Gentoo Archives: gentoo-user

From: Andrew Udvare <audvare@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Routing issue with OpenVPN and internal DNS
Date: Tue, 04 Dec 2018 02:27:09
Message-Id: 151fe200-8d2f-beec-170a-2be7b70f9dd3@gmail.com
In Reply to: Re: [gentoo-user] Routing issue with OpenVPN and internal DNS by Michael Orlitzky
On 03/12/2018 09:49, Michael Orlitzky wrote:
> On 12/3/18 5:55 AM, Andrew Udvare wrote:
>>
>> iptables on server:
>> -A FORWARD -s 10.100.0.0/24 -i tun0 -o enp1s0f0 -m conntrack --ctstate NEW -j ACCEPT
>>
>
> Is that only forwarding packets for new (i.e. not existing) connections?

Not sure, but I do have a rule using --ctstate ESTABLISHED,RELATED
like yours. I even got rid of the interface argument in case that's a
problem. The box is a router and has 2 NICs going, one for WAN and one
for LAN: enp1s0f0 is the internet, and enp1s0f1 is for 192.168.1.0/24.

When I'm connected to the VPN and I'm definitely not on my network, I
can do things like `ssh 192.168.1.xxx` and it works. And HTTP works too.
It's only port 53 that I am having trouble with.

dnsmasq (listening only on enp1s0f1, 192 address) gets the request from
the tun0 interface, which seems to route correctly to the 192 address.
The response that dnsmasq creates (presumably) does not route back to
the originating IP.

Happy to provide any other configuration details and packet dumps if it
helps.

Full iptables (I use a script to reset to a sane state, suggestions welcome):

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N SCANS
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLACKLIST --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 --rttl --name BLACKLIST --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m conntrack --ctstate NEW,ESTABLISHED -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m conntrack --ctstate NEW,ESTABLISHED -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4242 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i enp1s0f1 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 12112 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 205.171.2.64/32 -p ipv6 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i enp1s0f1 -j ACCEPT
-A FORWARD -i enp2s0 -j ACCEPT
-A FORWARD -i enp1s0f0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.100.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A SCANS -p tcp -m tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP
-A SCANS -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A SCANS -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A SCANS -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -nat --list-rules:

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A DOCKER -i docker0 -j RETURN

--
Andrew
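Added illustration, not part of Andrew's message or of any reply in the thread: a small first-match evaluator over a constructed subset of the filter rules posted above, so a reader can see which rule the INPUT and FORWARD chains would apply to a DNS query arriving on tun0, to mDNS from the same client, or to a TCP segment claiming NEW without SYN. It models only the filter table on a simplified packet (source, protocol, port, ingress interface, conntrack state); it does not model routing, the nat table or which address dnsmasq binds to, which are exactly the parts the rules alone do not determine. The Packet fields, the TESTS table and the sample addresses (10.100.0.2, 203.0.113.9) are assumptions of this example.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed subset of the rules posted above (wrapped lines joined); the
# Docker, recent-module and SCANS rules are left out to keep the example short.
RULES_TEXT = """
-P INPUT DROP
-P FORWARD DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i enp1s0f1 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.100.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
"""

@dataclass
class Packet:  # simplified packet model (assumption of this example)
    src: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: int
    in_iface: str
    ctstate: str = "NEW"   # state conntrack would assign: NEW, ESTABLISHED, RELATED, INVALID
    syn_only: bool = True  # tcp only: True for a bare SYN, False for an ACK-bearing segment
    fragment: bool = False

@dataclass
class Rule:
    chain: str
    text: str
    target: str = ""
    tests: list = field(default_factory=list)  # (option, negated, args)

# Matches this evaluator understands, with their argument counts. "-m" is parsed
# only to skip the module name; any option not listed here is ignored.
TESTS = {"-p": 1, "-s": 1, "-i": 1, "--dport": 1, "--ctstate": 1,
         "--state": 1, "--tcp-flags": 2, "-f": 0}
ARGC = {**TESTS, "-m": 1, "-j": 1}

def parse(text):
    """Turn iptables --list-rules output into chain policies and ordered Rules."""
    policies, rules = {}, []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        rule, i, neg = Rule(chain=tok[1], text=line), 2, False
        while i < len(tok):
            opt, n = tok[i], ARGC.get(tok[i], 0)
            args = tok[i + 1:i + 1 + n]
            if opt == "!":
                neg = True            # applies to the next match option
            elif opt == "-j":
                rule.target = args[0]
            elif opt in TESTS:
                rule.tests.append((opt, neg, args))
                neg = False
            i += 1 + n
        rules.append(rule)
    return policies, rules

def matches(rule, pkt):
    """Every match option of the rule must hold (honouring '!' negation)."""
    for opt, neg, args in rule.tests:
        if opt == "-p":
            ok = pkt.proto == args[0]
        elif opt == "-s":
            ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(args[0], strict=False)
        elif opt == "-i":
            ok = pkt.in_iface == args[0]
        elif opt == "--dport":
            ok = pkt.proto in ("tcp", "udp") and pkt.dport == int(args[0])
        elif opt in ("--ctstate", "--state"):
            ok = pkt.ctstate in args[0].split(",")
        elif opt == "--tcp-flags":   # args: mask, flags that must be set within the mask
            mask, comp = (set(a.split(",")) for a in args)
            comp = set() if comp == {"NONE"} else comp
            flags = {"SYN"} if pkt.syn_only else {"ACK"}
            ok = pkt.proto == "tcp" and (flags & mask) == comp
        else:                        # "-f": second or further fragment
            ok = pkt.fragment
        if ok == neg:  # a plain test that failed, or a negated test that matched
            return False
    return True

POLICIES, RULES = parse(RULES_TEXT)

def decide(chain, pkt):
    """First-match walk of one chain; returns (verdict, matching rule text or None)."""
    for rule in (r for r in RULES if r.chain == chain):
        if matches(rule, pkt):
            return rule.target, rule.text
    return POLICIES.get(chain, "ACCEPT"), None

if __name__ == "__main__":
    cases = {
        "DNS query from a VPN client to dnsmasq": ("INPUT", Packet("10.100.0.2", "udp", 53, "tun0")),
        "mDNS from a VPN client": ("INPUT", Packet("10.100.0.2", "udp", 5353, "tun0")),
        "ssh from a VPN client to a LAN host": ("FORWARD", Packet("10.100.0.2", "tcp", 22, "tun0")),
        "TCP NEW without SYN from the WAN": ("INPUT", Packet("203.0.113.9", "tcp", 80, "enp1s0f0", syn_only=False)),
    }
    for label, (chain, pkt) in cases.items():
        verdict, rule = decide(chain, pkt)
        print(f"{label}: {chain} -> {verdict} via {rule or 'chain policy'}")
```

Run as a script it prints one line per case; the DNS query is accepted by the port 53 rule regardless of ingress interface, while mDNS from tun0 falls through to the DROP policy because the 5353 rule is restricted to enp1s0f1 and 192.168.1.0/24. The reply dnsmasq sends leaves through OUTPUT, whose policy is ACCEPT, so this filter walk cannot by itself explain a missing response; that is where a packet capture on tun0 and enp1s0f1 earns its keep.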

Attachments: signature.asc (application/pgp-signature)

Replies:
Re: [gentoo-user] Routing issue with OpenVPN and internal DNS, by Bill Kenworthy <billk@×××××××××.au>
[gentoo-user] Routing issue with OpenVPN and internal DNS, by Bill Kenworthy <billk@×××××××××.au>