Blocklist TOR ALL and TOR EXIT active only for an IP on the local network


As the picture shows, if I enable “TOR ALL” and “TOR EXIT” the effect will be on the whole IPFire system (red, green, blue, orange).
I would like to apply the block “TOR ALL” and “TOR EXIT” only for the local IP 10.10.1.248
From the GUI I don’t see that it can be done.
But I strongly suspect that it is possible using iptables rules:

Aware of the serious risks I might take, in order to learn I plan to do all the experiments on a mule IPFire server, which I will then destroy.
The big problem is that I don’t know where to start. I am waiting for suggestions and clues to try this curious experiment (assuming it can be done).
I thank you in advance.

If you execute the iptables-save command, it will output the entire IPTables configuration, which includes all the defined chains. The syntax used in this output closely resembles the syntax used to create new rules.

Upon examining the code for these IP-based blocklists, it appears that they’re all incorporated into the BLOCKLISTIN chain. This particular chain is applied to incoming traffic on the red0 interface.

To modify this configuration in the way you’re suggesting would likely necessitate a significant restructuring of the existing firewall setup.


This is a summary of what I have been learning about IPTables, which is really difficult to explain clearly to someone who has no idea of how all this works. With the help of ChatGPT 4, I have improved my understanding considerably, and here is a synthesis of the relevant part necessary for me to have a low-resolution picture of how this works.

Hopefully it will help you understand the topic a little better and help you find answers to questions similar to the one in this thread.

Summary of my “conversation” with the AI

  1. Tables: IPTables consists of several tables, each with a specific role in handling network packets. The primary tables are filter, nat, mangle, and raw. Each table contains a set of chains that further categorize how packets are processed.

    • filter: This is the default table and is used for basic packet filtering. It includes the INPUT, FORWARD, and OUTPUT chains.

    • nat: This table is primarily used for network address translation (NAT), including port forwarding, masquerading, etc. It includes the PREROUTING, POSTROUTING, and OUTPUT chains.

    • mangle: This table is used for specialized packet alteration, including modification of TOS (Type of Service) and TTL (Time to Live) fields. It includes all five types of chains.

    • raw: This table provides a mechanism for marking packets to bypass connection tracking using the NOTRACK target. It includes the PREROUTING and OUTPUT chains.

  2. Chains: Chains are collections of rules in a table that define what to do with network packets at different points in the network stack. The five built-in chains in IPTables are PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING. These names reflect the stages in the network stack that the packets pass through. Each table can have its own instance of these chains, acting at the specified stage but for the specific purpose of that table.

  3. The Network Stack and IPTables: The network stack in an operating system is organized in several stages, like receiving a packet (PREROUTING), deciding if it’s for the local system (INPUT), forwarding it elsewhere (FORWARD), altering packets generated by the local system (OUTPUT), and finally, handling packets as they leave the system (POSTROUTING). The chains in IPTables reflect these stages, allowing precise control over how packets are handled at each stage.

  4. Learning More About IPTables: You can learn more about the rules currently in effect on your system by using the iptables-save command. This outputs a comprehensive list of all the current IPTables rules, which you can examine to understand how your system is managing network traffic. By comparing the output before and after changes (e.g., made via the IPFire Web User Interface), you can see exactly what effect those changes have had. This can be a useful tool for learning more about IPTables and the logic of network packet handling.

Remember that it’s important to have a good understanding of IPTables before making changes, as incorrect rules can cause network disruptions or security issues. Always be sure to test changes in a safe environment if you’re unsure.

EDIT: in the WUI at /FIREWALL/IPTABLES you see three of the four tables (Filter, Mangle and NAT). Raw is not shown. The drop-down menu shows the corresponding chains of the table, and once one is selected it shows the rules and the matching packets.

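An added example that ties together the earlier reply (iptables-save shows every chain, and the IP blocklists hang off a BLOCKLISTIN chain applied to traffic arriving on red0) and item 4 of the summary above (compare iptables-save output before and after a change). This is not code from this thread or from IPFire itself. It parses an iptables-save snapshot into tables and chains, reports which chains jump to a given chain and on which ingress interface, and diffs two snapshots. The two snapshots are constructed for illustration; the rule bodies (ipset matches named TOR_ALL and TOR_EXIT) are assumptions, not IPFire's real rules.

```python
"""Parse iptables-save output and diff two snapshots (added example, not IPFire code)."""
import re
from collections import OrderedDict

# Constructed "before" snapshot in iptables-save format. BLOCKLISTIN and red0
# come from the thread; the ipset rule text is an assumption for illustration.
BEFORE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCKLISTIN - [0:0]
-A INPUT -i red0 -j BLOCKLISTIN
-A FORWARD -i red0 -j BLOCKLISTIN
-A BLOCKLISTIN -m set --match-set TOR_ALL src -j DROP
COMMIT
"""

# Constructed "after" snapshot: same ruleset with one more blocklist enabled.
AFTER = BEFORE.replace(
    "-A BLOCKLISTIN -m set --match-set TOR_ALL src -j DROP\n",
    "-A BLOCKLISTIN -m set --match-set TOR_ALL src -j DROP\n"
    "-A BLOCKLISTIN -m set --match-set TOR_EXIT src -j DROP\n",
)


def parse_save(text):
    """Return {table: {chain: [rule, ...]}} from iptables-save text.

    '*name' opens a table, ':CHAIN policy [pkts:bytes]' declares a chain,
    '-A CHAIN <rule>' appends a rule, 'COMMIT' closes the table.
    """
    tables = OrderedDict()
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = OrderedDict()
        elif line.startswith(":"):
            chain = line[1:].split()[0]
            tables[table].setdefault(chain, [])
        elif line.startswith("-A "):
            chain, _, rule = line[3:].partition(" ")
            tables[table].setdefault(chain, []).append(rule)
        elif line == "COMMIT":
            table = None
    return tables


def _jumps_to(rule, target):
    return re.search(r"-j %s(\s|$)" % re.escape(target), rule) is not None


def chains_referencing(tables, target):
    """List (table, chain) pairs containing a rule that jumps to `target`."""
    return [(t, c) for t, chains in tables.items()
            for c, rules in chains.items()
            if any(_jumps_to(r, target) for r in rules)]


def ingress_interfaces(tables, target):
    """Collect the '-i' interfaces on rules that jump to `target`."""
    ifaces = set()
    for chains in tables.values():
        for rules in chains.values():
            for r in rules:
                m = re.search(r"-i (\S+)", r)
                if _jumps_to(r, target) and m:
                    ifaces.add(m.group(1))
    return ifaces


def diff_rules(before, after):
    """Return {(table, chain): (added, removed)} for chains whose rules changed."""
    b, a = parse_save(before), parse_save(after)
    changes = {}
    for t in set(b) | set(a):
        for c in set(b.get(t, {})) | set(a.get(t, {})):
            old, new = b.get(t, {}).get(c, []), a.get(t, {}).get(c, [])
            added = [r for r in new if r not in old]
            removed = [r for r in old if r not in new]
            if added or removed:
                changes[(t, c)] = (added, removed)
    return changes


if __name__ == "__main__":
    tables = parse_save(BEFORE)
    print("BLOCKLISTIN is reached from:", chains_referencing(tables, "BLOCKLISTIN"))
    print("on ingress interface(s):", ingress_interfaces(tables, "BLOCKLISTIN"))
    for (t, c), (added, removed) in diff_rules(BEFORE, AFTER).items():
        print("table %s chain %s: +%d rules, -%d rules" % (t, c, len(added), len(removed)))
```

On a real box you would feed the script two files saved with `iptables-save > before.txt` and `iptables-save > after.txt` (before and after toggling a blocklist in the WUI) instead of the constructed strings; the ingress-interface report makes the earlier reply's point concrete, since a blocklist chain entered only via `-i red0` rules cannot be narrowed to one green host without changing where it is hooked in.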

I thank you for your answer.
I knew my request could be done, but it’s more complex than I imagined for me, since I have big problems with the terminal.
I just ran iptables-save and saw all the weird stuff that appeared.
To understand those lines well, I’m afraid it will take me years of study (or maybe a few if you study “professionally”).
I think I can create a few “iptables rules”, but not to the point of being able to do a good job on what I wrote in the opening of the topic.
Too complex for me (at least for now). I have too many gaps. In any case, I will resort to iptables for simpler things,
to this thread. Again, thank you. :smiling_face: