firewall: Accept inbound Tor traffic before applying the location filter
authorPeter Müller <peter.mueller@ipfire.org>
Sat, 18 Dec 2021 13:47:56 +0000 (14:47 +0100)
committerPeter Müller <peter.mueller@ipfire.org>
Fri, 14 Jan 2022 14:16:29 +0000 (14:16 +0000)
Inbound Tor traffic conflicts with the Location Block, as a relay has to accept
inbound connections from many parts of the world. To solve this,
inbound Tor traffic has to be accepted before jumping into the Location Block
chain.

Note this affects Tor relay operators only.

Rolled forward as ongoing from
https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org/,
note the documentation in the wiki needs to be updated once this landed
in production.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
src/initscripts/system/firewall

index 49c6b7bf917cebc5d629a0dd3bd9f15dec542132..cc5baa29242a49037d1879f31d29f813eef5af8e 100644 (file)
@@ -227,6 +227,10 @@ iptables_init() {
                iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
        fi
 
+       # Tor (inbound)
+       iptables -N TOR_INPUT
+       iptables -A INPUT -j TOR_INPUT
+
        # Location Block
        iptables -N LOCATIONBLOCK
        iptables -A INPUT -j LOCATIONBLOCK
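Review bot: The new `# Tor (inbound)` comment does not record that the chain's position ahead of `LOCATIONBLOCK` is deliberate, and this commit makes that ordering load-bearing: moving `iptables -A INPUT -j TOR_INPUT` back below the Location Block jump would silently reintroduce the conflict being fixed. Suggest expanding the comment to `# Tor (inbound) - must precede LOCATIONBLOCK so relay connections from blocked locations are still accepted`. Because TOR_INPUT's rules are presumably populated elsewhere and are not visible in this hunk, the comment should also state that anything accepted in that chain is exempt from the location filter by design, so administrators understand the trade-off when reviewing the rule set. iptables_init() begins before this hunk.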
@@ -260,9 +264,7 @@ iptables_init() {
        iptables -N OVPNINPUT
        iptables -A INPUT -j OVPNINPUT
 
-       # Tor (inbound and outbound)
-       iptables -N TOR_INPUT
-       iptables -A INPUT -j TOR_INPUT
+       # Tor (outbound)
        iptables -N TOR_OUTPUT
        iptables -A OUTPUT -j TOR_OUTPUT