On 03/12/2018 09:49, Michael Orlitzky wrote: |
> On 12/3/18 5:55 AM, Andrew Udvare wrote: |
>> |
>> iptables on server: |
>> -A FORWARD -s 10.100.0.0/24 -i tun0 -o enp1s0f0 -m conntrack --ctstate |
>> NEW -j ACCEPT |
>> |
> |
> Is that only forwarding packets for new (i.e. not existing) connections? |
|
Not sure, but I do have a rule using --ctstate ESTABLISHED,RELATED
like yours. I even got rid of the interface argument in case that's a
problem. The box is a router and has 2 NICs going, one for WAN and one |
for LAN: enp1s0f0 is the internet (WAN) side, and enp1s0f1 serves 192.168.1.0/24
|
When I'm connected to the VPN and I'm definitely not on my network, I |
can do things like `ssh 192.168.1.xxx` and it works. And HTTP works too. |
It's only port 53 that I am having trouble with. |
|
dnsmasq (listening only on enp1s0f1, 192 address) gets the request from |
the tun0 interface, which seems to route correctly to the 192 address. |
The response that dnsmasq (presumably) generates does not get routed back to
the originating IP.
|
Happy to provide any other configuration details and packet dumps if it |
helps. |
|
Full iptables rules (I use a script to reset to a sane state; suggestions welcome):
|
-P INPUT DROP |
-P FORWARD DROP |
-P OUTPUT ACCEPT |
-N DOCKER |
-N DOCKER-ISOLATION-STAGE-1 |
-N DOCKER-ISOLATION-STAGE-2 |
-N DOCKER-USER |
-N SCANS |
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state |
--state NEW -j DROP |
-A INPUT -f -j DROP |
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG |
FIN,SYN,RST,PSH,ACK,URG -j DROP |
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP |
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set |
--name BLACKLIST --mask 255.255.255.255 --rsource |
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent |
--update --seconds 10 --hitcount 10 --rttl --name BLACKLIST --mask |
255.255.255.255 --rsource -j DROP |
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
-A INPUT -m conntrack --ctstate INVALID -j DROP |
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED |
-j ACCEPT |
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED |
-j ACCEPT |
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate |
NEW,ESTABLISHED -j ACCEPT |
-A INPUT -p tcp -m tcp --dport 9222 -m conntrack --ctstate |
NEW,ESTABLISHED -j ACCEPT |
-A INPUT -p udp -m udp --dport 67 -m conntrack --ctstate NEW,ESTABLISHED |
-j ACCEPT |
-A INPUT -p udp -m udp --dport 68 -m conntrack --ctstate NEW,ESTABLISHED |
-j ACCEPT |
-A INPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED |
-j ACCEPT |
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT |
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with |
icmp-port-unreachable |
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 3306 -m conntrack |
--ctstate NEW,ESTABLISHED -j ACCEPT |
-A INPUT -s 192.168.1.0/24 -p udp -m conntrack --ctstate NEW,ESTABLISHED |
-m udp --dport 137 -j ACCEPT |
-A INPUT -s 192.168.1.0/24 -p udp -m conntrack --ctstate NEW,ESTABLISHED |
-m udp --dport 138 -j ACCEPT |
-A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED |
-m tcp --dport 139 -j ACCEPT |
-A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED |
-m tcp --dport 445 -j ACCEPT |
-A INPUT -p tcp -m tcp --dport 4242 -m conntrack --ctstate |
NEW,ESTABLISHED -j ACCEPT |
-A INPUT -s 192.168.1.0/24 -i enp1s0f1 -p udp -m udp --dport 5353 -m |
conntrack --ctstate NEW,ESTABLISHED -j ACCEPT |
-A INPUT -p udp -m udp --dport 12112 -m conntrack --ctstate |
NEW,ESTABLISHED -j ACCEPT |
-A INPUT -s 205.171.2.64/32 -p ipv6 -j ACCEPT |
-A INPUT -i lo -j ACCEPT |
-A FORWARD -j DOCKER-USER |
-A FORWARD -j DOCKER-ISOLATION-STAGE-1 |
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
-A FORWARD -o docker0 -j DOCKER |
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT |
-A FORWARD -i docker0 -o docker0 -j ACCEPT |
-A FORWARD -i enp1s0f1 -j ACCEPT |
-A FORWARD -i enp2s0 -j ACCEPT |
-A FORWARD -i enp1s0f0 -j ACCEPT |
-A FORWARD -i br0 -j ACCEPT |
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
-A FORWARD -s 10.100.0.0/24 -j ACCEPT |
-A FORWARD -i tun0 -j ACCEPT |
-A OUTPUT -o lo -j ACCEPT |
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j |
DOCKER-ISOLATION-STAGE-2 |
-A DOCKER-ISOLATION-STAGE-1 -j RETURN |
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP |
-A DOCKER-ISOLATION-STAGE-2 -j RETURN |
-A DOCKER-USER -j RETURN |
-A SCANS -p tcp -m tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP |
-A SCANS -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG |
FIN,SYN,RST,PSH,ACK,URG -j DROP |
-A SCANS -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP |
-A SCANS -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP |
|
iptables -t nat --list-rules:
|
-P PREROUTING ACCEPT |
-P INPUT ACCEPT |
-P OUTPUT ACCEPT |
-P POSTROUTING ACCEPT |
-N DOCKER |
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER |
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER |
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE |
-A POSTROUTING -s 10.100.0.0/24 -j MASQUERADE |
-A POSTROUTING -j MASQUERADE |
-A DOCKER -i docker0 -j RETURN |
|
-- |
Andrew |