On 03/12/2018 09:49, Michael Orlitzky wrote:
> On 12/3/18 5:55 AM, Andrew Udvare wrote:
>>
>> iptables on server:
>> -A FORWARD -s 10.100.0.0/24 -i tun0 -o enp1s0f0 -m conntrack --ctstate NEW -j ACCEPT
>>
> 
> Is that only forwarding packets for new (i.e. not existing) connections?

Not sure, but I do have a rule using --ctstate ESTABLISHED,RELATED
like yours. I even got rid of the interface argument in case that's a
problem. The box is a router and has 2 NICs going, one for WAN and one
for LAN: enp1s0f0 is the internet side, and enp1s0f1 is for 192.168.1.0/24.

When I'm connected to the VPN and I'm definitely not on my network, I
can do things like `ssh 192.168.1.xxx` and it works. And HTTP works too.
It's only port 53 that I am having trouble with.

dnsmasq (listening only on enp1s0f1, 192 address) gets the request from
the tun0 interface, which seems to route correctly to the 192 address.
The response that dnsmasq creates (presumably) does not route back to
the originating IP.

Happy to provide any other configuration details and packet dumps if it
helps.

Full iptables (I use a script to reset to sane state, suggestions welcome):

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N SCANS
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLACKLIST --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 --rttl --name BLACKLIST --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m conntrack --ctstate NEW,ESTABLISHED -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m conntrack --ctstate NEW,ESTABLISHED -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4242 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i enp1s0f1 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 12112 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 205.171.2.64/32 -p ipv6 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i enp1s0f1 -j ACCEPT
-A FORWARD -i enp2s0 -j ACCEPT
-A FORWARD -i enp1s0f0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.100.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A SCANS -p tcp -m tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP
-A SCANS -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A SCANS -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A SCANS -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -nat --list-rules:

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A DOCKER -i docker0 -j RETURN

-- 
Andrew
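Added here as an example, not code from the thread or from the poster: a small Python audit of an `iptables -S` dump, run over rules constructed from a subset of the ones posted above (wrapped lines joined). It flags what a reviewer would raise from the posted set: FORWARD accepts every packet arriving on enp1s0f0, which the mail identifies as the WAN side; the UDP 53 accept in INPUT carries no interface or source restriction even though dnsmasq is meant to serve only enp1s0f1; and the final POSTROUTING rule masquerades unconditionally. It also reports rules shadowed by an earlier, broader terminating rule; as the constructed case, the FORWARD rule quoted at the top of the thread is placed after the blanket `-s 10.100.0.0/24` accept, where it can never fire. The parser, the check functions, `audit` and the `wan_ifaces` parameter are all mine, and the parser only understands the handful of options listed in `VALUE_OPTS`.

```python
"""Audit an `iptables -S` dump for exposure and rule-ordering problems.

Added example, not code from the thread. The dumps below are constructed
from a subset of the posted rules; the FORWARD rule quoted at the top of
the thread is appended after the blanket -s 10.100.0.0/24 accept so the
shadow check has something to report.
"""
import shlex
from dataclasses import dataclass, field

FILTER_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i enp1s0f1 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i enp1s0f1 -j ACCEPT
-A FORWARD -i enp1s0f0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.100.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.100.0.0/24 -i tun0 -o enp1s0f0 -m conntrack --ctstate NEW -j ACCEPT
"""
NAT_DUMP = """\
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
"""

# Single-value options recorded as match criteria (--state and --ctstate merged).
VALUE_OPTS = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-p": "proto",
              "--dport": "dport", "--ctstate": "state", "--state": "state"}
TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE"}

@dataclass
class Rule:
    chain: str
    target: str = ""
    matches: dict = field(default_factory=dict)  # key -> ("" or "!", value)
    raw: str = ""

def parse_dump(dump):
    """Parse the -A lines of a dump; -P/-N lines carry no criteria. Options not
    in VALUE_OPTS (e.g. --tcp-flags, --reject-with) are skipped, not modelled."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule, negate, i = Rule(chain=toks[1], raw=line), False, 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":
                negate = True
            elif tok == "-j":
                rule.target, i = toks[i + 1], i + 1
            elif tok == "-m":
                i += 1  # skip the match-module name; its options follow
            elif tok in VALUE_OPTS:
                key, val = VALUE_OPTS[tok], toks[i + 1]
                if key == "state":
                    val = frozenset(val.split(","))
                rule.matches[key] = ("!" if negate else "", val)
                negate, i = False, i + 1
            i += 1
        rules.append(rule)
    return rules

def blanket_interface_accepts(rules, chain="FORWARD"):
    """Interfaces from which `chain` accepts every packet with no other criterion."""
    return [r.matches["in"][1] for r in rules if r.chain == chain and r.target == "ACCEPT"
            and set(r.matches) == {"in"} and r.matches["in"][0] == ""]

def unrestricted_services(rules, chain="INPUT"):
    """(proto, port) accepts with no -i or -s restriction: reachable from every interface."""
    return [(r.matches["proto"][1], r.matches["dport"][1]) for r in rules
            if r.chain == chain and r.target == "ACCEPT" and "dport" in r.matches
            and not {"in", "src"} & set(r.matches)]

def unconditional_targets(rules, target):
    """Rules jumping to `target` with no criteria at all (e.g. a blanket MASQUERADE)."""
    return [r.raw for r in rules if r.target == target and not r.matches]

def shadowed_rules(rules):
    # (later, earlier) pairs: every packet matching `later` already hit the
    # terminating `earlier` rule in the same chain, so `later` never fires.
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.chain == later.chain and earlier.target in TERMINAL
                    and earlier.matches.items() <= later.matches.items()):
                found.append((later.raw, earlier.raw))
                break
    return found

def audit(filter_dump=FILTER_DUMP, nat_dump=NAT_DUMP, wan_ifaces=("enp1s0f0",)):
    """Run every check; `wan_ifaces` defaults to the WAN side named in the mail."""
    flt, nat = parse_dump(filter_dump), parse_dump(nat_dump)
    blanket = blanket_interface_accepts(flt)
    return {
        "forward_all_from": blanket,
        "forward_all_from_wan": [i for i in blanket if i in wan_ifaces],
        "services_open_on_all_interfaces": unrestricted_services(flt),
        "unconditional_masquerade": unconditional_targets(nat, "MASQUERADE"),
        "shadowed": shadowed_rules(flt),
    }

if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Feed it a real dump with `audit(open("filter.txt").read(), open("nat.txt").read())` after saving `iptables -S` and `iptables -t nat -S` output. The shadow test is deliberately conservative: it treats a state set as covering only an identical state set, so it reports fewer shadows rather than false ones.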