SatoriHoshiAiko
commented
2 years ago I am going to read some configurations that I have since changed, with regards to the above conditions in which lnd was run.
The issue I have is not resolved yet, and I am trying to locate it perhaps to the iptables routing not communication correctly with tor. My thought, in part, is that the tor Socks5 proxy does not correctly port forward when creating an iptables firewall, and I may have an invalid iptables firewall setting that is causing the issue in the first place, meaning it is not directly an issue with lnd (although the support is still very much appreciated!)
I have adjusted an iptables script as such:
!/bin/bash
By krabelize | cryptsus.com
Edit-Merge by SatoriHoshiAiko
Persistent IPv4 iptables firewall script
LOOPBACK="127.0.0.0/8" NIC_DATA="eth0" NIC_MGMT="eth0" SERVER_IP_DATA=$(hostname -I | awk '{print $1}') SERVER_IP_MGMT=$(hostname -I | awk '{print $1}') LOCAL_NETWORK="192.168.1.1/24" DNS1="1.1.1.1" DNS2="8.8.8.8"
Reset all IPv4 iptables rules
iptables -F iptables -X
Disallowing any IPv4 traffic as deny any any
iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP
Allow loopback connections but block remote packets claming to be from the loopback interface
iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -s $LOOPBACK ! -i lo -j DROP
Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Allow Established and Related Incoming Connections Afterward
iptables -A INPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
################
INPUT rules
################
Allow SSH Connections to this host - Useful if you use SSH to connect remotely, you can also set a specific IP for the location your are connecting from for added security, if your IP is static
iptables -A INPUT -i $NIC_MGMT -p tcp -s 185.220.21.10 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 185.220.21.20 --sport 22 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow incoming OpenVPN connections to this host
iptables -A INPUT -i $NIC_MGMT -p udp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p udp -s $SERVER_IP_MGMT -d 0/0 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
RealVNC Services
iptables -A INPUT -i $NIC_MGMT -p udp -s 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p udp -s $SERVER_IP_MGMT -d 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 --sport 3478 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p udp -s 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 11000:20000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p udp -s $SERVER_IP_MGMT -d 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 --sport 11000:20000 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow incoming HTTP(S) sessions for serving BTCPay or Website at Local Host
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 80 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 443 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow serving web content on 127.0.0.1:8080 and Lnd REST configured to 127.0.0.1:8081 (please set lndrest to 8081 in lnd.conf with restlisten=127.0.0.1:8081 (localhost:8081) and make 8080 available for other general web serving. Additional ports 8082 and 8083 were added for serving web content if not over hidden service.
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8080 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8081 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8081 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8082 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8082 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8083 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8083 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8084 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8084 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow incoming DNS resolving from the outside over tcp port 53 (lnd requires this for Tor)
iptables -A INPUT -i $NIC_MGMT -p tcp -s $DNS1 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d $DNS1 --sport 53 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s $DNS2 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d $DNS2 --sport 53 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow DNS resolving from the outside with udp also if desired
iptables -A INPUT -i $NIC_MGMT -p udp -s $DNS1 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p udp -s $SERVER_IP_MGMT -d $DNS1 --sport 53 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p udp -s $DNS2 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p udp -s $SERVER_IP_MGMT -d $DNS2 --sport 53 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Bitcoin (8333, 4), Lnd/Lightning (9735), Bitcoin RPC (8332) and Lnd RPC (10009) to Communicate with this host
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8333 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8333 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8334 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8334 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8332 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8332 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9735 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9735 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 10009 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 10009 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow ZMQ to be reachable from the outside - Off by default since ZMQ is only required locally between bitcoind and lnd/lightningd
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9001 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9001 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9030 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9030 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow your lightning node(s) Hidden Services (.onion external ip) to be reachable from the outside - bitcoind proxies on 8333 by default unless set otherwise. lightningd can be configured to 1234, and lnd can be configured to 6969. A private hidden srvice entryway was created on 6060 for bitcoind as well for hidden service proxy of 8332.
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 1234 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 6969 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 6969 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 6060 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 6060 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Bypass loopback for bitcoind lnd or lightning issues with Tor and Hidden Service
iptables -A INPUT -p tcp -s 0/0 --dport 8333 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --dport 8334 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 8332 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 9050 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --dport 9051 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --dport 9052 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --dport 9735 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 6060 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 6969 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 10009 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 5683 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 7625 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
Allow Hidden Service Ports and make Hidden Service Such as Content or Socket Reachable from Outside (Please Configure your ports in /etc/tor/torrc to match your Additional Hidden Services)
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 5683 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 5683 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 7625 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 7625 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Tor Control Port 9051 and 9050/9052 (default configuration is 9050 for both, please set socks port separate for each instance of bitcoind lnd and verify as SocksPort #### in /etc/tor/torrc) - bitcoind and lightningd/lnd use this for Tor Nodes
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9050 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9050 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9051 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9051 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9052 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9052 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Additional Tor ports can be added as above, for hidden services or proxies to connect from the outside such as 9050 and 9100 for proxy, 9001 to advertise a relay location, 9090 if advertising a location other than 9001, Directories on 9030, or 9091 if on another port
Off by default since Tor Relay not being used
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9001 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9001 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9030 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9030 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9090 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9090 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9091 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9091 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Make PostGreSQL (NBXplorer) Prometheus and RTL Accessible
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 5432 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8989 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8989 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 3000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 3000 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Make SMTP and IMAP/IMAPS and Pop3/Pop3s Ports Available
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 25 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 25 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 143 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 143 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 993 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 110 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 110 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 995 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -s $SERVER_IP_MGMT -d 0/0 --sport 995 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#################
OUTPUT rules
#################
Allow outgoing SSH sessions
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 22 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Bitcoin and Lnd P2P with Lightningd's Tor Port 1234 and customd lnd hidden service port 6969
**Configure torrc HiddenServicePort with 6969 127.0.0.1:9735 for lnd - 1234 127.0.0.1:9735 for lightningd - 8333 127.0.0.1:8333 under hidden services, to set an onion address for your node(s) as a hidden service. The some hidden service directory can be used for all 3 by setting different ports to each, and the same onion address will locate your nodes on different ports. Tor will port forward to the node(s) standard ports.
Bitcoin/Lightning/Lnd Ports
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 8333 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 8333 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 8334 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 8334 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9735 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9735 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
lightningd and lnd Hidden Service Ports (please configure to /etc/tor/torrc as "HiddenServicePort 1234 127.0.0.1 9735" and "HiddenServicePort 6969 127.0.0.1 9735")
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 1234 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 6969 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 6969 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 6060 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 6060 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Bitcoind and Lnd RPC connections
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 8332 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 8332 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 10009 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 10009 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Optional expose ZMQ to internet, off by default sinze ZMQ is only required locally between bitcoin and lightning
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 28333 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 28333 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 28332 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 28332 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Open-NAT for bitcoind lnd Tor NAT/proxy issues - Off by default, for troubleshooting only
iptables -A OUTPUT -p tcp -d 0/0 --dport 8333 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 0/0 --dport 8334 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 8332 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 9050 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 0/0 --dport 9051 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 0/0 --dport 9052 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 0/0 --dport 9735 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 6060 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 6969 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 10009 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 5683 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 7625 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
Allow Hidden-Services over Tor (Check /etc/tor/torrc and configure the configure or correct the default ports for your custom Hidden Services)
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 5683 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 5683 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 7625 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 7625 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Tor Control Port/Proxy outbound traffic
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9050 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9050 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9051 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9051 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9052 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9052 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Tor Relay and DataDir Outbound - Off by default unless using relay/datadir
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9001 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9001 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9030 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9030 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9090 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9090 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9091 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9091 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow outgoing DNS lookups (tcp is included here for lnd protocol) - Google (DNS2) Turned Off By Default - Google On for RealVNC over udp/tcp
iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA -d $DNS1 --sport 32768:65535 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -s $DNS1 -d $SERVER_IP_DATA --sport 53 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA -d $DNS2 --sport 32768:65535 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -s $DNS2 -d $SERVER_IP_DATA --sport 53 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d $DNS1 --sport 32768:65535 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s $DNS1 -d $SERVER_IP_DATA --sport 53 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d $DNS2 --sport 32768:65535 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s $DNS2 -d $SERVER_IP_DATA --sport 53 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Make PostgreSQL (NBXplorer) Prometheus and RTL Accessible
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 5432 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 8989 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 8989 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 3000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 3000 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Mail Servers Outgoing
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 25 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 25 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 143 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 143 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 993 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 110 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 110 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 995 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 995 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow outgoing ICMP ping requests
iptables -A OUTPUT -o $NIC_DATA -p icmp --icmp-type 8 -s $SERVER_IP_DATA -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p icmp --icmp-type 0 -d $SERVER_IP_DATA -s 0/0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow outgoing HTTP(S) sessions for apt-get update and wget and web sessions
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 80 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 443 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Use localhost for serving web content on 127.0.0.1:8080 and Lnd REST on 127.0.0.1:8081
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 8080 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 8081 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 8081 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 8082 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 8082 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 8083 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 8083 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 8084 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 8084 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Feedback from RealVNC
iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA --sport 32768:65535 -d 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -s 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 -d $SERVER_IP_DATA --sport 3478 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA --sport 32768:65535 -d 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 --dport 11000:20000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -s 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 -d $SERVER_IP_DATA --sport 11000:20000 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow DHCP handshakes for dynamic network settings
iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 68 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -d $SERVER_IP_DATA -s 0/0 --sport 68 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow outgoing NTP for time sync
iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 123 -m conntrack --ctstate NEW -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -d $SERVER_IP_DATA -s 0/0 --sport 123 --dport 32768:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Make sure nothing else goes IN or OUT from this host
iptables -A INPUT -j DROP iptables -A OUTPUT -j DROP
Save IPv4 iptables config
iptables4.rules should be executed on boot by modifying /etc/network/if-pre-up.d/iptables
sudo sh -c "iptables-save > /sbin/scripts/iptables4.rules" sudo sh -c "netfilter-persistent save"
Assuming there are no compatibility issue with the above firewall configuration and the tor socks proxy. I will also attach the flags for torsocks.conf which I otherwise have allowed to the loopback and inbound connections:
This is the configuration for libtorsocks (transparent socks) for use
with tor, which is providing a socks server on port 9050 by default.
#
Lines beginning with # and blank lines are ignored
Much more documentation than provided in these comments can be found in
#
torsocks.conf(5), torsocks(1) and torsocks(8) manpages.
Default Tor address and port. By default, Tor will listen on localhost for
any SOCKS connection and relay the traffic on the Tor network.
TorAddress 127.0.0.1 TorPort 9050 TorPort 9052
Tor hidden sites do not have real IP addresses. This specifies what range of
IP addresses will be handed to the application as "cookies" for .onion names.
Of course, you should pick a block of addresses which you aren't going to
ever need to actually connect to. This is similar to the MapAddress feature
of the main tor daemon.
OnionAddrRange 127.42.42.0/24
SOCKS5 Username and Password. This is used to isolate the torsocks connection
circuit from other streams in Tor. Use with option IsolateSOCKSAuth (on by
default) in tor(1). TORSOCKS_USERNAME and TORSOCKS_PASSWORD environment
variable overrides these options.
SOCKS5Username
SOCKS5Password
Set Torsocks to accept inbound connections. If set to 1, listen() and
accept() will be allowed to be used with non localhost address. (Default: 0)
AllowInbound 1
Set Torsocks to allow outbound connections to the loopback interface.
If set to 1, connect() will be allowed to be used to the loopback interface
bypassing Tor. If set to 2, in addition to TCP connect(), UDP operations to
the loopback interface will also be allowed, bypassing Tor. This option
should not be used by most users. (Default: 0)
AllowOutboundLocalhost 1
Set Torsocks to use an automatically generated SOCKS5 username/password based
on the process ID and current time, that makes the connections to Tor use a
different circuit from other existing streams in Tor on a per-process basis.
If set, the SOCKS5Username and SOCKS5Password options must not be set.
(Default: 0)
IsolatePID 1
for same measure here is the bitcoin.conf with redacted portions:
server=1
daemon=1
rpcauth=[admin:pass]
rpcallowip=[public ip]/32
rpcbind=127.0.0.1
rpcport=8332
torcontrol=127.0.0.1:9051
torpassword=[redacted]
onion=127.0.0.1:9050
listen=1
listenonion=1
bind=127.0.0.1:8333
bind=127.0.0.1:8334
zmqpubrawblock=tcp://127.0.0.1:28332
zmqpubrawtx=tcp://127.0.0.1:28333
whitelist=127.0.0.1
externalip=[redacted].onion:8333
onlynet=onion
proxy=127.0.0.1:9050
proxyrandomize=1
debug=tor
seednode=2g5qfdkn2vvcbqhzcyvyiitg4ceukybxklraxjnu7atlhd22gdwywaid.onion:8333
seednode=2jmtxvyup3ijr7u6uvu7ijtnojx4g5wodvaedivbv74w4vzntxbrhvad.onion:8333
seednode=37m62wn7dz3uqpathpc4qfmgrbupachj52nt3jbtbjugpbu54kbud7yd.onion:8333
seednode=5g72ppm3krkorsfopcm2bi7wlv4ohhs4u4mlseymasn7g7zhdcyjpfid.onion:8333
seednode=7cgwjuwi5ehvcay4tazy7ya6463bndjk6xzrttw5t3xbpq4p22q6fyid.onion:8333
seednode=7pyrpvqdhmayxggpcyqn5l3m5vqkw3qubnmgwlpya2mdo6x7pih7r7id.onion:8333
seednode=b64xcbleqmwgq2u46bh4hegnlrzzvxntyzbmucn3zt7cssm7y4ubv3id.onion:8333
seednode=ejxefzf5fpst4mg2rib7grksvscl7p6fvjp6agzgfc2yglxnjtxc3aid.onion:8333
seednode=fjdyxicpm4o42xmedlwl3uvk5gmqdfs5j37wir52327vncjzvtpfv7yd.onion:8333
seednode=fpz6r5ppsakkwypjcglz6gcnwt7ytfhxskkfhzu62tnylcknh3eq6pad.onion:8333
seednode=fzhn4uoxfbfss7h7d6ffbn266ca432ekbbzvqtsdd55ylgxn4jucm5qd.onion:8333
seednode=gxo5anvfnffnftfy5frkgvplq3rpga2ie3tcblo2vl754fvnhgorn5yd.onion:8333
seednode=ifdu5qvbofrt4ekui2iyb3kbcyzcsglazhx2hn4wfskkrx2v24qxriid.onion:8333
seednode=itz3oxsihs62muvknc237xabl5f6w6rfznfhbpayrslv2j2ubels47yd.onion:8333
seednode=lrjh6fywjqttmlifuemq3puhvmshxzzyhoqx7uoufali57eypuenzzid.onion:8333
seednode=m7cbpjolo662uel7rpaid46as2otcj44vvwg3gccodnvaeuwbm3anbyd.onion:8333
seednode=opnyfyeiibe5qo5a3wbxzbb4xdiagc32bbce46owmertdknta5mi7uyd.onion:8333
seednode=owjsdxmzla6d7lrwkbmetywqym5cyswpihciesfl5qdv2vrmwsgy4uqd.onion:8333
seednode=q7kgmd7n7h27ds4fg7wocgniuqb3oe2zxp4nfe4skd5da6wyipibqzqd.onion:8333
seednode=rp7k2go3s5lyj3fnj6zn62ktarlrsft2ohlsxkyd7v3e3idqyptvread.onion:8333
seednode=sys54sv4xv3hn3sdiv3oadmzqpgyhd4u4xphv4xqk64ckvaxzm57a7yd.onion:8333
seednode=tddeij4qigtjr6jfnrmq6btnirmq5msgwcsdpcdjr7atftm7cxlqztid.onion:8333
seednode=vi5bnbxkleeqi6hfccjochnn65lcxlfqs4uwgmhudph554zibiusqnad.onion:8333
seednode=xqt25cobm5zqucac3634zfght72he6u3eagfyej5ellbhcdgos7t2had.onion:8333
dnsseed=0
dns=0
maxconnections=48
maxuploadtarget=8192
prune=2048
keypool=20480
assumevalid=1
torrc:
Configuration file for a typical Tor user
Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
(may or may not work for much older or much newer versions of Tor.)
