Redirect domain name request to tor network

OK, how am I going to do it with prerouting? The router doesn't accept SSH connections right now, but I have access to LuCI since I set alternative ports... wait, forget that, even the alternative ports are not reachable :S The TCP intercept catches them all :S It seems I will need another reset, but we are getting close...

As far as I know there is no way to do it in Luci directly. You'll have to write the iptables command in /etc/firewall.user so that it runs when you start the firewall.
# Insert an ACCEPT at the top of the custom LAN prerouting chain (nat table).
# In the dumps on this page zone_lan_prerouting jumps to prerouting_lan_rule
# before the Intercept-DNS / Intercept-TCP REDIRECT rules, so packets addressed
# to the router itself (192.168.1.1 here) are never redirected to Tor and
# SSH / LuCI stay reachable. The same exemption applies to DNS queries sent to
# the router: they are answered by dnsmasq rather than by Tor's DNSPort.
iptables -t nat -I prerouting_lan_rule -d 192.168.1.1 -j ACCEPT

here it is with DNS and TCP intercept, alternative ports, prerouting:

# Generated by iptables-save v1.8.3 on Mon Apr 27 16:28:31 2020
*nat
:PREROUTING ACCEPT [342:55401]
:INPUT ACCEPT [263:15015]
:OUTPUT ACCEPT [499:36078]
:POSTROUTING ACCEPT [3:204]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[593:69318] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[557:64932] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[36:4386] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[627:68629] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[624:68425] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[84:5782] -A prerouting_lan_rule -d 192.168.1.1/32 -j ACCEPT
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[557:64932] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 9053
[196:10096] -A zone_lan_prerouting -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
[624:68425] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[624:68425] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[36:4386] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Apr 27 16:28:31 2020
# Generated by iptables-save v1.8.3 on Mon Apr 27 16:28:31 2020
*mangle
:PREROUTING ACCEPT [37343:32111828]
:INPUT ACCEPT [32959:28704689]
:FORWARD ACCEPT [4190:3388661]
:OUTPUT ACCEPT [28109:24416060]
:POSTROUTING ACCEPT [32265:27803349]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Apr 27 16:28:31 2020
# Generated by iptables-save v1.8.3 on Mon Apr 27 16:28:31 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[53:9294] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[32907:28695435] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[32353:28658760] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[198:10200] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[442:29517] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[112:7158] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[4190:3388661] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[4031:3347173] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[159:41488] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[18:1755] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[28094:24415033] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[27532:24375371] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:275] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[559:39387] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[58:3658] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[8:1936] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[198:10200] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[3:275] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[159:41488] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[159:41488] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[442:29517] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[196:10096] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[246:19421] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[3:275] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[3:275] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[246:19421] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[34:1372] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[684:79503] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[112:7158] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[46:1564] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[66:5594] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[559:39387] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[559:39387] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[66:5594] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Apr 27 16:28:31 2020
# Generated by ip6tables-save v1.8.3 on Mon Apr 27 16:28:31 2020
*mangle
:PREROUTING ACCEPT [690:56591]
:INPUT ACCEPT [521:44245]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [542:67898]
:POSTROUTING ACCEPT [545:68050]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Apr 27 16:28:31 2020
# Generated by ip6tables-save v1.8.3 on Mon Apr 27 16:28:31 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[521:44245] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[518:44093] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[3:152] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[542:67898] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[338:50076] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[172:13320] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[32:4502] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[172:13320] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[518:44093] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[518:44093] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[172:13320] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[172:13320] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[518:44093] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[32:4502] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[3:152] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[3:152] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[32:4502] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[32:4502] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Apr 27 16:28:31 2020

Some sites work, some don't :S e.g. pastebin.com is still not reachable

I see quite a lot of tcp flags here, but the tutorial mentions only syn.

[196:10096] -A zone_lan_prerouting -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040

Moreover, I don't see any ipset match in place, so every new TCP connection from the LAN should be getting redirected to Tor, not only the listed domains. You should debug on the Tor side too, to verify why it isn't working.

OK, this is a step-by-step list of what I did, so have a look at where it goes wrong:

1 – Reset router setup password
2 – Alternative ports set from ssh

# Move the uhttpd (LuCI web server) listeners to the alternative ports 8080
# (HTTP) and 8443 (HTTPS): drop the existing listen lists, then re-add them.
# 0.0.0.0 and [::] bind every IPv4 / IPv6 address of the router, not only the
# LAN one; whether WAN hosts can reach these ports is decided by the firewall
# (in the dumps on this page WAN input ends in zone_wan_src_REJECT).
uci -q delete uhttpd.main.listen_http
uci add_list uhttpd.main.listen_http="0.0.0.0:8080"
uci add_list uhttpd.main.listen_http="[::]:8080"
uci -q delete uhttpd.main.listen_https
uci add_list uhttpd.main.listen_https="0.0.0.0:8443"
uci add_list uhttpd.main.listen_https="[::]:8443"
# Persist the change, then restart uhttpd so it picks up the new listeners.
uci commit uhttpd
/etc/init.d/uhttpd restart

3 – Put prerouting in /etc/firewall.user

# Exempt traffic addressed to the router (192.168.1.1) from the nat REDIRECT
# rules so that management access is not sent to Tor's TransPort. -I puts the
# rule first in prerouting_lan_rule; /etc/firewall.user is run on firewall start.
iptables -t nat -I prerouting_lan_rule -d 192.168.1.1 -j ACCEPT

4 – Add ipset line in /etc/config/dhcp under dnsmasq

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	# Addresses that dnsmasq resolves for pastebin.com and torproject.org are
	# added to the ipset 'routetotor', which the firewall redirects match on.
	# This needs dnsmasq-full and kmod-ipt-ipset (see the install line quoted
	# later on this page). Only lookups answered by this dnsmasq populate the
	# set: a LAN client that uses another resolver, or whose port-53 queries
	# are intercepted elsewhere, never adds entries, and its connections to
	# these sites will not match the set.
	list ipset '/pastebin.com/torproject.org/routetotor'

5 – Tor install and base setup

# Install Tor from the package feed.
opkg update
opkg install tor
# Edit /etc/tor/torrc in place: comment out any existing AutomapHostsOnResolve,
# VirtualAddrNetwork*, DNSPort and TransPort lines, then append the settings
# below at the end of the file. "\$a" is sed's append-after-last-line command;
# the backslash stops the shell expanding $a inside the double quotes.
# NOTE(review): DNSPort and TransPort are bound to 0.0.0.0 and [::], i.e. every
# interface of the router. In the dumps on this page WAN input falls through to
# zone_wan_src_REJECT, so exposure depends entirely on that firewall policy;
# binding both ports to the LAN address instead would remove that dependency.
sed -i -e "
/^AutomapHostsOnResolve/s/^/#/
\$a AutomapHostsOnResolve 1
/^VirtualAddrNetwork/s/^/#/
\$a VirtualAddrNetworkIPv4 172.16.0.0/12
\$a VirtualAddrNetworkIPv6 fc00::/7
/^DNSPort/s/^/#/
\$a DNSPort 0.0.0.0:9053
\$a DNSPort [::]:9053
/^TransPort/s/^/#/
\$a TransPort 0.0.0.0:9040
\$a TransPort [::]:9040
" /etc/tor/torrc
# Restart Tor so the new ports and automap settings take effect.
/etc/init.d/tor restart

6 – Firewall DNS and TCP intercepts setup

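# Intercept-DNS: redirect LAN DNS queries (UDP port 53) to Tor's DNSPort 9053.
# Deleting the section first lets the snippet be re-run without duplicates.
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.dest_port="9053"
uci set firewall.dns_int.family="ipv4"
uci set firewall.dns_int.proto="udp"
uci set firewall.dns_int.target="DNAT"
# Intercept-TCP: redirect new TCP connections (--syn) from the LAN to Tor's
# TransPort 9040.
# NOTE(review): this rule has no src_dport and no ipset match, so it catches
# every new LAN TCP connection, not only the domains in 'routetotor'. The
# iptables-save dumps on this page show it as an unconditional REDIRECT.
# Both redirects are family ipv4 only, and the ip6tables dump on this page has
# no nat table, so LAN IPv6 traffic is not redirected by them and would bypass
# Tor wherever IPv6 connectivity exists.
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.family="ipv4"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.target="DNAT"
uci commit firewall
# Absolute path: "etc/init.d/firewall restart" only resolves when the current
# directory is /, so from any other directory the committed rules would not be
# loaded.
/etc/init.d/firewall restart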

7 – Adding ipset route to /etc/config/firewall file

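# Set that dnsmasq fills with the resolved addresses of the domains to route
# through Tor (see the 'list ipset' line in /etc/config/dhcp).
config ipset
	option enabled '1'
	option name 'routetotor'
	option match 'ip'
	option storage 'hash'

# Redirect LAN connections whose destination address is in 'routetotor' and
# whose destination port is 80 to Tor's TransPort 9040.
# 'src' must name the zone exactly as it is defined: zone names are
# case-sensitive and the zone on this page is 'lan' (chains zone_lan_*), so the
# original 'LAN' does not refer to an existing zone. This is consistent with
# `iptables-save -c | grep routetotor` printing nothing in the thread.
# NOTE(review): Tor's TransPort handles TCP; confirm the 'udp' entry is intended.
config redirect
	option src 'lan'
	option name 'TorHTTP'
	option dest 'wan'
	option target 'DNAT'
	option ipset 'routetotor dest'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '80'
	option dest_port '9040'

# Same redirect for destination port 443.
config redirect
	option src 'lan'
	option name 'TorHTTPs'
	option dest 'wan'
	option target 'DNAT'
	option ipset 'routetotor dest'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '443'
	option dest_port '9040'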

What am I missing?

I don't think that there is something missing.
Step 3 is excluding the traffic to your router from redirections. So the alternative ports on step 2 should not be necessary anyway.

Next you need to see if the firewall rules have hits when you try to access these sites.
iptables-save -c | grep routetotor
Likewise there should not be any hit increase when you visit other sites.
Then you need to verify that tor server is indeed receiving the packets
tcpdump -i any -vn tcp port 9040
Check the troubleshooting guide if there is anything suspicious.

tcpdump gives just one line of output:

 tcpdump -i any -vn tcp port 9040
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes

iptables-save gives no output:

iptables-save -c | grep routetotor

pastebin and imgur are reachable, but torproject is still not reachable. It is in the ipset line, but not reachable from the Tor network itself? I just checked and the page isn't down right now :S and Tor Browser/bundle can reach it. Maybe it needs SOCKS5 routing?

Try it again like this: iptables-save -c | grep -i tor

Still nothing. Well, does this command save its output to a file like "/etc/logs" or print directly to the terminal?

Very interesting other pages work but not tor page itself :thinking:

It is printing to terminal, skip the | grep -i tor

we got it here it is:

# Generated by iptables-save v1.8.3 on Wed Apr 29 23:03:06 2020
*nat
:PREROUTING ACCEPT [10286:1844475]
:INPUT ACCEPT [6478:353419]
:OUTPUT ACCEPT [3836:274625]
:POSTROUTING ACCEPT [6:648]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[16724:2190099] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[9371:891628] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[7353:1298471] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[6234:575923] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:376] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[6228:575275] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[1591:113410] -A prerouting_lan_rule -d 192.168.1.1/32 -j ACCEPT
[2:376] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[9371:891628] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3 : Intercept-DNS" -j REDIRECT --to-ports 9053
[4867:233656] -A zone_lan_prerouting -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
[6228:575275] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[6228:575275] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[7353:1298471] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan pre                          routing rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Apr 29 23:03:06 2020
# Generated by iptables-save v1.8.3 on Wed Apr 29 23:03:06 2020
*mangle
:PREROUTING ACCEPT [559723:400734010]
:INPUT ACCEPT [473191:387331473]
:FORWARD ACCEPT [78838:11885927]
:OUTPUT ACCEPT [492035:378901797]
:POSTROUTING ACCEPT [570802:390785481]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --co                          mment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Apr 29 23:03:06 2020
# Generated by iptables-save v1.8.3 on Wed Apr 29 23:03:06 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[17:1633] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[473176:387329920] -A INPUT -m comment --comment "!fw3: Custom input rule chain"                           -j input_rule
[466243:386941664] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m commen                          t --comment "!fw3" -j ACCEPT
[4868:233704] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment                           --comment "!fw3" -j syn_flood
[6606:363948] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[327:24308] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[78838:11885927] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule c                          hain" -j forwarding_rule
[75034:11224243] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m commen                          t --comment "!fw3" -j ACCEPT
[3804:661684] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forwa                          rd
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[17:1633] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[492022:378901060] -A OUTPUT -m comment --comment "!fw3: Custom output rule chai                          n" -j output_rule
[488149:378623718] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comme                          nt --comment "!fw3" -j ACCEPT
[3:725] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[3870:276617] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-r                          eset
[154:18772] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-p                          ort-unreachable
[4868:233704] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limi                          t --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[3:725] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[3804:661684] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forward                          ing rule chain" -j forwarding_lan_rule
[3804:661684] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan fo                          rwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3                          : Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6606:363948] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rul                          e chain" -j input_lan_rule
[4867:233656] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment                           "!fw3: Accept port redirections" -j ACCEPT
[1739:130292] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCE                          PT
[3:725] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule ch                          ain" -j output_lan_rule
[3:725] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1739:130292] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRAC                          KED -m comment --comment "!fw3" -j ACCEPT
[73:2920] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m co                          mment --comment "!fw3: Prevent NAT leakage" -j DROP
[7601:935381] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j A                          CCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule                           chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j                           zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3:                           Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3                          : Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[327:24308] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule                           chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: All                          ow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3                          : Allow-Ping" -j ACCEPT
[173:5536] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j                           ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3:                           Accept port redirections" -j ACCEPT
[154:18772] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[3870:276617] -A zone_wan_output -m comment --comment "!fw3: Custom wan output r                          ule chain" -j output_wan_rule
[3870:276617] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_AC                          CEPT
[154:18772] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reje                          ct
COMMIT
# Completed on Wed Apr 29 23:03:06 2020

There is a gap between the lines, please fix that.
Also have you replaced dnsmasq package with dnsmasq-full?

Do I need dnsmasq-full? I didn't know that. OK, I am replacing it now. Also, I can't see any gap between the lines; where is it?

I need 20 KB more space :s Is there a WDR4300 ROM without LuCI?

From the wikipage I posted earlier.

Install the package kmod-ipt-ipset and replace the package dnsmasq with dnsmasq-full: opkg update && opkg install kmod-ipt-ipset && opkg install dnsmasq-full

image

https://openwrt.org/docs/guide-user/additional-software/start
Extroot, image builder, saving firmware space.

Oh, I missed that sentence. OK, and no more spaces either. Damn, I hoped it would fit in the internal space so I would not have to occupy the USB slot :slight_smile: Well, not a biggie anyway. Alright, I will post the end result (again).


Ok here it is. Still tor unreachable and pastebin now unreachable too :S

# Generated by iptables-save v1.8.3 on Sat May  2 11:04:09 2020
*nat
:PREROUTING ACCEPT [229:29605]
:INPUT ACCEPT [215:14152]
:OUTPUT ACCEPT [201:13947]
:POSTROUTING ACCEPT [17:1453]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[440:43320] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[405:35786] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[35:7534] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[346:22531] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:349] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[329:21078] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[231:15227] -A prerouting_lan_rule -d 192.168.1.1/32 -j ACCEPT
[1:349] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[405:35786] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[329:21078] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[329:21078] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[35:7534] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat May  2 11:04:09 2020
# Generated by iptables-save v1.8.3 on Sat May  2 11:04:09 2020
*mangle
:PREROUTING ACCEPT [27185:20535483]
:INPUT ACCEPT [5267:3789160]
:FORWARD ACCEPT [21838:16726880]
:OUTPUT ACCEPT [6228:5043684]
:POSTROUTING ACCEPT [28047:21769804]
[57:2964] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat May  2 11:04:09 2020
# Generated by iptables-save v1.8.3 on Sat May  2 11:04:09 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[96:8288] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[5173:3780952] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[4803:3754980] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[29:1508] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[343:23666] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[27:2306] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[21840:16728432] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[21696:16719685] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[144:8747] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[96:8288] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[6137:5036332] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[5824:5015606] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:349] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[312:20377] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[26:2274] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[29:1508] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:349] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[144:8747] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[144:8747] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[343:23666] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[343:23666] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:349] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:349] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[343:23666] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[19:760] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[437:28364] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[27:2306] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[1:32] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[26:2274] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[312:20377] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[312:20377] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[26:2274] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat May  2 11:04:09 2020

This is document so far I put together quickly. Check it please :slight_smile:

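There is no redirect rule applied in lan prerouting to send packets to tor. In the nat table above, zone_lan_prerouting only jumps to prerouting_lan_rule, so LAN traffic is forwarded straight to the wan zone and masqueraded instead of going through Tor.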

Ok. I forgot these commands. Added to doc too.
uci commit firewall
/etc/init.d/firewall restart
Pastebin came back but tor still unreachable :S Can you look at it in the odt file and tell me what is missing?

Please paste here whatever is needed to read for the troubleshooting.

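Here is the iptables-save -c output. Still "iptables-save -c | grep -i tor" or "iptables-save -c | grep routetotor" give nothing by the way. [Note: in the dump below the redirect rules are tagged "Intercept-DNS" and "Intercept-TCP", so neither pattern matches them. The Intercept-DNS counter is [0:0] because the earlier prerouting_lan_rule ACCEPT for 192.168.1.1 is matched first, so DNS queries addressed to the router never reach the redirect to port 9053; whether those lookups go through Tor depends on the dnsmasq configuration, which the dump does not show.]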


# Generated by iptables-save v1.8.3 on Sat May  2 17:12:23 2020
*nat
:PREROUTING ACCEPT [94:23383]
:INPUT ACCEPT [261:21676]
:OUTPUT ACCEPT [531:37249]
:POSTROUTING ACCEPT [5:621]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[352:44697] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[307:36864] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[45:7833] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[538:40396] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:349] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[533:39775] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[205:18698] -A prerouting_lan_rule -d 192.168.1.1/32 -j ACCEPT
[1:349] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[307:36864] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 9053
[74:3848] -A zone_lan_prerouting -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
[533:39775] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[533:39775] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[45:7833] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat May  2 17:12:23 2020
# Generated by iptables-save v1.8.3 on Sat May  2 17:12:23 2020
*mangle
:PREROUTING ACCEPT [6443:5210957]
:INPUT ACCEPT [6301:5166388]
:FORWARD ACCEPT [61:24929]
:OUTPUT ACCEPT [5982:2105616]
:POSTROUTING ACCEPT [6043:2130545]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat May  2 17:12:23 2020
# Generated by iptables-save v1.8.3 on Sat May  2 17:12:23 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[16:1557] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[6287:5164911] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[5903:5133816] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[88:4576] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[378:30765] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[6:330] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[61:24929] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[27:4618] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[34:20311] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[16:1557] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[5970:2104891] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[5232:2053427] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:349] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[737:51115] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[3:234] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[88:4576] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:349] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[34:20311] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[34:20311] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[378:30765] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[74:3848] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[304:26917] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:349] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:349] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[304:26917] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[771:71426] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[6:330] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[3:96] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3:234] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[737:51115] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[737:51115] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[3:234] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat May  2 17:12:23 2020