Tor Router (not openwrt) - Not able to ssh via eth1 (iptables question)

I have built a Tor router (not OpenWrt) with a Raspberry Pi 5 and a USB-to-Ethernet adapter. Everything works fine.

My setup is:

Latest Raspbian OS.

/etc/tor/torrc

AutomapHostsOnResolve 1
AutomapHostsSuffixes .
VirtualAddrNetworkIPv4 172.16.0.0/12
DNSPort 0.0.0.0:9053
TransPort 0.0.0.0:9040

/etc/dnsmasq.conf

interface=eth1
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h
domain=lan
address=/rt.lan/192.168.4.1

/etc/dhcpcd.conf

interface eth1
    static ip_address=192.168.4.1/24
    nohook wpa_supplicant

/etc/sysctl.d/router-ap.conf
net.ipv4.ip_forward=1

iptables

iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -i eth1 -p tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22 -j REDIRECT --to-ports 22
iptables -A FORWARD -i eth1 -j DROP
iptables-save > /etc/iptables/rules.v4

The Pi's eth0 is connected to the main router and got 192.168.0.130; eth1 (192.168.4.1) is connected to my workstation PC, where I want to use the Tor router.

The problem I face is that, from the workstation PC, I am not able to SSH to the router as 192.168.0.130 or 192.168.4.1.
Both addresses are pingable from the workstation PC.
What firewall rule should I place on the Pi to make SSH work from the workstation PC?

So OpenWrt isn't involved at all, right?
Did you enable SSH, which is disabled by default?
If yes, run these commands to see if it makes a difference:

iptables -t nat -D PREROUTING -i eth1 -p tcp --dport 22 -j REDIRECT --to-ports 22
iptables -I INPUT -i eth1 -p tcp --dport 22 -j ACCEPT

Please post output of

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
iptables -V
ip6tables -V
nft -V
fw3 check

Sorry, I should have been clear: no OpenWrt involved here.
Yes, SSH works until the moment I run the command below (until I run that, the internet won't reach the workstation PC):

iptables -t nat -A PREROUTING -i eth1 -p tcp --syn -j REDIRECT --to-ports 9040

I get the error below when trying to add the first rule you gave:
iptables: Bad rule (does a matching rule exist in that chain?).
Added the second rule, still no difference.

Note: I installed iptables by running the command below:

sudo DEBIAN_FRONTEND=noninteractive apt install -y netfilter-persistent iptables-persistent

Sorry, this is not OpenWrt, so some of those files don't exist.


Change the rule to:

iptables -t nat -A PREROUTING -i eth1 -p tcp ! --dport 22 --syn -j REDIRECT --to-ports 9040
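To see why the blanket --syn rule swallowed SSH and why the "! --dport 22" version fixes it, here is an added example (not from the thread, not real netfilter): a small first-match model of the nat PREROUTING chain that only understands -i, -p, --dport, "!" negation and --syn. It also shows that rules match on the ingress interface, which is why SSH to 192.168.0.130 failed just like 192.168.4.1: the packet still arrived on eth1. The Packet and Rule names are this example's own.

```python
# Added example: first-match simulation of the thread's nat PREROUTING rules.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str        # ingress interface, as matched by "-i"
    proto: str        # "tcp" or "udp"
    dport: int
    syn: bool = True  # True for the first packet of a new TCP connection


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    to_port: int                 # REDIRECT --to-ports target
    dport: Optional[int] = None  # None means any destination port
    negate_dport: bool = False   # "! --dport N"
    syn_only: bool = False       # "--syn"

    def matches(self, p: Packet) -> bool:
        if p.iface != self.iface or p.proto != self.proto:
            return False
        if self.syn_only and not p.syn:
            return False
        if self.dport is not None:
            hit = p.dport == self.dport
            if hit == self.negate_dport:  # port mismatch, or match under "!"
                return False
        return True


def redirect_target(chain, p):
    """First matching rule wins, as in a real chain; None means no REDIRECT."""
    for rule in chain:
        if rule.matches(p):
            return rule.to_port
    return None


# The poster's chain: the blanket --syn rule is first, so the later
# "--dport 22 -j REDIRECT --to-ports 22" rule is never reached for new SSH.
ORIGINAL = [
    Rule("eth1", "tcp", 9040, syn_only=True),
    Rule("eth1", "udp", 53, dport=53),
    Rule("eth1", "tcp", 53, dport=53),
    Rule("eth1", "tcp", 22, dport=22),
]
# The fix from the thread: exclude port 22 from the Tor TransPort redirect.
FIXED = [Rule("eth1", "tcp", 9040, dport=22, negate_dport=True, syn_only=True)] + ORIGINAL[1:]

SSH, WEB = Packet("eth1", "tcp", 22), Packet("eth1", "tcp", 443)
```

Under ORIGINAL both SSH and WEB resolve to 9040; under FIXED, SSH resolves to 22 (effectively untouched) while WEB still goes to 9040.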

Thank you. That solved my issue.
One more question:

Do I need to add the rule below?

iptables -A FORWARD -i eth1 -j DROP

I was told the above would prevent the internet from working outside Tor (from the direct internet router, I guess).

This forum deals only with official OpenWrt from openwrt.org and the packages provided there. You have to ask the Raspbian support channels.

OpenWrt Tor is set up this way:
https://openwrt.org/docs/guide-user/services/tor/client

You can install an ARM or x86 VM of old OpenWrt (21 or older) to determine the iptables rules rendered from these visual rules. Programming ufw or firewalld to emit such rules is way out of scope here.