Lines that begin with "## " try to explain what's going on. Lines
that begin with just "#" are disabled commands: you can enable them
by removing the "#" symbol.
See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
for more options you can use in this file.
Tor will look for this file in various places based on your platform:
https://www.torproject.org/docs/faq#torrc
Tor opens a socks proxy on port 9050 by default -- even if you don't
configure one below. Set "SocksPort 0" if you plan to run Tor only
as a relay, and not make any local application connections yourself.
SocksPort 9050 # Default: Bind to localhost:9050 for local connections. SocksPort 9052 #SocksPort 192.168.0.1:9100 # Bind to this address:port too.
Entry policies to allow/deny SOCKS requests based on IP address.
First entry that matches wins. If no SocksPolicy is set, we accept
all (and only) requests that reach a SocksPort. Untrusted users who
can access your SocksPort may be able to learn about the connections
you make.
SocksPolicy accept 192.168.0.0/16
SocksPolicy reject *
Logs go to stdout at level "notice" unless redirected by something
else, like one of the below lines. You can have as many Log lines as
you want.
We advise using "notice" in most cases, since anything more verbose
may provide sensitive information to an attacker who obtains the logs.
Send all messages of level 'notice' or higher to /var/log/tor/notices.log
Log notice file /var/log/tor/notices.log
Send every possible message to /var/log/tor/debug.log
Log debug file /var/log/tor/debug.log
Use the system log instead of Tor's logfiles
Log notice syslog
To send all messages to stderr:
Log debug stderr
Uncomment this to start the process in the background... or use
--runasdaemon 1 on the command line. This is ignored on Windows;
see the FAQ entry if you want Tor to run as an NT service.
RunAsDaemon 1
The directory for keeping all the keys/etc. By default, we store
things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory /var/lib/tor DataDirectoryGroupReadable 1
The port on which Tor will listen for local connections from Tor
controller applications, as documented in control-spec.txt.
ControlPort 9051
If you enable the controlport, be sure to enable one of these
authentication methods, to prevent attackers from accessing it.
HashedControlPassword 16:F797F95B93FE5AB660C0A5D7FEEC4CFE3CDB140478F58BCE5D7767D1E9
CookieAuthFile /run/tor/control.authcookie
CookieAuthentication 1
CookieAuthFileGroupReadable 1
############### This section is just for location-hidden services ###
Once you have configured a hidden service, you can look at the
contents of the file ".../hidden_service/hostname" for the address
to tell people.
HiddenServicePort x y:z says to redirect requests on port x to the
address y:z.
HiddenServiceDir /home/[admin]/tor/bitcoin-service/ HiddenServicePort 8333 127.0.0.1:8333 HiddenServicePort 8333 127.0.0.1:8334 HiddenServicePort 8333 127.0.0.1:9735
HiddenServiceDir /home/[admin]/tor/bitcoin-rpc/ HiddenServicePort 6060 127.0.0.1:8332
HiddenServiceDir /home/[admin]/tor/lnd-service/
HiddenServicePort moved to bitcoin-service to create matching externalip for bitcoind/lnd
HiddenServiceDir /home/[admin]/tor/lnd-rpc/ HiddenServicePort 6969 127.0.0.1:10009
HiddenServiceDir /home/[admin]/tor/lnd-prometheus/ HiddenServicePort 8989 127.0.0.1:8989
HiddenServiceDir /home/[admin]/tor/hidden-service-1/ HiddenServicePort 9333 127.0.0.1:8084
HiddenServiceDir /home/[admin]/tor/hidden-service-2/ HiddenServicePort 7625 127.0.0.1:8082
HiddenServiceDir /home/[admin]/tor/hidden-service-3/ HiddenServicePort 5683 127.0.0.1:8083
HiddenServiceDir /home/[admin]/tor/lnd-rest/ HiddenServicePort 1234 127.0.0.1:8081
################ This section is just for relays ##################### #
See https://www.torproject.org/docs/tor-doc-relay for details.
Required: what port to advertise for incoming Tor connections.
ORPort 9001
If you want to listen on a port other than the one advertised in
ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
follows. You'll need to do ipchains or other port forwarding
yourself to make this work.
ORPort 443 NoListen
ORPort 127.0.0.1:9090 NoAdvertise
The IP address or full DNS name for incoming connections to your
relay. Leave commented out and Tor will guess.
Address noname.example.com
If you have multiple network interfaces, you can specify one for
outgoing traffic to use.
OutboundBindAddress 10.0.0.5
A handle for your relay, so people don't have to refer to it by key.
Nickname ididnteditheconfig
Define these to limit how much relayed traffic you will allow. Your
own traffic is still unthrottled. Note that RelayBandwidthRate must
be at least 20 KB.
Note that units for these config options are bytes per second, not bits
per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps)
RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
Use these to restrict the maximum traffic per day, week, or month.
Note that this threshold applies separately to sent and received bytes,
not to their sum: setting "4 GB" may allow up to 8 GB total before
hibernating.
Set a maximum of 4 gigabytes each way per period.
AccountingMax 4 GB
Each period starts daily at midnight (AccountingMax is per day)
AccountingStart day 00:00
Each period starts on the 3rd of the month at 15:00 (AccountingMax
is per month)
AccountingStart month 3 15:00
Administrative contact information for this relay or bridge. This line
can be used to contact you if your relay or bridge is misconfigured or
something else goes wrong. Note that we archive and publish all
descriptors containing these lines and that Google indexes them, so
spammers might also collect them. You may want to obscure the fact that
it's an email address and/or generate a new address for this purpose.
ContactInfo Random Person
You might also include your PGP or GPG fingerprint if you have one:
ContactInfo 0xFFFFFFFF Random Person
Uncomment this to mirror directory information for others. Please do
if you have enough bandwidth.
DirPort 9030 # what port to advertise for directory connections
If you want to listen on a port other than the one advertised in
DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
follows. below too. You'll need to do ipchains or other port
forwarding yourself to make this work.
DirPort 80 NoListen
DirPort 127.0.0.1:9091 NoAdvertise
Uncomment to return an arbitrary blob of html on your DirPort. Now you
can explain what Tor is if anybody wonders why your IP address is
contacting them. See contrib/tor-exit-notice.html in Tor's source
distribution for a sample.
DirPortFrontPage /etc/tor/tor-exit-notice.html
Uncomment this if you run more than one Tor relay, and add the identity
key fingerprint of each Tor relay you control, even if they're on
different networks. You declare it here so Tor clients can avoid
using more than one of your relays in a single circuit. See
https://www.torproject.org/docs/faq#MultipleRelays
However, you should never include a bridge's fingerprint here, as it would
break its concealability and potentionally reveal its IP/TCP address.
MyFamily $keyid,$keyid,...
A comma-separated list of exit policies. They're considered first
to last, and the first match wins. If you want to replace
the default exit policy, end this with either a reject : or an
accept :. Otherwise, you're augmenting (prepending to) the
default exit policy. Leave commented to just use the default, which is
described in the man page or at
https://www.torproject.org/documentation.html
Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
for issues you might encounter if you use the default exit policy.
If certain IPs and ports are blocked externally, e.g. by your firewall,
you should update your exit policy to reflect this -- otherwise Tor
users will be told that those destinations are down.
For security, by default Tor rejects connections to private (local)
networks, including to your public IP address. See the man page entry
for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
ExitPolicy accept :6660-6667,reject :* # allow irc ports but no more
ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy reject : # no exits allowed
Bridge relays (or "bridges") are Tor relays that aren't listed in the
main directory. Since there is no complete public list of them, even an
ISP that filters connections to all the known Tor relays probably
won't be able to block all the bridges. Also, websites won't treat you
differently because they won't know you're running Tor. If you can
be a real relay, please do; but if not, be a bridge!
BridgeRelay 1
By default, Tor will advertise your bridge to users through various
mechanisms like https://bridges.torproject.org/. If you want to run
a private bridge, for example because you'll give out your bridge
address manually to your friends, uncomment this line:
PublishServerDescriptor 0
And lnd.conf (I made several other configurations and none seem to be causing any additional issues changes to this issue:
alias=StarNet color=#0000CC tor.active=true tor.v3=true tor.streamisolation=true tor.socks=9052 tor.control=127.0.0.1:9051 tor.password=[redacted] tor.dns=soa.nodes.lightning.directory:53 externalip=[redacted].onion restlisten=127.0.0.1:8081 rpclisten=127.0.0.1:10009 listen=127.0.0.1 autopilot.active=true autopilot.maxchannels=5 autopilot.maxchansize=20000 autopilot.private=true protocol.wumbo-channels=true protocol.no-anchors=true protocol.no-script-enforced-lease=true maxlogfiles=1 maxlogfilesize=10 maxpendingchannels=1 maxchansize=100000000 chan-enable-timeout=1440m chan-disable-timeout=2880m invoices.holdexpirydelta=0 rejectpush=true dry-run-migration=true accept-keysend=true accept-amp=true gc-canceled-invoices-on-startup=false prometheus.enable=true prometheus.listen=127.0.0.1:8989 blockcachesize=2147483648 bitcoin.active=true bitcoin.mainnet=true bitcoin.node=bitcoind bitcoin.basefee=1000000 bitcoin.feerate=1000 bitcoind.dir=~/.bitcoin bitcoind.rpchost=127.0.0.1 bitcoind.rpcuser=[redacted admin] bitcoind.rpcpass=[redacted pass] bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332 bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333 db.postgres.dsn=postgres://nbxplorer:[redacted]@127.0.0.1:5432/nbxplorer
Some notables changes above are -
- I reinstalled tor, in case I had any underlying or unnoticed issues with setup and configuration. i.e. config files with a bad line entered, etc. To restore defaults.
- Notable issue on tor is that frequently there are issues with directory permissions in particular requiring a different user running tor "debian-tor" in my case. Even with the command "usermod -a -G debian-tor [admin]" and a reboot, it seems adding the admin user to the debian-tor group was not in itself enough to pass directory permissions. This seems to not translate the flag "DataDirectoryGroupReadable" in the torrc.
- I managed to continue to run tor as debian-tor using "sudo -u debian-tor tor" and refrained from chowning and chmod 700 and chmod g=+s where before I actually gave ownership permissions to the admin user to run tor as the same user as bitcoin and lnd. In that configuration I would add the admin account to the debian-tor so that instead debian-tor has group permissions.
- The above steps fall in line with the default configuration for tor, so that in any instance, if bitcoind or lnd were to call on the user debian-tor to run tor, they should have no interference with a default configuration.
- It is also advised not to run tor as the admin account user anyway, for security reasons
- Using the v3_onion_private_key should bypass any of the above issues, so long as the socks port is listening on 9050 (or in my case 9052, to prevent any cross traffic issues with bitcoind, so I set a separate port for lnd).
Some things I will try because this can largely be an issue with tor or the iptables rules.
- Running the proxy on the same port as bitcoind at 9050, to inadvertently allow the same communication and not block anything between lnd and bitcoind
- Removing the iptables chain to allow all traffic in and out, to validate that the iptables rules are causing the issue
Also notable -
bitcoind seems to connect to peers, and getnetworkinfo lists: { "version": 239900, "subversion": "/Satoshi:23.99.0/", "protocolversion": 70016, "localservices": "0000000000000408", "localservicesnames": [ "WITNESS", "NETWORK_LIMITED" ], "localrelay": true, "timeoffset": -4, "networkactive": true, "connections": 13, "connections_in": 3, "connections_out": 10, "networks": [ { "name": "ipv4", "limited": true, "reachable": false, "proxy": "127.0.0.1:9050", "proxy_randomize_credentials": true }, { "name": "ipv6", "limited": true, "reachable": false, "proxy": "127.0.0.1:9050", "proxy_randomize_credentials": true }, { "name": "onion", "limited": false, "reachable": true, "proxy": "127.0.0.1:9050", "proxy_randomize_credentials": true }, { "name": "i2p", "limited": true, "reachable": false, "proxy": "", "proxy_randomize_credentials": false }, { "name": "cjdns", "limited": true, "reachable": false, "proxy": "127.0.0.1:9050", "proxy_randomize_credentials": true } ], "relayfee": 0.00001000, "incrementalfee": 0.00001000, "localaddresses": [ { "address": "[redacted].onion", "port": 8333, "score": 4 }, { "address": "[redacted].onion", "port": 8333, "score": 4 } ], "warnings": "This is a pre-release test build - use at your own risk - do not use for mining or merchant applications" }
The above indicates that the nodes is reachable: true over .onion and the score of 4 on each ip is showing a full score.
