Allowing Session to Connect to Oxen nodes

Session is an open-source messaging app that is based on Oxen platform. Apart from good privacy, it is unique in at least one another way — you need to configure your firewall if you use some stricter rules.

When I first installed session-dektop, I could not really connect to the Oxen node, which was not really that suprising because my firewall is probably unnecessarily strict, so almost nothing works unless I pay some attention to creating some rules.

However, I also use good enough logging, so I could see messages like so:

Feb 18 22:00:12 base kernel: iptables output dropped: IN= OUT=eth0 SRC=172.21.3.61 DST=68.183.183.63 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21844 DF PROTO=TCP SPT=47128 DPT=22021 WINDOW=64240 RES=0x00 SYN URGP=0

Destination port 22021, interesting.

I looked up into the docs where they share a section about firewall configuration. That was what I needed.

The rest was just a couple of rules in iptables. I can create a new chain for that:

-N oxen
-A oxen -j LOG --log-level 7 --log-prefix "oxen-node: "
-A oxen -j ACCEPT

and send only traffic going to those ports to this new channel:

-A OUTPUT -p tcp -m multiport --dports 22020,22021,22022,22025 -j oxen
-A OUTPUT -p udp --dport 1090 -j oxen

That did it, so I had no more trouble connection to the Oxen node:

Session connected to Oxen node

I don’t think this is something many people will have to solve since, I assume, many people have allowed output traffic through with no restrictions by default but if someone needs it, it’s fairly easy because the Oxen platform seems to be well-documented and finding this was a matter of minutes.