
> [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
> [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
> [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
> [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
> [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
> [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
> [0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
> [0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
> [0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
> [0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
> [0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
> [0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
> [0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
> [0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
> [0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
> [0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
> [2:300] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
> [2:300] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
> [0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
> COMMIT
> # Completed on Sun Apr 26 12:31:10 2020
If I intercept TCP connection everything route to tor and I can't reach router anymore
> uci -q delete firewall.tcp_int
> uci set firewall.tcp_int="redirect"
> uci set firewall.tcp_int.name="Intercept-TCP"
> uci set firewall.tcp_int.src="lan"
> uci set firewall.tcp_int.dest_port="9040"
> uci set firewall.tcp_int.family="ipv4"
> uci set firewall.tcp_int.proto="tcp"
> uci set firewall.tcp_int.extra="--syn"
> uci set firewall.tcp_int.target="DNAT
> "uci commit firewall
> /etc/init.d/firewall restart
Please use the "Preformatted text </>
" button for logs, scripts, configs and general console output.
Please edit your posting accordingly.
Thanks!
Ops. Clicked wrong button. Ok. How about now?
The DNS interception looks fine and you have 3 hits.
Which makes sense since you are using tcp to access the router.
Make a rule in prerouting to accept the packets destined to the router itself from the lan.