I had to ensure the listen=1 and listenonion=1 flags were on, and let bitcoind create a second listening .onion address. I think this is similar in fashion with lnd that inbound connections are not turned on by default when proxying over tor, unless listen is specified.
With the above, it would be assumed that the node is reachable from the outside and can receive inbound connections, although I have not yet received an inbound connection, and I do receive several intermittent failed attempt to connect with bitcoind.
The bitcoind debug.log prints the following (I have pulled a section of it after some time running):
2022-06-12T06:08:37Z UpdateTip: new best=0000000000000000000323060e3ed0485a52b415abca425fa66b9d28acadc6b8 height=740448 version=0x20000004 log2_work=93.572060 tx=740785084 date='2022-06-12T06:07:59Z' progress=1.000000 cache=40.9MiB(309486txo) 2022-06-12T06:10:20Z New outbound peer connected: version: 70016, blocks=740448, peer=455 (outbound-full-relay) 2022-06-12T06:10:49Z New outbound peer connected: version: 70016, blocks=740448, peer=456 (outbound-full-relay) 2022-06-12T06:11:04Z Socks5() connect to m7rx5kvhxfbuapz35nuamgdxnqzokv2gjwuii6ayjyry4czmtf7t23yd.onion:8333 failed: host unreachable 2022-06-12T06:11:19Z New outbound peer connected: version: 70016, blocks=740448, peer=457 (outbound-full-relay) 2022-06-12T06:21:41Z New outbound peer connected: version: 70016, blocks=740448, peer=465 (block-relay-only) 2022-06-12T06:22:24Z Socks5() connect to uqiden2xczwnscglah47t22wjdasosxvopp4mls6wiycl5vprngeeiqd.onion:8333 failed: host unreachable 2022-06-12T06:23:05Z New outbound peer connected: version: 70016, blocks=740448, peer=466 (block-relay-only) 2022-06-12T06:23:55Z Socks5() connect to doejkrxw7gxvru7xt2kbfyzkb2kvoswmnee65ehrqmqtpgy56upyl7yd.onion:8333 failed: host unreachable 2022-06-12T06:24:26Z Socks5() connect to jltlwtvnpsa7glqalnncnxogr6prktlodqrmzxpz4ylzpg5gjebxriad.onion:8333 failed: host unreachable 2022-06-12T06:28:07Z Socks5() connect to xz32azmnwpv4nvte5qbva2zwrmululbwzqh4rfuu4qwph26mhyqscvyd.onion:8333 failed: host unreachable 2022-06-12T06:28:56Z UpdateTip: new best=00000000000000000001c12d183879061599eb720128b26f0d5fbc6e0711c2ad height=740449 version=0x20016000 log2_work=93.572073 tx=740786633 date='2022-06-12T06:28:36Z' progress=1.000000 cache=41.7MiB(316203txo) 2022-06-12T06:34:45Z Socks5() connect to a7pdl74jx3xgzpfwpxf525jit5lj5jgirira3b64fsyrgjpwywtjmfqd.onion:8333 failed: host unreachable 2022-06-12T06:36:37Z New outbound peer connected: version: 70016, blocks=740449, peer=476 (outbound-full-relay)
And with bitcoin-cli getpeerinfo:
[ { "id": 0, "addr": "127.0.0.1:40520", "addrbind": "127.0.0.1:8334", "network": "onion", "services": "0000000000000000", "servicesnames": [ ], "lastsend": 1655023241, "lastrecv": 1655023242, "last_transaction": 0, "last_block": 0, "bytessent": 19640, "bytesrecv": 15432, "conntime": 1654977863, "timeoffset": 0, "pingtime": 0.795247, "minping": 0.461306, "version": 70016, "subver": "", "inbound": true, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 0, "synced_headers": -1, "synced_blocks": -1, "inflight": [ ], "relaytxes": false, "minfeefilter": 0.00000000, "addr_relay_enabled": false, "addr_processed": 0, "addr_rate_limited": 0, "permissions": [ "noban", "relay", "mempool", "download" ], "bytessent_per_msg": { "feefilter": 32, "inv": 4087, "ping": 12128, "pong": 3104, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "ping": 3104, "pong": 12128, "sendaddrv2": 24, "verack": 24, "version": 152 }, "connection_type": "inbound" }, { "id": 1, "addr": "x7z4axhkzyehhbvlxew74mygsopithpl4j3rw23oa5gfcvdluyyawead.onion:8333", "addrbind": "127.0.0.1:46964", "network": "onion", "services": "0000000000000409", "servicesnames": [ "NETWORK", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023255, "lastrecv": 1655023255, "last_transaction": 0, "last_block": 0, "bytessent": 35117, "bytesrecv": 32176, "conntime": 1654977874, "timeoffset": -1, "pingtime": 1.306183, "minping": 0.7967070000000001, "version": 70016, "subver": "/Satoshi:23.0.0/", "inbound": false, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 740392, "synced_headers": 740459, "synced_blocks": 740459, "inflight": [ ], "relaytxes": false, "minfeefilter": 0.00000000, "addr_relay_enabled": false, "addr_processed": 0, "addr_rate_limited": 0, "permissions": [ ], "bytessent_per_msg": { "getheaders": 4212, "headers": 6360, "ping": 12128, "pong": 12128, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "feefilter": 32, "getheaders": 1053, "headers": 6547, "ping": 12128, "pong": 12128, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "block-relay-only" }, { "id": 2, "addr": "75ndg7fpigom6w6vsba7yan5wx2ivpehcmnj2lbuv2cqrtrgrswmhxid.onion:8333", "addrbind": "127.0.0.1:46968", "network": "onion", "services": "000000000000040d", "servicesnames": [ "NETWORK", "BLOOM", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023284, "lastrecv": 1655023284, "last_transaction": 0, "last_block": 1655022714, "bytessent": 32212, "bytesrecv": 182708, "conntime": 1654977899, "timeoffset": -5, "pingtime": 1.19834, "minping": 0.621729, "version": 70016, "subver": "/Satoshi:22.0.0/", "inbound": false, "bip152_hb_to": true, "bip152_hb_from": false, "startingheight": 740392, "synced_headers": 740459, "synced_blocks": 740459, "inflight": [ ], "relaytxes": false, "minfeefilter": 0.00000000, "addr_relay_enabled": false, "addr_processed": 0, "addr_rate_limited": 0, "permissions": [ ], "bytessent_per_msg": { "getdata": 122, "getheaders": 2106, "headers": 5406, "ping": 12128, "pong": 12128, "sendaddrv2": 24, "sendcmpct": 99, "sendheaders": 24, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "addrv2": 22648, "cmpctblock": 128601, "feefilter": 32, "getheaders": 1053, "headers": 5830, "ping": 12128, "pong": 12128, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "block-relay-only" }, { "id": 9, "addr": "5lzvzmk566jo5pgeobmqofuq65jej5ghnf3ogjudgpgancdznc2vxjqd.onion:8333", "addrbind": "127.0.0.1:46990", "network": "onion", "services": "0000000000000409", "servicesnames": [ "NETWORK", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023343, "lastrecv": 1655023344, "last_transaction": 1655023342, "last_block": 0, "bytessent": 2087490, "bytesrecv": 10585388, "conntime": 1654978024, "timeoffset": -2, "pingtime": 1.838437, "minping": 0.941371, "version": 70016, "subver": "/Satoshi:23.0.0/", "inbound": false, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 740392, "synced_headers": 740459, "synced_blocks": 740459, "inflight": [ ], "relaytxes": true, "minfeefilter": 0.00001000, "addr_relay_enabled": true, "addr_processed": 1520, "addr_rate_limited": 0, "permissions": [ ], "bytessent_per_msg": { "addrv2": 32348, "feefilter": 32, "getaddr": 24, "getdata": 450418, "getheaders": 1053, "headers": 6890, "inv": 1411678, "ping": 12096, "pong": 12096, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 160566, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "addrv2": 65846, "feefilter": 32, "getdata": 20216, "getheaders": 1053, "headers": 6678, "inv": 5458911, "notfound": 219, "ping": 12096, "pong": 12096, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 5007953, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "outbound-full-relay" }, { "id": 26, "addr": "cdimine7u764mmcx3rh2wggcv2jb7czn6ll4wqugz6usad4d6qzl2xad.onion:8333", "addrbind": "127.0.0.1:47044", "network": "onion", "services": "000000000000040d", "servicesnames": [ "NETWORK", "BLOOM", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023342, "lastrecv": 1655023342, "last_transaction": 1655023307, "last_block": 0, "bytessent": 3110021, "bytesrecv": 2939524, "conntime": 1654978314, "timeoffset": -5, "pingtime": 1.009675, "minping": 0.618121, "version": 70016, "subver": "/Satoshi:0.21.0/", "inbound": false, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 740392, "synced_headers": 740459, "synced_blocks": 740459, "inflight": [ ], "relaytxes": true, "minfeefilter": 0.00001000, "addr_relay_enabled": true, "addr_processed": 1506, "addr_rate_limited": 0, "permissions": [ ], "bytessent_per_msg": { "addrv2": 33166, "feefilter": 32, "getaddr": 24, "getdata": 97031, "getheaders": 3159, "headers": 6148, "inv": 2886801, "ping": 12032, "pong": 12032, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 59307, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "addrv2": 64616, "feefilter": 32, "getdata": 1120, "getheaders": 1053, "headers": 5618, "inv": 1599648, "notfound": 61, "ping": 12032, "pong": 12032, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 1243024, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "outbound-full-relay" }, { "id": 36, "addr": "kgcm56fkeqfl4wf2aoqrzqteon5pbf56gc7hhdmj73rdatgk6x65heyd.onion:8333", "addrbind": "127.0.0.1:47062", "network": "onion", "services": "0000000000000409", "servicesnames": [ "NETWORK", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023341, "lastrecv": 1655023344, "last_transaction": 1655023341, "last_block": 0, "bytessent": 2794440, "bytesrecv": 15045068, "conntime": 1654979399, "timeoffset": 0, "pingtime": 0.809179, "minping": 0.495077, "version": 70016, "subver": "/Satoshi:23.0.0/", "inbound": false, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 740394, "synced_headers": 740459, "synced_blocks": 740459, "inflight": [ ], "relaytxes": true, "minfeefilter": 0.00001000, "addr_relay_enabled": true, "addr_processed": 1564, "addr_rate_limited": 0, "permissions": [ ], "bytessent_per_msg": { "addrv2": 34858, "cmpctblock": 20084, "feefilter": 32, "getaddr": 24, "getdata": 834185, "getheaders": 4212, "headers": 6360, "inv": 964767, "ping": 11744, "pong": 11744, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 906141, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "addrv2": 68033, "feefilter": 32, "getdata": 86037, "getheaders": 1053, "headers": 6466, "inv": 5015053, "ping": 11744, "pong": 11744, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 9844618, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "outbound-full-relay" }, { "id": 353, "addr": "grl6ewbqjop7d3nsxas5vd5nysivujigid2ziiwe6s5gk2euvdomxiyd.onion:8333", "addrbind": "127.0.0.1:47652", "network": "onion", "services": "0000000000000409", "servicesnames": [ "NETWORK", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023344, "lastrecv": 1655023344, "last_transaction": 1655023340, "last_block": 0, "bytessent": 822048, "bytesrecv": 4377930, "conntime": 1655007277, "timeoffset": -4, "pingtime": 1.933184, "minping": 0.589705, "version": 70016, "subver": "/Satoshi:22.0.0/", "inbound": false, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 740438, "synced_headers": 740459, "synced_blocks": 740459, "inflight": [ ], "relaytxes": true, "minfeefilter": 0.00001000, "addr_relay_enabled": true, "addr_processed": 1162, "addr_rate_limited": 0, "permissions": [ ], "bytessent_per_msg": { "addrv2": 12446, "feefilter": 32, "getaddr": 24, "getdata": 208477, "getheaders": 1053, "headers": 2014, "inv": 290117, "ping": 4288, "pong": 4288, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 299020, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "addrv2": 50298, "feefilter": 32, "getdata": 9382, "getheaders": 1053, "headers": 2014, "inv": 1818882, "ping": 4288, "pong": 4288, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 2487405, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "outbound-full-relay" }, { "id": 360, "addr": "127.0.0.1:40762", "addrbind": "127.0.0.1:8334", "network": "onion", "services": "0000000000000409", "servicesnames": [ "NETWORK", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023342, "lastrecv": 1655023341, "last_transaction": 1655023295, "last_block": 0, "bytessent": 2861542, "bytesrecv": 981210, "conntime": 1655007603, "timeoffset": 0, "pingtime": 0.653041, "minping": 0.491328, "version": 70016, "subver": "/Satoshi:23.0.0/", "inbound": true, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 740438, "synced_headers": 740459, "synced_blocks": 740459, "inflight": [ ], "relaytxes": true, "minfeefilter": 0.00001000, "addr_relay_enabled": true, "addr_processed": 259, "addr_rate_limited": 0, "permissions": [ "noban", "relay", "mempool", "download" ], "bytessent_per_msg": { "addrv2": 41110, "feefilter": 32, "getdata": 31666, "getheaders": 1053, "headers": 2120, "inv": 1656503, "ping": 4224, "pong": 4224, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 1120321, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "addrv2": 11320, "feefilter": 32, "getaddr": 24, "getdata": 80585, "getheaders": 1053, "headers": 1802, "inv": 440301, "ping": 4224, "pong": 4224, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 437357, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "inbound" }, { "id": 413, "addr": "127.0.0.1:40796", "addrbind": "127.0.0.1:8334", "network": "onion", "services": "0000000000000000", "servicesnames": [ ], "lastsend": 1655023335, "lastrecv": 1655023335, "last_transaction": 0, "last_block": 0, "bytessent": 5204, "bytesrecv": 4168, "conntime": 1655011569, "timeoffset": 0, "pingtime": 0.509269, "minping": 0.387837, "version": 70016, "subver": "", "inbound": true, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 0, "synced_headers": -1, "synced_blocks": -1, "inflight": [ ], "relaytxes": false, "minfeefilter": 0.00000000, "addr_relay_enabled": false, "addr_processed": 0, "addr_rate_limited": 0, "permissions": [ "noban", "relay", "mempool", "download" ], "bytessent_per_msg": { "feefilter": 32, "inv": 915, "ping": 3168, "pong": 800, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "ping": 800, "pong": 3168, "sendaddrv2": 24, "verack": 24, "version": 152 }, "connection_type": "inbound" }, { "id": 455, "addr": "eujxmbxlrtcba4cvxvhq5htgmld2aaqtch64m4ebcmqwgyqoyblczgqd.onion:8333", "addrbind": "127.0.0.1:47806", "network": "onion", "services": "000000000000040d", "servicesnames": [ "NETWORK", "BLOOM", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023344, "lastrecv": 1655023338, "last_transaction": 1655023214, "last_block": 0, "bytessent": 606231, "bytesrecv": 808583, "conntime": 1655014219, "timeoffset": -4, "pingtime": 0.625654, "minping": 0.449602, "pingwait": 0.156138, "version": 70016, "subver": "/Satoshi:22.0.0/", "inbound": false, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 740448, "synced_headers": 740459, "synced_blocks": 740459, "inflight": [ ], "relaytxes": true, "minfeefilter": 0.00001000, "addr_relay_enabled": true, "addr_processed": 1105, "addr_rate_limited": 0, "permissions": [ ], "bytessent_per_msg": { "addrv2": 6118, "feefilter": 32, "getaddr": 24, "getdata": 23507, "getheaders": 1053, "headers": 954, "inv": 567604, "ping": 2464, "pong": 2432, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 1754, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "addrv2": 48050, "feefilter": 32, "getdata": 244, "getheaders": 1053, "headers": 1272, "inv": 333075, "ping": 2432, "pong": 2432, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 419705, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "outbound-full-relay" }, { "id": 456, "addr": "sbofeqa3fqofkpwbmccsn5mvbxj3evud4v6fmqtotikpogatgn6j7hyd.onion:8333", "addrbind": "127.0.0.1:47810", "network": "onion", "services": "000000000000040d", "servicesnames": [ "NETWORK", "BLOOM", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023344, "lastrecv": 1655023306, "last_transaction": 1655023306, "last_block": 0, "bytessent": 616354, "bytesrecv": 676408, "conntime": 1655014248, "timeoffset": -4, "pingtime": 0.865449, "minping": 0.671337, "version": 70016, "subver": "/Satoshi:22.0.0/", "inbound": false, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 740448, "synced_headers": 740457, "synced_blocks": 740457, "inflight": [ ], "relaytxes": true, "minfeefilter": 0.00001000, "addr_relay_enabled": true, "addr_processed": 1108, "addr_rate_limited": 0, "permissions": [ ], "bytessent_per_msg": { "addrv2": 7167, "feefilter": 32, "getaddr": 24, "getdata": 14049, "getheaders": 1053, "headers": 954, "inv": 586052, "ping": 2432, "pong": 2432, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 1870, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "addrv2": 47903, "feefilter": 32, "getdata": 341, "getheaders": 1053, "headers": 1060, "inv": 325392, "ping": 2432, "pong": 2432, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 295475, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "outbound-full-relay" }, { "id": 457, "addr": "jpmb7zzsxjovn4xngq2zt37ahvwhq452x46vx3rgutuhlmsxxyzth5ad.onion:8333", "addrbind": "127.0.0.1:47814", "network": "onion", "services": "0000000000000409", "servicesnames": [ "NETWORK", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023342, "lastrecv": 1655023343, "last_transaction": 1655023338, "last_block": 0, "bytessent": 486686, "bytesrecv": 4787026, "conntime": 1655014278, "timeoffset": -1, "pingtime": 0.8533230000000001, "minping": 0.802444, "version": 70016, "subver": "/Satoshi:23.0.0/", "inbound": false, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 740448, "synced_headers": 740459, "synced_blocks": 740459, "inflight": [ ], "relaytxes": true, "minfeefilter": 0.00001000, "addr_relay_enabled": true, "addr_processed": 1137, "addr_rate_limited": 0, "permissions": [ ], "bytessent_per_msg": { "addrv2": 6624, "feefilter": 32, "getaddr": 24, "getdata": 331336, "getheaders": 1053, "headers": 1166, "inv": 112129, "ping": 2432, "pong": 2432, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 29169, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "addrv2": 48959, "feefilter": 32, "getdata": 1439, "getheaders": 1053, "headers": 1272, "inv": 1131884, "ping": 2432, "pong": 2432, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 3597235, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "outbound-full-relay" }, { "id": 476, "addr": "rsbtajonksuidqllfrnpdd2ezimova72slaj7lgdvlhpssgrrgqwycqd.onion:8333", "addrbind": "127.0.0.1:47852", "network": "onion", "services": "0000000000000409", "servicesnames": [ "NETWORK", "WITNESS", "NETWORK_LIMITED" ], "lastsend": 1655023339, "lastrecv": 1655023344, "last_transaction": 1655023340, "last_block": 0, "bytessent": 400280, "bytesrecv": 4935727, "conntime": 1655015796, "timeoffset": -5, "pingtime": 0.756, "minping": 0.404565, "version": 70016, "subver": "/Satoshi:22.0.0/", "inbound": false, "bip152_hb_to": false, "bip152_hb_from": false, "startingheight": 740449, "synced_headers": 740459, "synced_blocks": 740459, "inflight": [ ], "relaytxes": true, "minfeefilter": 0.00001000, "addr_relay_enabled": true, "addr_processed": 1079, "addr_rate_limited": 0, "permissions": [ ], "bytessent_per_msg": { "addrv2": 5571, "feefilter": 32, "getaddr": 24, "getdata": 298459, "getheaders": 1053, "headers": 636, "inv": 66047, "ping": 2016, "pong": 2016, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 24137, "verack": 24, "version": 127, "wtxidrelay": 24 }, "bytesrecv_per_msg": { "addrv2": 46591, "cmpctblock": 35810, "feefilter": 32, "getdata": 1988, "getheaders": 1053, "headers": 1166, "inv": 961561, "ping": 2016, "pong": 2016, "sendaddrv2": 24, "sendcmpct": 66, "sendheaders": 24, "tx": 3883206, "verack": 24, "version": 126, "wtxidrelay": 24 }, "connection_type": "outbound-full-relay" } ]
In the above case, by giving it enough time, it did manage to make 3 inbound connections, 2 block relay, and 7 outbound. So the expectation here is that there are probably a plentiful harvest of unreachable nodes over tor, and in a number of these cases, they are either configured incorrectly, or these nodes/hosts simply have not allowed inbound connections to an outbound request.
I do have 3 inbound connections, and this should verify that bitcoind is indeed able to make some inbound requests and accept them. This is a positive indicator that the same should be possible for lnd also.
It is very likely that tor configured nodes are not always reachable in the first place, are nodes that are shut down, have refused connection, and the Warnings in Lnd are genuine reports of nodes that are simply not reachable from the other end. inactive, or not accepting requests. This is commonplace is what I am getting at, not every nodes will allow connection for various reasons.
Important in the bitcoin setup, was creating a second port and hidden service for 8334. I placed lnd port 9735, and 8333/8334 hidden service ports in the same directory to create a matching .onion service address in all cases.
I don't know with full confidence that the additional port 8334, is required, as listen=1 and listenonion=1 in the bitcoin.conf should allow inbound connections, but for safe measure it is possible that bitcoin's listening port is commonly on 8334 and not 8333, so I have included both to ensure that this remains the case. I have no issue either with have the second open port.
It also creates a service .onion address using the torcontrol and password, to allow listening. By exclusively setting an hidden service address with externalip flag in bitcoind, I have read in places that listening is not turned on by default over there, and when listen=1 and/or listenonion=1 are passed in bitcoin.conf, to allow inbound, it automatically creates a service .onion address with the tor controller.
I can otherwise advertise the hidden-service address since I simply want to know I have a static node address, and the inbound connections are largely for supporting the network over tor (so other onion services have a place to call for outbound connections, you're welcome tor) and also to verify this can be also done in lnd. I also prefer the fullest functionality in a tor-only environment as preference, and would like to ensure that the channels I create are generally fully open both inbound/outbound over tor.
In the docs it is noted that inbound connections are turned off by default, but I have passed the tor.control and tor.password -
Hashed Password solving some tor issues - I find that using hashed password also avoids some errors with bitcoind uses tor. The safecookieauth method contains permission issues when bitcoind runs as admin and then tor runs with sudo -u debian-tor tor, I found using the hashed password removed issues with tor running as its own user separate from the admin account user. In short, no amount of chowning or chmodding was really effective at allowing it to be readable by both. And there seem to be an issue with adding them both to group readable, something in tor is still preventing from this happening. And in a previous update they did not allow this to passed to chmod g=r+s, tor will give the response that this is too permissive.
Hidden Service Directories - I placed the hidden services in the home directory, rather than var/lib/to, where this would already create added tor privacy by not choosing the default location, and it prevents any issues with tor not running due to the hidden service directories being too permissive, or permission denied.
So tor is set this way and it works much better, allowing more ideal conditions to pass tor.
Tor control and Tor Password seem to be an ideal authentication method, in my case at least.
Further to above, I set tor.v3=1/true, since I have noticed in your documentation, that lnd does not automatically allow inbound connection if this is not passed. I have tcp resolution allowing in the ipv4-firewall.sh rules, and so this should meet the requirements for tor.dns. As per the documentation, this should allow inbound connections with lnd.
My assumption is that, like bitcoind, lnd will create its own service address, and the externalip can be used to pass the static hidden service address otherwise, and this should not cause any issue.
I also removed any port specification so that default ports can be passed (9735, 8333, 9051, 9052) on the lnd.conf including the externalip flag. Since it is possible lnd may wish to pass port 8333 on the externalip when listing the host:port of the node by default. I noticed all the errors were with connections to hosts on port :8333 and I had hoped that the symmetry would prevent any issues with the ports being listed differently. Either way 9735, 8333 9050 9052 should all be open. So it should have no issue reaching the outside.
Is it that lnd is not configured to allow inbound by default over tor, and there is no way to configure for this to be allowed without also having p2p ipv4 connection? I tried turning stream isolation both on and off and this did not help. I removed tor.dns and it automatically grabbed all 3 DNS locations anyway, and this is probably better but leaving it on to sea.nodes.lightning.directory:53 I passed based on the documentation, so that a tor.dns flag was set to eliminate any issue with inbound being configured to be off.
I have also tried turning off tor.streamisolation and this did not help, so I've left it on since I do actually prefer this is an inbound request is to be made, it adds privacy on the inbound side which is preferable as long as I still have the static address additional (same as bitcoin.conf listen=1 configuration). I have no complaint about this at any rate.
And that is as far as I have been able to get.
It is possible that this is simply a case of many nodes being genuinely unreachable, since their tor proxy or hidden service is again, either not configured properly, the node is not active, or the inbound connections are blocked since these tor nodes have a firewall or port blocked also. The torsocks.conf by default has the flag AllowInbound=1 commented by default, meaning Inbound connections are turned off by default with the 127.0.0.1:9050 proxy. So the case is that most users will not have configured the tor proxy of their nodes to allow inbound, and outgoing requests might be frequently met with "unreachable" because of this default setting.
I am trying to support the network both inbound and outbound is my goal, and so I left these uncommented in the torsock.conf, this is a personal choice since I wish to help the network. Perhaps other users are unaware that torsocks on port 9050 in the act of protecting their privacy, has limited this availability to other parts of the tor network (and of course most may not wish to allow exiting/not everyone wants to do so, etc) but are just generally uneducated that the socks port is preventing other parts of the network to make these calls by default.
Either way, the above expectation is there is already a large slew of onion nodes that have masked their ip, but not helped the network over tor using the proxy method prescribed by default.
And that's all I have for now.
I will send a print of a recent session run of ./lnd from go/bin to reiterate any of the above changes and their effects, and this time I will allow it to run a couple days in case I ever do find a peer that is reachable or an inbound request becomes successful. Again, perhaps this is entirely an issue of a not-otherwise-strong use of the tor network for lnd, so it may be resolved with a negligible issue with any of the above, but rather a note that the tor network usage is evolving and is thankful for the assistance of nodes that correctly configure their tor nodes to support the network.
I would like to until receiving a peer connection, assume the worst that there is an issue with lnd or proxy configuration, until I can confirm that there really is not and be able to bypass it to the general tor network strength. At which point validation would suffice and could also assist others if they are ever wishing to duplicate any of the above advanced settings themselves.
(tor.socks-9050 is set on this run) sudo truncate --size=0 ~/.lnd/logs/bitcoin/mainnet/lnd.log ./lnd --debuglevel=CMGR=debug
lnd.log prints:
2022-06-12 05:33:09.313 [WRN] LTND: Invoice hold expiry delta: 0 <= incoming delta: 10, accepted hold invoices will force close channels if they are not canceled manually
2022-06-12 05:33:09.313 [INF] LTND: Version: 0.15.0-beta.rc4 commit=v0.15.0-beta.rc4, build=production, logging=default, debuglevel=CMGR=debug
2022-06-12 05:33:09.313 [INF] LTND: Active chain: Bitcoin (network=mainnet)
2022-06-12 05:33:09.315 [INF] PROM: Prometheus exporter started on 127.0.0.1:8989/metrics
2022-06-12 05:33:09.315 [INF] RPCS: RPC server listening on 127.0.0.1:10009
2022-06-12 05:33:09.326 [INF] RPCS: gRPC proxy started at 127.0.0.1:8081
2022-06-12 05:33:09.327 [INF] LTND: Opening the main database, this might take a few minutes...
2022-06-12 05:33:09.327 [INF] LTND: Opening bbolt database, sync_freelist=false, auto_compact=false
2022-06-12 05:33:09.356 [INF] LTND: Creating local graph and channel state DB instances
2022-06-12 05:33:09.425 [INF] CHDB: Checking for schema update: latest_version=27, db_version=27
2022-06-12 05:33:09.425 [INF] LTND: Database(s) now open (time_to_open=97.885262ms)!
2022-06-12 05:33:09.425 [INF] LTND: We're not running within systemd or the service type is not 'notify'
2022-06-12 05:33:09.425 [INF] LTND: Waiting for wallet encryption password. Use lncli create to create a wallet, lncli unlock to unlock an existing wallet, or lncli changepassword to change the password of an existing wallet and unlock it.
2022-06-12 05:33:27.335 [INF] LNWL: Opened wallet
2022-06-12 05:33:27.453 [INF] CHRE: Primary chain is set to: bitcoin
2022-06-12 05:33:27.484 [INF] CHRE: Initializing bitcoind backed fee estimator in CONSERVATIVE mode
2022-06-12 05:33:27.484 [INF] LNWL: Started listening for bitcoind block notifications via ZMQ on 127.0.0.1:28332
2022-06-12 05:33:27.484 [INF] LNWL: Started listening for bitcoind transaction notifications via ZMQ on 127.0.0.1:28333
2022-06-12 05:33:29.238 [INF] LNWL: The wallet has been unlocked without a time limit
2022-06-12 05:33:29.243 [INF] CHRE: LightningWallet opened
2022-06-12 05:33:29.265 [INF] SRVR: Proxying all network traffic via Tor (stream_isolation=true)! NOTE: Ensure the backend node is proxying over Tor as well
2022-06-12 05:33:29.265 [INF] TORC: Starting tor controller
2022-06-12 05:33:29.270 [INF] HSWC: Cleaning circuits from disk for closed channels
2022-06-12 05:33:29.270 [INF] HSWC: Finished cleaning: no closed channels found, no actions taken.
2022-06-12 05:33:29.270 [INF] HSWC: Restoring in-memory circuit state from disk
2022-06-12 05:33:29.271 [INF] HSWC: Payment circuits loaded: num_pending=0, num_open=0
2022-06-12 05:33:29.277 [INF] LTND: Channel backup proxy channel notifier starting
2022-06-12 05:33:29.277 [INF] ATPL: Instantiating autopilot with active=true, max_channels=5, allocation=0.600000, min_chan_size=20000, max_chan_size=20000, private=true, min_confs=1, conf_target=3
2022-06-12 05:33:29.278 [INF] LTND: We're not running within systemd or the service type is not 'notify'
2022-06-12 05:33:29.279 [INF] LTND: Waiting for chain backend to finish sync, start_height=740462
2022-06-12 05:33:30.259 [INF] LNWL: Started rescan from block 0000000000000000000607d815ec84e40b128c9eb365ddd2a6415c67478aaaa5 (height 740462) for 1 address
2022-06-12 05:33:30.263 [INF] LNWL: Catching up block hashes to height 740462, this might take a while
2022-06-12 05:33:30.264 [INF] LNWL: Done catching up block hashes
2022-06-12 05:33:30.265 [INF] LNWL: Finished rescan for 1 address (synced to block 0000000000000000000607d815ec84e40b128c9eb365ddd2a6415c67478aaaa5, height 740462)
2022-06-12 05:33:30.287 [INF] LTND: Chain backend is fully synced (end_height=740462)!
2022-06-12 05:33:30.287 [WRN] HLCK: check: disk space configured with 0 attempts, skipping it
2022-06-12 05:33:30.287 [WRN] HLCK: check: tls configured with 0 attempts, skipping it
2022-06-12 05:33:30.287 [WRN] HLCK: check: tor connection configured with 0 attempts, skipping it
2022-06-12 05:33:30.287 [INF] LNWL: SigPool starting
2022-06-12 05:33:30.294 [INF] CHNF: ChannelNotifier starting
2022-06-12 05:33:30.294 [INF] PRNF: PeerNotifier starting
2022-06-12 05:33:30.294 [INF] HSWC: HtlcNotifier starting
2022-06-12 05:33:30.294 [INF] SWPR: Sweeper starting
2022-06-12 05:33:30.294 [INF] UTXN: UTXO nursery starting
2022-06-12 05:33:30.294 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:30.296 [INF] BRAR: Breach arbiter starting
2022-06-12 05:33:30.296 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:30.297 [INF] FNDG: Funding manager starting
2022-06-12 05:33:30.297 [INF] HSWC: HTLC Switch starting
2022-06-12 05:33:30.297 [INF] BRAR: Starting contract observer, watching for breaches.
2022-06-12 05:33:30.298 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:30.298 [INF] CNCT: ChainArbitrator starting
2022-06-12 05:33:30.298 [INF] DISC: Authenticated Gossiper starting
2022-06-12 05:33:30.298 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:30.298 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:30.300 [INF] CRTR: Channel Router starting
2022-06-12 05:33:30.302 [INF] CRTR: FilteredChainView starting
2022-06-12 05:33:30.325 [INF] CRTR: Filtering chain using 2446 channels active
2022-06-12 05:33:30.332 [INF] CRTR: Prune tip for Channel Graph: height=740462, hash=0000000000000000000607d815ec84e40b128c9eb365ddd2a6415c67478aaaa5
2022-06-12 05:33:30.336 [INF] INVC: InvoiceRegistry starting
2022-06-12 05:33:30.336 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:30.336 [INF] HSWC: Onion processor starting
2022-06-12 05:33:30.338 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:30.338 [INF] NANN: Channel Status Manager starting
2022-06-12 05:33:30.339 [INF] CHFT: ChannelEventStore starting
2022-06-12 05:33:30.339 [INF] CHFT: Adding 0 channels to event store
2022-06-12 05:33:30.339 [INF] CHBU: chanbackup.SubSwapper starting
2022-06-12 05:33:30.342 [INF] CHBU: Updating backup file at /home/starchild/.lnd/data/chain/bitcoin/mainnet/channel.backup
2022-06-12 05:33:30.344 [INF] CHBU: Swapping old multi backup file from /home/starchild/.lnd/data/chain/bitcoin/mainnet/temp-dont-use.backup to /home/starchild/.lnd/data/chain/bitcoin/mainnet/channel.backup
2022-06-12 05:33:30.348 [INF] BTCN: Server listening on 127.0.0.1:9735
2022-06-12 05:33:30.348 [INF] SRVR: Initializing peer network bootstrappers!
2022-06-12 05:33:30.348 [INF] SRVR: Creating DNS peer bootstrapper with seeds: [[nodes.lightning.directory soa.nodes.lightning.directory] [lseed.bitcoinstats.com ]]
2022-06-12 05:33:30.349 [INF] ATPL: Autopilot Agent starting
2022-06-12 05:33:30.349 [INF] DISC: Attempting to bootstrap with: Authenticated Channel Graph
2022-06-12 05:33:30.353 [INF] DISC: Obtained 4 addrs to bootstrap network with
2022-06-12 05:33:32.706 [INF] SRVR: Established connection to: 022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0@213.174.156.81:9735
2022-06-12 05:33:32.707 [INF] SRVR: Finalizing connection to 022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0@213.174.156.81:9735, inbound=false
2022-06-12 05:33:33.300 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:33.300 [INF] PEER: Negotiated chan series queries with 022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0
2022-06-12 05:33:33.300 [INF] DISC: Creating new GossipSyncer for peer=022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0
2022-06-12 05:33:33.300 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): requesting new chans from height=0 and 740462 blocks after
2022-06-12 05:33:34.292 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): buffering chan range reply of size=8000
2022-06-12 05:33:34.840 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): buffering chan range reply of size=7999
2022-06-12 05:33:35.354 [INF] DISC: Attempting to bootstrap with: BOLT-0010 DNS Seed: [[nodes.lightning.directory soa.nodes.lightning.directory] [lseed.bitcoinstats.com ]]
2022-06-12 05:33:35.389 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): buffering chan range reply of size=7997
2022-06-12 05:33:36.046 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): buffering chan range reply of size=7998
2022-06-12 05:33:36.599 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): buffering chan range reply of size=7999
2022-06-12 05:33:37.029 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): buffering chan range reply of size=7998
2022-06-12 05:33:37.030 [INF] SRVR: Established connection to: 02abbaa2bce7a353ec0624cfb91d19a3a6024d9bebdd96e79e6f289ea6915790e4@veur2fyjb7pzev6opgmgjjipllk4o5rqfakp32qxmgcu4tv47ssjgkyd.onion:9735
2022-06-12 05:33:37.031 [INF] SRVR: Finalizing connection to 02abbaa2bce7a353ec0624cfb91d19a3a6024d9bebdd96e79e6f289ea6915790e4@veur2fyjb7pzev6opgmgjjipllk4o5rqfakp32qxmgcu4tv47ssjgkyd.onion:9735, inbound=false
2022-06-12 05:33:37.114 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): buffering chan range reply of size=8000
2022-06-12 05:33:37.295 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): buffering chan range reply of size=7996
2022-06-12 05:33:37.508 [INF] SRVR: Established connection to: 02abbaa2bce7a353ec0624cfb91d19a3a6024d9bebdd96e79e6f289ea6915790e4@167.99.176.145:9735
2022-06-12 05:33:37.508 [INF] PEER: disconnecting 02abbaa2bce7a353ec0624cfb91d19a3a6024d9bebdd96e79e6f289ea6915790e4@veur2fyjb7pzev6opgmgjjipllk4o5rqfakp32qxmgcu4tv47ssjgkyd.onion:9735, reason: server: disconnecting peer 02abbaa2bce7a353ec0624cfb91d19a3a6024d9bebdd96e79e6f289ea6915790e4@veur2fyjb7pzev6opgmgjjipllk4o5rqfakp32qxmgcu4tv47ssjgkyd.onion:9735
2022-06-12 05:33:37.508 [INF] SRVR: Finalizing connection to 02abbaa2bce7a353ec0624cfb91d19a3a6024d9bebdd96e79e6f289ea6915790e4@167.99.176.145:9735, inbound=false
2022-06-12 05:33:37.610 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): buffering chan range reply of size=5272
2022-06-12 05:33:37.610 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): filtering through 69259 chans
2022-06-12 05:33:37.724 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): starting query for 68795 new chans
2022-06-12 05:33:37.725 [INF] DISC: GossipSyncer(022c260f9ad58196af280c80a96ec9eabf6404df59ff1a7553b0f381c875a29ba0): querying for 500 new channels
2022-06-12 05:33:37.812 [INF] PEER: Negotiated chan series queries with 02abbaa2bce7a353ec0624cfb91d19a3a6024d9bebdd96e79e6f289ea6915790e4
2022-06-12 05:33:37.812 [INF] DISC: Creating new GossipSyncer for peer=02abbaa2bce7a353ec0624cfb91d19a3a6024d9bebdd96e79e6f289ea6915790e4
2022-06-12 05:33:37.812 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:37.996 [INF] DISC: GossipSyncer(02abbaa2bce7a353ec0624cfb91d19a3a6024d9bebdd96e79e6f289ea6915790e4): applying new update horizon: start=2106-02-07 01:28:15 -0500 EST, end=2242-03-16 08:56:30 -0400 EDT, backlog_size=0
2022-06-12 05:33:40.204 [WRN] BTCN: Query(0) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:33:40.205 [WRN] BTCN: Query(1) from peer 475kwludm6mzxnaax4uex6cy45nvghon4iw7l4fcdmpjcw5422y4ddid.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:33:41.999 [INF] DISC: Obtained 2 addrs to bootstrap network with
2022-06-12 05:33:44.205 [WRN] BTCN: Query(0) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:33:44.206 [WRN] BTCN: Query(1) from peer 475kwludm6mzxnaax4uex6cy45nvghon4iw7l4fcdmpjcw5422y4ddid.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:33:44.212 [INF] SRVR: Established connection to: 026748b567640ddf9679d1b96d7621c94e81afadac07fc6088c92b456ca8f85495@51.158.31.0:4026
2022-06-12 05:33:44.212 [INF] SRVR: Finalizing connection to 026748b567640ddf9679d1b96d7621c94e81afadac07fc6088c92b456ca8f85495@51.158.31.0:4026, inbound=false
2022-06-12 05:33:44.656 [INF] PEER: Negotiated chan series queries with 026748b567640ddf9679d1b96d7621c94e81afadac07fc6088c92b456ca8f85495
2022-06-12 05:33:44.656 [INF] DISC: Creating new GossipSyncer for peer=026748b567640ddf9679d1b96d7621c94e81afadac07fc6088c92b456ca8f85495
2022-06-12 05:33:44.656 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:46.723 [WRN] BTCN: Query(2) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:33:46.906 [WRN] BTCN: Query(3) from peer 475kwludm6mzxnaax4uex6cy45nvghon4iw7l4fcdmpjcw5422y4ddid.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:33:48.100 [INF] SRVR: Established connection to: 02113fba7b4a54068a335b2a042fd889138f6eb3c791eea6435e144cde90409d47@150.220.103.131:9735
2022-06-12 05:33:48.100 [INF] SRVR: Finalizing connection to 02113fba7b4a54068a335b2a042fd889138f6eb3c791eea6435e144cde90409d47@150.220.103.131:9735, inbound=false
2022-06-12 05:33:48.789 [INF] PEER: Negotiated chan series queries with 02113fba7b4a54068a335b2a042fd889138f6eb3c791eea6435e144cde90409d47
2022-06-12 05:33:48.789 [INF] DISC: Creating new GossipSyncer for peer=02113fba7b4a54068a335b2a042fd889138f6eb3c791eea6435e144cde90409d47
2022-06-12 05:33:48.789 [INF] NTFN: New block epoch subscription
2022-06-12 05:33:50.276 [ERR] SRVR: Unable to connect to 02b80cabdf82638aac86948e4c06e82064f547768dcef977677b9ea931ea75bab5@138.68.244.82:9735: dial proxy failed: socks connect tcp 127.0.0.1:9050->138.68.244.82:9735: unknown error general SOCKS server failure
2022-06-12 05:33:50.724 [WRN] BTCN: Query(2) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:33:50.907 [WRN] BTCN: Query(3) from peer 475kwludm6mzxnaax4uex6cy45nvghon4iw7l4fcdmpjcw5422y4ddid.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:33:58.726 [WRN] BTCN: Query(2) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:33:58.908 [WRN] BTCN: Query(3) from peer 475kwludm6mzxnaax4uex6cy45nvghon4iw7l4fcdmpjcw5422y4ddid.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:34:06.372 [WRN] BTCN: Query(4) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:34:10.373 [WRN] BTCN: Query(4) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:34:10.373 [WRN] BTCN: Query(4) failed with error: did not get response before timeout. Timing out.
2022-06-12 05:34:13.707 [WRN] BTCN: Query(5) from peer 475kwludm6mzxnaax4uex6cy45nvghon4iw7l4fcdmpjcw5422y4ddid.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:34:13.707 [WRN] BTCN: Query(5) failed with error: did not get response before timeout. Timing out.
2022-06-12 05:34:17.707 [WRN] BTCN: Query(5) from peer 475kwludm6mzxnaax4uex6cy45nvghon4iw7l4fcdmpjcw5422y4ddid.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:34:18.374 [WRN] BTCN: Query(4) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:34:25.158 [WRN] BTCN: Query(6) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:34:25.158 [WRN] BTCN: Query(6) failed with error: did not get response before timeout. Timing out.
2022-06-12 05:34:25.708 [WRN] BTCN: Query(5) from peer 475kwludm6mzxnaax4uex6cy45nvghon4iw7l4fcdmpjcw5422y4ddid.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:34:29.159 [WRN] BTCN: Query(6) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:34:34.542 [WRN] BTCN: Query(7) from peer x7z4axhkzyehhbvlxew74mygsopithpl4j3rw23oa5gfcvdluyyawead.onion:8333 failed, rescheduling: did not get response before timeout
2022-06-12 05:34:34.542 [WRN] BTCN: Query(7) failed with error: did not get response before timeout. Timing out.
2022-06-12 05:34:37.161 [WRN] BTCN: Query(6) from peer dyh7gsaxlvyutizlrtziei2msfs7ke7bhphfuu4qqoes2orsxzxryzad.onion:8333 failed, rescheduling: did not get response before timeout
guggero
Background
I have spent a lot of time trying to configure tor proxy with lnd and have yet to find the correct way to set this up to work.
Your environment
*lnd version 0.15.0-beta.rc4 commit=v0.15.0-beta.rc4
*Linux Kali/Debian Custom 5.16.14-custom #20220330 SMP PREEMPT Wed Mar 30 10:14:41 EDT 2022 x86_64 GNU/Linux Custom kernel is Kali 5.16.14 kernel with an additional flag to synchronize system compiler with kernel compiler for a header build of Kali/Debian. Kali 2022.2 and Debian-11 In summary.
bitcoind is backend compiled from bitcoin-core master: Bitcoin Core RPC client version v23.99.0-g51527ec1ec4264f7e24ef548bb049db07a89fc7f Compiled with: ./configure BDB_LIBS="-L${BDB_PREFIX}/lib -ldb_cxx-4.8" BDB_CFLAGS="-I${BDB_PREFIX}/include" --enable-wallet --enable-usdt --with-qrencode --with-zmq --with-mpgen=yes --with-sqlite3 --with-gui --with-miniupnpc --with-natpmp --enable-hardening And additional steps for multiprocess=1
lnd Was compiled with all additional dev flags as per make release-install. Run from /go/bin with ./lnd or /lncli
A NAT environment has been custom placed with iptables with a script blocking all outgoing and income traffic except for open ports designated under iptables rules. -> this is where I began noticing errors as it seems this is likely a port forwarding issue which lnd is not compatible with
Steps to reproduce
I will submit here the config files in iptables.sh, torrc, lnd.conf, and bitcoin.conf to try and locate the concern in question with redacted portions.
iptables.sh (this is a hand-tailored firewall I made myself off of https://github.com/krabelize/advanced-iptables-and-ip6tables-persistent-firewall/blob/master/4iptables.sh), which after solving any troubleshooting, I will likely submit there as a custom fit solution to the original script:
!/bin/bash
By krabelize | cryptsus.com
Edit-Merge by SatoriHoshiAiko
Persistent IPv4 iptables firewall script
LOOPBACK="127.0.0.0/8" NIC_DATA="eth0" NIC_MGMT="eth0" SERVER_IP_DATA=$(hostname -I | awk '{print $1}') SERVER_IP_MGMT=$(hostname -I | awk '{print $1}') LOCAL_NETWORK="192.168.1.1/24" DNS1="1.1.1.1" DNS2="8.8.8.8"
Reset all IPv4 iptables rules
iptables -F iptables -X
Disallowing any IPv4 traffic as deny any any
iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP
Allow loopback connections but block remote packets claming to be from the loopback interface
iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -s $LOOPBACK ! -i lo -j DROP
Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
################
INPUT rules
################
Allow incoming OpenVPN connections to this host
iptables -A INPUT -i $NIC_MGMT -p udp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p udp -s $SERVER_IP_MGMT -d 0/0 --sport 1194 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
RealVNC Services
iptables -A INPUT -i $NIC_MGMT -p udp -s 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p udp -s $SERVER_IP_MGMT -d 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 --sport 3478 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p udp -s 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 11000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p udp -s $SERVER_IP_MGMT -d 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 --sport 11000:20000 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow incoming HTTP(S) sessions for serving BTCPay or Website at Local Host
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 80 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 443 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow serving web content on 127.0.0.1:8080 and Lnd REST configured to 127.0.0.1:8081 (please set lndrest to 8081 in lnd.conf with restlisten=127.0.0.1:8081 (localhost:8081) and make 8080 available for other general web serving
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8080 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8081 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow incoming DNS resolving from the outside over tcp port 53 (lnd requires this for Tor)
iptables -A INPUT -i $NIC_MGMT -p tcp -s $DNS1 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d $DNS1 --sport 53 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s $DNS2 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d $DNS2 --sport 53 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow DNS resolving from the outside with udp also if desired
iptables -A INPUT -i $NIC_MGMT -p udp -s $DNS1 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p udp -s $SERVER_IP_MGMT -d $DNS1 --sport 53 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p udp -s $DNS2 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p udp -s $SERVER_IP_MGMT -d $DNS2 --sport 53 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow Bitcoin (8333), Lnd/Lightning (9735), Bitcoin RPC (8332) and Lnd RPC (10009) to Communicate with this host
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8333 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8333 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9735 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9735 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 8332 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 8332 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 10009 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 10009 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow ZMQ to be reachable from the outside - Off by default since ZMQ is only required locally between bitcoind and lnd/lightningd
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 28333 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 28333 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 28332 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 28332 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow your lightning node(s) Hidden Services (.onion external ip) to be reachable from the outside - bitcoind proxies on 8333 by default. lightningd can be configured to 1234, and and can be configured to 6969
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 1234 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 6969 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Bypass firewall for bitcoind lnd issues with Tor and Firewall
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 8333 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 8332 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 10009 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 9052 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 9735 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow Hidden Service Ports and make Hidden Service Such as Content or Socket Reachable from Outside (Please Configure your ports in /etc/tor/torrc to match your Additional Hidden Services)
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport #### -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport #### --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport #### -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport #### --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow Tor Control Port 9051 and 9050/9052 (default configuration is 9050 for both, please set socks port separate for each instance of bitcoind lnd and verify as SocksPort #### in /etc/tor/torrc) - bitcoind and lightningd/lnd use this for Tor Nodes
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9050 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9051 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9052 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9052 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Additional Tor ports can be added as above, for hidden services or proxies to connect from the outside such as 9050 and 9100 for proxy, 9001 to advertise a relay location, 9090 if advertising a location other than 9001, Directories on 9030, or 9091 if on another port
Off by default since Tor Relay not being used
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9001 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9090 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9090 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9030 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9030 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_MGMT -p tcp -s 0/0 -d $SERVER_IP_MGMT --sport 32768:65535 --dport 9091 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_MGMT -p tcp -m tcp -s $SERVER_IP_MGMT -d 0/0 --sport 9091 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
#################
OUTPUT rules
#################
Allow outgoing SSH sessions
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 22 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow Bitcoin and Lnd P2P with Lightningd's Tor Port 1234 and customd lnd hidden service port 6969
**Configure torrc HiddenServicePort with 6969 127.0.0.1:9735 for lnd - 1234 127.0.0.1:9735 for lightningd - 8333 127.0.0.1:8333 under hidden services, to set an onion address for your node(s) as a hidden service. The some hidden service directory can be used for all 3 by setting different ports to each, and the same onion address will locate your nodes on different ports. Tor will port forward to the node(s) standard ports.
Bitcoin/Lightning/Lnd Ports
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 8333 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 8333 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9735 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9735 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
lightningd and lnd Hidden Service Ports (please configure to /etc/tor/torrc as "HiddenServicePort 1234 127.0.0.1 9735" and "HiddenServicePort 6969 127.0.0.1 9735")
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 1234 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 6969 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Bitcoind and Lnd RPC connections
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 8332 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 8332 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 10009 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 10009 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Optional expose ZMQ to internet, off by default sinze ZMQ is only required locally between bitcoin and lightning
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 28333 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 28333 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 28332 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 28332 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Open-NAT for bitcoind lnd Tor NAT/proxy issues - Off by default, for troubleshooting only
iptables -A OUTPUT -p tcp -m tcp -d 0/0 --dport 8333 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d 0/0 --dport 8332 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d 0/0 --dport 10009 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d 0/0 --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d 0/0 --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d 0/0 --dport 9052 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d 0/0 --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d 0/0 --dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d 0/0 --dport 9735 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow Hidden-Services over Tor (Check /etc/tor/torrc and configure the configure or correct the default ports for your custom Hidden Services)
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport #### -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport #### --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport #### -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport #### --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow Tor Control Port/Proxy outbound traffic
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9050 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9051 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9052 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9052 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow Tor Relay and DataDir Outbound - Off by default unless using relay/datadir
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9001 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9090 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9090 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9030 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9030 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 9091 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NIC_DATA -p tcp -d $SERVER_IP_DATA -s 0/0 --sport 9091 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow outgoing DNS lookups (tcp is included here for lnd protocol) - Google (DNS2) Turned Off By Default - Google On for RealVNC over udp/tcp
iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA -d $DNS1 --sport 32768:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -s $DNS1 -d $SERVER_IP_DATA --sport 53 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA -d $DNS2 --sport 32768:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -s $DNS2 -d $SERVER_IP_DATA --sport 53 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d $DNS1 --sport 32768:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s $DNS1 -d $SERVER_IP_DATA --sport 53 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -s $SERVER_IP_DATA -d $DNS2 --sport 32768:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s $DNS2 -d $SERVER_IP_DATA --sport 53 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow outgoing ICMP ping requests
iptables -A OUTPUT -o $NIC_DATA -p icmp --icmp-type 8 -s $SERVER_IP_DATA -d 0/0 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p icmp --icmp-type 0 -d $SERVER_IP_DATA -s 0/0 -m state --state ESTABLISHED -j ACCEPT
Allow outgoing HTTP(S) sessions for apt-get update and wget and web-serving sessions
iptables -A OUTPUT -o $NIC_DATA -p tcp -m tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 80 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -m tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 443 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Use localhost for serving web content on 127.0.0.1:8080 and Lnd REST on 127.0.0.1:8081
iptables -A OUTPUT -o $NIC_DATA -p tcp -m tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 8080 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p tcp -m tcp -s $SERVER_IP_DATA --sport 32768:65535 -d 0/0 --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p tcp -s 0/0 -d $SERVER_IP_DATA --sport 8081 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow Feedback from RealVNC
iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA --sport 32768:65535 -d 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -s 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 -d $SERVER_IP_DATA --sport 3478 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA --sport 32768:65535 -d 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 --dport 11000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -s 212.119.29.128/28,165.254.239.128/28,165.254.191.192/28 -d $SERVER_IP_DATA --sport 11000:20000 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow DHCP handshakes for dynamic network settings
iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 68 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -d $SERVER_IP_DATA -s 0/0 --sport 68 --dport 32768:65535 -m state --state ESTABLISHED -j ACCEPT
Allow outgoing NTP for time sync
iptables -A OUTPUT -o $NIC_DATA -p udp -s $SERVER_IP_DATA -d 0/0 --sport 32768:65535 --dport 123 -m state --state NEW -j ACCEPT iptables -A INPUT -i $NIC_DATA -p udp -d $SERVER_IP_DATA -s 0/0 --sport 123 --dport 32768:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
Make sure nothing else goes IN or OUT from this host
iptables -A INPUT -j DROP iptables -A OUTPUT -j DROP
Save IPv4 iptables config
iptables4.rules should be executed on boot by modifying /etc/network/if-pre-up.d/iptables
sudo sh -c "iptables-save > /sbin/scripts/iptables4.rules" sudo sh -c "netfilter-persistent save"
Please note - This is an unfinished template for ipv4 firewall/filter that is test-only for now, I believe this issue is going to see edits to the above that will solve issues with lnd
torrc flags -
SocksPort 9050 SocksPort 9052 RunAsDaemon 1 DataDirectory /redacted - privacy reasons ControlPort 9051 CookieAuthFile /redacted/control.authcookie - readable by lnd, bitcoind CookieAuthentication 1 CookieAuthFileGroupReadble 1
HiddenServiceDir /[Redacted bitcoind service location] HiddenServicePort 8333 127.0.0.1:8333
HiddenServiceDir /[redacted lnd service location] HiddenServicePort 6969 127.0.0.1:9735
HiddenServiceDir /[redacted lightningd service location] - C-Lightning is not currently being used in favor of lnd HiddenServicePort 1234 127.0.0.1:9735
HiddenServiceDir /[other hidden services redacted other ports] HiddenServicePort #### 127.0.0.1:####
HiddenServiceDir /[other hidden services redacted other ports] HiddenServicePort #### 127.0.0.1:####
bitcoin.conf -
mainnet=1 server=1 daemon=1 rpcauth=[redacted admin:hash] rpcallowip=[redacted public ip]/32 rpcbind=127.0.0.1 rpcport=8332 proxy=127.0.0.1:9050 listen=1 listenonion=1 bind=127.0.0.1:8333 zmqpubrawblock=tcp://127.0.0.1:28332 zmqpubrawtx=tcp://127.0.0.1:28333 whitelist=127.0.0.1 externalip=[redacted].onion:8333 onlynet=onion debug=tor seednode=2g5qfdkn2vvcbqhzcyvyiitg4ceukybxklraxjnu7atlhd22gdwywaid.onion:8333
seednode=2jmtxvyup3ijr7u6uvu7ijtnojx4g5wodvaedivbv74w4vzntxbrhvad.onion:8333 seednode=37m62wn7dz3uqpathpc4qfmgrbupachj52nt3jbtbjugpbu54kbud7yd.onion:8333 seednode=5g72ppm3krkorsfopcm2bi7wlv4ohhs4u4mlseymasn7g7zhdcyjpfid.onion:8333 seednode=7cgwjuwi5ehvcay4tazy7ya6463bndjk6xzrttw5t3xbpq4p22q6fyid.onion:8333 seednode=7pyrpvqdhmayxggpcyqn5l3m5vqkw3qubnmgwlpya2mdo6x7pih7r7id.onion:8333 seednode=b64xcbleqmwgq2u46bh4hegnlrzzvxntyzbmucn3zt7cssm7y4ubv3id.onion:8333 seednode=ejxefzf5fpst4mg2rib7grksvscl7p6fvjp6agzgfc2yglxnjtxc3aid.onion:8333 seednode=fjdyxicpm4o42xmedlwl3uvk5gmqdfs5j37wir52327vncjzvtpfv7yd.onion:8333 seednode=fpz6r5ppsakkwypjcglz6gcnwt7ytfhxskkfhzu62tnylcknh3eq6pad.onion:8333 seednode=fzhn4uoxfbfss7h7d6ffbn266ca432ekbbzvqtsdd55ylgxn4jucm5qd.onion:8333 seednode=gxo5anvfnffnftfy5frkgvplq3rpga2ie3tcblo2vl754fvnhgorn5yd.onion:8333 seednode=ifdu5qvbofrt4ekui2iyb3kbcyzcsglazhx2hn4wfskkrx2v24qxriid.onion:8333 seednode=itz3oxsihs62muvknc237xabl5f6w6rfznfhbpayrslv2j2ubels47yd.onion:8333 seednode=lrjh6fywjqttmlifuemq3puhvmshxzzyhoqx7uoufali57eypuenzzid.onion:8333 seednode=m7cbpjolo662uel7rpaid46as2otcj44vvwg3gccodnvaeuwbm3anbyd.onion:8333 seednode=opnyfyeiibe5qo5a3wbxzbb4xdiagc32bbce46owmertdknta5mi7uyd.onion:8333 seednode=owjsdxmzla6d7lrwkbmetywqym5cyswpihciesfl5qdv2vrmwsgy4uqd.onion:8333 seednode=q7kgmd7n7h27ds4fg7wocgniuqb3oe2zxp4nfe4skd5da6wyipibqzqd.onion:8333 seednode=rp7k2go3s5lyj3fnj6zn62ktarlrsft2ohlsxkyd7v3e3idqyptvread.onion:8333 seednode=sys54sv4xv3hn3sdiv3oadmzqpgyhd4u4xphv4xqk64ckvaxzm57a7yd.onion:8333 seednode=tddeij4qigtjr6jfnrmq6btnirmq5msgwcsdpcdjr7atftm7cxlqztid.onion:8333 seednode=vi5bnbxkleeqi6hfccjochnn65lcxlfqs4uwgmhudph554zibiusqnad.onion:8333 seednode=xqt25cobm5zqucac3634zfght72he6u3eagfyej5ellbhcdgos7t2had.onion:8333 dnsseed=0 dns=0 maxconnections=48 maxuploadtarget=8192 prune=2048 keypool=20480 assumevalid=1
lnd.conf -
alias=[alias] tor.active=1 tor.v3=true tor.streamisolation=true tor.targetipaddress=127.0.0.1 tor.socks=127.0.0.1:9052 tor.control=127.0.0.1:9051 tor.dns=soa.nodes.lightning.directory:53 tor.privatekeypath=[redacted custom location] - tic.cert tlc.key and v3 key are all in directory - points to v3 key externalip=[redacted].onion:6969 restlisten=127.0.0.1:8081 rpclisten=0.0.0.0:10009 listen=localhost:9735 bitcoin.active=true bitcoin.mainnet=1 bitcoin.node=bitcoind bitcoind.dir=[redacted]/.bitcoin bitcoind.rpchost=127.0.0.1 bitcoind.rpcuser=[redacted admin] bitcoind.rpcpass=[redacted pass] bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332 bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333
Final notes - all of tor, lnd, bitcoind, are run directly by admin user. Tor is not being run as a system service but by user directly. Ownership permissions have all been set to run as local admin user and the debian-tor group has been bypassed or committed with admin being owner of tor and controlling it.
It is possible that lnd runs tor as its own user, and therefore does not receive the same permissions such as to the hidden service directories. If lnd itself runs tor and as a member of the Debian-tor user group, it could most definitely run into conflict when it tries to use the hidden service directories as the directory permissions and use of tor, lnd, bitcoins are all done by admin and not the Debian-tor group in each case.
I will try allowing permissions to lnd hidden service to allow lnd rwx permissions on this folder.
Expected behaviour
Everything should be set to allow lnd to communicate with peers over tor. tcp/udp firewall that is built allows all the two-way connections only where required, and should have no issue using tor Socks proxy, should be able to port forward 9052 to 9735, and both ports are open two ways. DNS is available to 1.1.1.1 and 8.8.8.8 on both udp and tcp allowing any dns resolving to take place.
Peers on the network should be able to make inbound connections.
Everything should function as normal and succeed.
Actual behaviour
startup commands are
tor - run as user directly not as part of Debian-tor
echo is
Jun 09 02:44:35.484 [notice] Tor 0.4.7.7 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1o, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.5.2 and Glibc 2.33 as libc. Jun 09 02:44:35.516 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/ Jun 09 02:44:35.516 [notice] Read configuration file "/etc/tor/torrc". Jun 09 02:44:35.547 [notice] Opening Socks listener on 127.0.0.1:9050 Jun 09 02:44:35.547 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050 Jun 09 02:44:35.547 [notice] Opening Socks listener on 127.0.0.1:9052 Jun 09 02:44:35.547 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9052 Jun 09 02:44:35.547 [notice] Opening Control listener on 127.0.0.1:9051 Jun 09 02:44:35.547 [notice] Opened Control listener connection (ready) on 127.0.0.1:9051
A quick check of the tor proxy status shows:
curl --socks5 localhost:9050 --socks5-hostname localhost:9050 -s https://check.torproject.org/api/ip
{"IsTor":true,"IP":"[Redacted xx.xx.xx.xx]"}
curl --socks5 localhost:9052 --socks5-hostname localhost:9052 -s https://check.torproject.org/api/ip
{"IsTor":true,"IP":"[Redacted xx.xx.xx.xx]"}
bitcoin-qt
echo
Bitcoin-Core starting
runs fine, RPC is set, tor connections are not causing any bugs
cd ../go/bin ./lnd
echo
2022-06-09 03:29:08.291 [INF] LTND: Version: 0.15.0-beta.rc4 commit=v0.15.0-beta.rc4, build=production, logging=default, debuglevel=info 2022-06-09 03:29:08.292 [INF] LTND: Active chain: Bitcoin (network=mainnet) 2022-06-09 03:29:08.294 [INF] RPCS: RPC server listening on 0.0.0.0:10009 2022-06-09 03:29:08.305 [INF] RPCS: gRPC proxy started at 127.0.0.1:8081 2022-06-09 03:29:08.305 [INF] LTND: Opening the main database, this might take a few minutes... 2022-06-09 03:29:08.305 [INF] LTND: Opening bbolt database, sync_freelist=false, auto_compact=false 2022-06-09 03:29:08.346 [INF] LTND: Creating local graph and channel state DB instances 2022-06-09 03:29:08.389 [INF] CHDB: Checking for schema update: latest_version=27, db_version=27 2022-06-09 03:29:08.389 [INF] LTND: Database(s) now open (time_to_open=83.995626ms)! 2022-06-09 03:29:08.389 [INF] LTND: We're not running within systemd or the service type is not 'notify' 2022-06-09 03:29:08.389 [INF] LTND: Waiting for wallet encryption password. Use
lncli createto create a wallet,lncli unlockto unlock an existing wallet, orlncli changepasswordto change the password of an existing wallet and unlock it../lncli unlock
echo
lnd successfully unlocked!
./lnd terminal =
2022-06-09 03:30:01.588 [INF] LNWL: Opened wallet 2022-06-09 03:30:01.724 [INF] CHRE: Primary chain is set to: bitcoin 2022-06-09 03:30:01.759 [INF] CHRE: Initializing bitcoind backed fee estimator in CONSERVATIVE mode 2022-06-09 03:30:01.760 [INF] LNWL: Started listening for bitcoind block notifications via ZMQ on 127.0.0.1:28332 2022-06-09 03:30:01.761 [INF] LNWL: Started listening for bitcoind transaction notifications via ZMQ on 127.0.0.1:28333 2022-06-09 03:30:04.448 [INF] LNWL: The wallet has been unlocked without a time limit 2022-06-09 03:30:04.454 [INF] CHRE: LightningWallet opened 2022-06-09 03:30:04.475 [INF] SRVR: Proxying all network traffic via Tor (stream_isolation=true)! NOTE: Ensure the backend node is proxying over Tor as well 2022-06-09 03:30:04.475 [INF] TORC: Starting tor controller 2022-06-09 03:30:04.480 [INF] HSWC: Cleaning circuits from disk for closed channels 2022-06-09 03:30:04.480 [INF] HSWC: Finished cleaning: no closed channels found, no actions taken. 2022-06-09 03:30:04.480 [INF] HSWC: Restoring in-memory circuit state from disk 2022-06-09 03:30:04.481 [INF] HSWC: Payment circuits loaded: num_pending=0, num_open=0 2022-06-09 03:30:04.488 [INF] LTND: Channel backup proxy channel notifier starting 2022-06-09 03:30:04.488 [INF] ATPL: Instantiating autopilot with active=false, max_channels=5, allocation=0.600000, min_chan_size=20000, max_chan_size=16777215, private=false, min_confs=1, conf_target=3 2022-06-09 03:30:04.489 [INF] LTND: We're not running within systemd or the service type is not 'notify' 2022-06-09 03:30:04.491 [INF] LTND: Waiting for chain backend to finish sync, start_height=740013 2022-06-09 03:30:05.465 [INF] LNWL: Started rescan from block 00000000000000000002ecee70f4ac561abc9d5c4b7ad5ffceb849a91e84f4e1 (height 740013) for 1 address 2022-06-09 03:30:05.468 [INF] LNWL: Catching up block hashes to height 740013, this might take a while 2022-06-09 03:30:05.469 [INF] LNWL: Done catching up block hashes 2022-06-09 03:30:05.469 [INF] LNWL: Finished rescan for 1 address (synced to block 00000000000000000002ecee70f4ac561abc9d5c4b7ad5ffceb849a91e84f4e1, height 740013) 2022-06-09 03:30:05.498 [INF] LTND: Chain backend is fully synced (end_height=740013)! 2022-06-09 03:30:05.498 [WRN] HLCK: check: disk space configured with 0 attempts, skipping it 2022-06-09 03:30:05.498 [WRN] HLCK: check: tls configured with 0 attempts, skipping it 2022-06-09 03:30:05.498 [WRN] HLCK: check: tor connection configured with 0 attempts, skipping it 2022-06-09 03:30:05.498 [INF] LNWL: SigPool starting 2022-06-09 03:30:05.505 [INF] CHNF: ChannelNotifier starting 2022-06-09 03:30:05.505 [INF] PRNF: PeerNotifier starting 2022-06-09 03:30:05.505 [INF] HSWC: HtlcNotifier starting 2022-06-09 03:30:05.505 [INF] SWPR: Sweeper starting 2022-06-09 03:30:05.505 [INF] UTXN: UTXO nursery starting 2022-06-09 03:30:05.505 [INF] NTFN: New block epoch subscription 2022-06-09 03:30:05.507 [INF] NTFN: New block epoch subscription 2022-06-09 03:30:05.508 [INF] BRAR: Breach arbiter starting 2022-06-09 03:30:05.508 [INF] FNDG: Funding manager starting 2022-06-09 03:30:05.508 [INF] BRAR: Starting contract observer, watching for breaches. 2022-06-09 03:30:05.508 [INF] HSWC: HTLC Switch starting 2022-06-09 03:30:05.509 [INF] NTFN: New block epoch subscription 2022-06-09 03:30:05.509 [INF] CNCT: ChainArbitrator starting 2022-06-09 03:30:05.509 [INF] DISC: Authenticated Gossiper starting 2022-06-09 03:30:05.509 [INF] NTFN: New block epoch subscription 2022-06-09 03:30:05.509 [INF] NTFN: New block epoch subscription 2022-06-09 03:30:05.510 [INF] CRTR: Channel Router starting 2022-06-09 03:30:05.512 [INF] CRTR: FilteredChainView starting 2022-06-09 03:30:05.540 [INF] CRTR: Filtering chain using 2325 channels active 2022-06-09 03:30:05.544 [INF] CRTR: Prune tip for Channel Graph: height=740013, hash=00000000000000000002ecee70f4ac561abc9d5c4b7ad5ffceb849a91e84f4e1 2022-06-09 03:30:05.548 [INF] INVC: InvoiceRegistry starting 2022-06-09 03:30:05.548 [INF] HSWC: Onion processor starting 2022-06-09 03:30:05.548 [INF] NTFN: New block epoch subscription 2022-06-09 03:30:05.551 [INF] NTFN: New block epoch subscription 2022-06-09 03:30:05.551 [INF] NANN: Channel Status Manager starting 2022-06-09 03:30:05.552 [INF] CHFT: ChannelEventStore starting 2022-06-09 03:30:05.552 [INF] CHFT: Adding 0 channels to event store 2022-06-09 03:30:05.552 [INF] CHBU: chanbackup.SubSwapper starting 2022-06-09 03:30:05.557 [INF] CHBU: Updating backup file at /home/starchild/.lnd/data/chain/bitcoin/mainnet/channel.backup 2022-06-09 03:30:05.560 [INF] CHBU: Swapping old multi backup file from /home/starchild/.lnd/data/chain/bitcoin/mainnet/temp-dont-use.backup to /home/starchild/.lnd/data/chain/bitcoin/mainnet/channel.backup 2022-06-09 03:30:05.564 [INF] BTCN: Server listening on 127.0.0.1:9735 2022-06-09 03:30:05.564 [INF] SRVR: Initializing peer network bootstrappers! 2022-06-09 03:30:05.565 [INF] SRVR: Creating DNS peer bootstrapper with seeds: [[nodes.lightning.directory soa.nodes.lightning.directory] [lseed.bitcoinstats.com ]] 2022-06-09 03:30:05.565 [INF] DISC: Attempting to bootstrap with: BOLT-0010 DNS Seed: [[nodes.lightning.directory soa.nodes.lightning.directory] [lseed.bitcoinstats.com ]] 2022-06-09 03:30:09.148 [ERR] DISC: Unable to query bootstrapper BOLT-0010 DNS Seed: [[nodes.lightning.directory soa.nodes.lightning.directory] [lseed.bitcoinstats.com ]]: tor host is unreachable 2022-06-09 03:30:09.148 [INF] DISC: Attempting to bootstrap with: Authenticated Channel Graph 2022-06-09 03:30:09.151 [INF] DISC: Obtained 5 addrs to bootstrap network with 2022-06-09 03:30:10.154 [ERR] SRVR: Unable to connect to 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9@[2a04:2180:1:7::7]:9735: tor general error 2022-06-09 03:30:10.154 [ERR] SRVR: Unable to connect to 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9@[2a04:2180:1:7::7]:9735: tor general error 2022-06-09 03:30:11.684 [INF] SRVR: Established connection to: 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9@185.25.48.148:9735 2022-06-09 03:30:11.684 [INF] SRVR: Finalizing connection to 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9@185.25.48.148:9735, inbound=false 2022-06-09 03:30:12.292 [INF] NTFN: New block epoch subscription 2022-06-09 03:30:12.292 [INF] PEER: Negotiated chan series queries with 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9 2022-06-09 03:30:12.292 [INF] DISC: Creating new GossipSyncer for peer=02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9 2022-06-09 03:30:12.292 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): requesting new chans from height=0 and 740013 blocks after 2022-06-09 03:30:12.335 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): applying new update horizon: start=2106-02-07 01:28:15 -0500 EST, end=2242-03-16 08:56:30 -0400 EDT, backlog_size=0 2022-06-09 03:30:13.186 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8186 2022-06-09 03:30:13.608 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8186 2022-06-09 03:30:13.720 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8186 2022-06-09 03:30:14.154 [INF] DISC: Attempting to bootstrap with: BOLT-0010 DNS Seed: [[nodes.lightning.directory soa.nodes.lightning.directory] [lseed.bitcoinstats.com ] 2022-06-09 03:30:14.295 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8185 2022-06-09 03:30:14.486 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8181 2022-06-09 03:30:14.626 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8186 2022-06-09 03:30:14.901 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8186 2022-06-09 03:30:15.064 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8185 2022-06-09 03:30:15.170 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8171 2022-06-09 03:30:15.312 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=6915 2022-06-09 03:30:15.312 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): filtering through 80567 chans 2022-06-09 03:30:15.430 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): starting query for 79486 new chans 2022-06-09 03:30:15.430 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): querying for 500 new channels 2022-06-09 03:30:18.535 [INF] SRVR: Established connection to: 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9@185.25.48.114:9735 2022-06-09 03:30:18.535 [INF] PEER: disconnecting 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9@185.25.48.148:9735, reason: server: disconnecting peer 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9@185.25.48.148:9735 2022-06-09 03:30:18.535 [INF] NTFN: Cancelling epoch notification, epoch_id=8 2022-06-09 03:30:18.535 [INF] PEER: unable to read message from 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9@185.25.48.148:9735: read tcp 127.0.0.1:51622->127.0.0.1:9052: use of closed network connection 2022-06-09 03:30:18.536 [INF] DISC: Removing GossipSyncer for peer=02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9 2022-06-09 03:30:18.536 [INF] SRVR: Finalizing connection to 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9@185.25.48.114:9735, inbound=false 2022-06-09 03:30:18.909 [INF] PEER: Negotiated chan series queries with 02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9 2022-06-09 03:30:18.909 [INF] DISC: Creating new GossipSyncer for peer=02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9 2022-06-09 03:30:18.909 [INF] NTFN: New block epoch subscription 2022-06-09 03:30:18.909 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): requesting new chans from height=0 and 740013 blocks after 2022-06-09 03:30:18.909 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): applying new update horizon: start=2106-02-07 01:28:15 -0500 EST, end=2242-03-16 08:56:30 -0400 EDT, backlog_size=0 2022-06-09 03:30:19.603 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8186 2022-06-09 03:30:19.902 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8186 2022-06-09 03:30:20.052 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8186 2022-06-09 03:30:20.167 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8185 2022-06-09 03:30:20.225 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8181 2022-06-09 03:30:20.451 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8186 2022-06-09 03:30:20.498 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8186 2022-06-09 03:30:20.527 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8185 2022-06-09 03:30:20.559 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=8171 2022-06-09 03:30:20.698 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): buffering chan range reply of size=6915 2022-06-09 03:30:20.698 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): filtering through 80567 chans 2022-06-09 03:30:20.821 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): starting query for 79486 new chans 2022-06-09 03:30:20.821 [INF] DISC: GossipSyncer(02b67e8e5cdb3d80dc38736ec0f6378b6199a99d769aeded2c3460f548de8822d9): querying for 500 new channels 2022-06-09 03:30:24.002 [ERR] SRVR: Unable to connect to 027578e823ce91a00ef9576d3d24e0a21abfa3332ba186654730a0c8804cbb844b@173.249.48.168:9735: dial proxy failed: socks connect tcp 127.0.0.1:9052->173.249.48.168:9735: unknown error general SOCKS server failure 2022-06-09 03:30:26.233 [WRN] BTCN: Query(0) from peer nlr2mdf6abvsbgw7dgtez4u6undqqsdq7h3mdmbv6s2rmbngt65oyeqd.onion:8333 failed, rescheduling: did not get response before timeout 2022-06-09 03:30:30.234 [WRN] BTCN: Query(0) from peer nlr2mdf6abvsbgw7dgtez4u6undqqsdq7h3mdmbv6s2rmbngt65oyeqd.onion:8333 failed, rescheduling: did not get response before timeout 2022-06-09 03:30:32.945 [INF] SRVR: Established connection to: 027578e823ce91a00ef9576d3d24e0a21abfa3332ba186654730a0c8804cbb844b@ned4njr6bgdyuxdexi2fglhe2susdz4vlk6ko7u7hie64sjlet3revid.onion:9735 2022-06-09 03:30:32.945 [INF] SRVR: Finalizing connection to 027578e823ce91a00ef9576d3d24e0a21abfa3332ba186654730a0c8804cbb844b@ned4njr6bgdyuxdexi2fglhe2susdz4vlk6ko7u7hie64sjlet3revid.onion:9735, inbound=false 2022-06-09 03:30:35.615 [INF] PEER: Negotiated chan series queries with 027578e823ce91a00ef9576d3d24e0a21abfa3332ba186654730a0c8804cbb844b 2022-06-09 03:30:35.615 [INF] NTFN: New block epoch subscription 2022-06-09 03:30:35.615 [INF] DISC: Creating new GossipSyncer for peer=027578e823ce91a00ef9576d3d24e0a21abfa3332ba186654730a0c8804cbb844b 2022-06-09 03:30:37.071 [WRN] BTCN: Query(1) from peer 7iph33sxfyyv72zf62xh4ki4oflqb33iolrn5tecquldda2kezuk57qd.onion:8333 failed, rescheduling: did not get response before timeout 2022-06-09 03:30:38.235 [WRN] BTCN: Query(0) from peer nlr2mdf6abvsbgw7dgtez4u6undqqsdq7h3mdmbv6s2rmbngt65oyeqd.onion:8333 failed, rescheduling: did not get response before timeout 2022-06-09 03:30:41.071 [WRN] BTCN: Query(1) from peer 7iph33sxfyyv72zf62xh4ki4oflqb33iolrn5tecquldda2kezuk57qd.onion:8333 failed, rescheduling: did not get response before timeout 2022-06-09 03:30:45.146 [WRN] BTCN: Query(2) from peer f2uu2ppcs6i6d4xq7aogi3s7rtwkjhpyfsg7l5inq7iaa3tke5fh5cad.onion:8333 failed, rescheduling: did not get response before timeout 2022-06-09 03:30:46.347 [ERR] DISC: Unable to query bootstrapper BOLT-0010 DNS Seed: [[nodes.lightning.directory soa.nodes.lightning.directory] [lseed.bitcoinstats.com ]]: tor host is unreachable 2022-06-09 03:30:46.347 [INF] DISC: Attempting to bootstrap with: Authenticated Channel Graph 2022-06-09 03:30:46.354 [INF] DISC: Obtained 2 addrs to bootstrap network with 2022-06-09 03:30:49.073 [WRN] BTCN: Query(1) from peer 7iph33sxfyyv72zf62xh4ki4oflqb33iolrn5tecquldda2kezuk57qd.onion:8333 failed, rescheduling: did not get response before timeout 2022-06-09 03:30:49.073 [WRN] BTCN: Query(1) failed with error: did not get response before timeout. Timing out. 2022-06-09 03:30:49.148 [WRN] BTCN: Query(2) from peer f2uu2ppcs6i6d4xq7aogi3s7rtwkjhpyfsg7l5inq7iaa3tke5fh5cad.onion:8333 failed, rescheduling: did not get response before timeout 2022-06-09 03:30:49.148 [WRN] BTCN: Query(2) failed with error: did not get response before timeout. Timing out. 2022-06-09 03:30:51.189 [WRN] BTCN: Query(3) from peer 7iph33sxfyyv72zf62xh4ki4oflqb33iolrn5tecquldda2kezuk57qd.onion:8333 failed, rescheduling: did not get response before timeout 2022-06-09 03:30:51.189 [WRN] BTCN: Query(3) failed with error: did not get response before timeout. Timing out. 2022-06-09 03:30:52.761 [WRN] BTCN: Query(4) from peer 53h7mge4guchpwzdeg5dlizuiadmbxfqumsjnzlzktdyk5uzn6vxk7ad.onion:8333 failed, rescheduling: did not get response before timeout
And this continues in loop
N.B. - Before setting up the ipv4tables.sh firewall, the wallet has connected to the network and been set, and a wallet had funds in it, small amount, to prep channels. So this has connected before, but I have since been configuring tor, setting the hidden service on port 6969, with the goal of having a dedicated address as it is in "hostname" in the [HiddenServiceDir] on port 6969
I have tried so many configurations and it seems nothing is allowing inbound peer connections over tor. This includes separating the tor Socks proxy ports to 9050 and 9052 to avoid conflicting routing between bitcoind and lnd.
I have tried omitting the customer 6969 port in favor of only a 9735 port
I may be making error in the lnd.conf, where there isn't typically sufficient documentation describing every flag in the lnd.conf and how to utilize it correctly - This might be a helpful addition since I may have set some of this wrong
Otherwise, the wallet connected with tor.active=1 tor.streamisolation=true and tor.v3=true and has already made 3 channel peers since the firewall was put in place.
Changes since are the ipv4 script, settling restlisten=127.0.0.1:8081 because I will need a separate port for this from 8080, adding a second proxy listener on 9052, and adding tor.targetipaddress=127.0.0.1 which wasn't included beforehand.
I added tor.dns as noted above, and added tcp both in and out through the firewall script, since I noted the tcp on port 53 is used to do dns by lnd. Then of course set the default configuration here (hopefully properly)
listen localhost was more carefully located to localhost:9735 instead of just localhost, to designate the default port
externalip was previously an onion address the same as bitcoind, I have since separated the hidden service directory and port from any other uses of the service, so a new externalip was generated into hostname:6969 (I have tried setting this to 9735, with a goal of 6969 for added privacy
tor.privatekeypath was relocated, for added privacy
tor.control and tor.socks were explicitly designated and of course the socks port was changed to 9052
Actual behavior is all ports are actually working as intended, but lnd is not configured correctly to proxy with tor socks. Tor socks are working, but lnd cannot communicate with them correctly, or the hostname and port are not configured correctly. Something is otherwise blocking and's ability to accept inbound connections with tor proxy. I am not noticing yet but outbound are likely an issue also.
Thanks in advance.
Goals -
I will make a small final note, that if I can get this to pass properly, I would like to submit this ipv4 firewall script both to the original creator and to the lnd community for the purposes of assisting others in creating a firewall in their iptables.
Also the lnd.conf and bitcoin.conf configuration could be used for tor isolation of both nodes within that firewall. Of course there are still custom fittings here for anyone and everyone, but my hope is this will be a helpful script for a firewall, and a better standby in terms of creating added tor privacy of both nodes.
A goal here also is a persistent .onion address on a different port, so users could employ static hostnames for their nodes, on separate proxies, for each of bitcoin and lightning, using tor-only routing.
I will soon after be testing the go tor setup for DNS. Since my test purposes (included in the ipv4 script) will allow separate rest wallet ports and 8080 web content port. I think the the DNS SRV capability of resolving an A AAAA and SRV records has a lot of opportunity in such an environment as I am creating, to add on various http web content serving plugins (Zap, BTCPay, LnBits, etc) as well as hidden services on additional ports, which can proxy the web content, and then have the Go Tor DNS resolver turn it back into an A AAAA or SRV record.
My model of use would be to create a firewall remote point of extrapolated plugins/wallet interfaces that are all tor hidden, and the tor DNS routed, so a DNS record on any general use domain can point to a remote hidden server, inclusive of the plug-in interfaces or related web content.
My inputs would be to help create the firewall, configuration templates, and setup methods to model this solution. so other users could effectively create payment interfaces on nodes entirely on hidden service and tor. And routed back to a webpage with DNS, for pure privacy once an end customer hits a payment gateway.
Appreciate the input!