From: J Webster <jw.jwebster@gmail.com>
To: "Rob Sterenborg (lists)" <lists@sterenborg.info>,
	netfilter@vger.kernel.org
Subject: Re: masquerade error
Date: Fri, 14 Oct 2011 12:45:01 +0100	[thread overview]
Message-ID: <4E9820BD.7030503@googlemail.com> (raw)
In-Reply-To: <1318588039.3179.16.camel@ns014530.dcyb.net>

Thanks - I will swap those around for the moment and try some things.
For reference, in case there are any obvious problems, my ifconfig,
route, iptables, and openvpn.conf output are below:

[B]IFCONFIG:[/B]
[root@vps8259 ~]# ifconfig
lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:319 errors:0 dropped:0 overruns:0 frame:0
           TX packets:319 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:39513 (38.5 KiB)  TX bytes:39513 (38.5 KiB)

tun0      Link encap:UNSPEC  HWaddr 
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:172.16.0.1  P-t-P:172.16.0.2  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1460  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun1      Link encap:UNSPEC  HWaddr 
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

venet0    Link encap:UNSPEC  HWaddr 
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  
Mask:255.255.255.255
           UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
           RX packets:147594 errors:0 dropped:0 overruns:0 frame:0
           TX packets:148686 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:89417786 (85.2 MiB)  TX bytes:82468044 (78.6 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:192.xxx.xx.xx  P-t-P:192.xxx.xx.xx  
Bcast:192.xxx.xx.xx  Mask:255.255.255.255
           UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1


[B]OPENVPN.CONF[/B] (there is also a UDP instance, but one thing at a time; only the TCP config is shown)

# OpenVPN server instance on TCP/1194 (the '# NOTE(review)' lines are reviewer annotations).
port 1194
proto tcp
dev tun
# NOTE(review): CRL checking is disabled; a revoked client certificate is still accepted
# until this line is re-enabled.
;crl-verify /etc/openvpn/easy-rsa/crl.pem
client-config-dir /etc/openvpn/ccd
ca /etc/openvpn/easy-rsa/ca.crt
cert /etc/openvpn/easy-rsa/ovpnsrv1.crt
key /etc/openvpn/easy-rsa/ovpnsrv1.key
# NOTE(review): 1024-bit DH parameters are below current minimum recommendations (2048+).
# No tls-auth/tls-crypt key is listed either, so the TLS control channel is reachable by
# unauthenticated clients — confirm this is intended.
dh /etc/openvpn/easy-rsa/dh1024.pem
# Hands out 172.16.0.0/24; matches tun0 (172.16.0.1 / 172.16.0.2) in the ifconfig output.
server 172.16.0.0 255.255.255.0
# Clients send ALL their traffic through the tunnel, so this host must forward and
# source-NAT 172.16.0.0/24 out of venet0. The iptables dump below has no POSTROUTING
# rule in the nat table doing that, which is presumably the "masquerade error".
push "redirect-gateway"
push "dhcp-option DNS 213.171.192.249"
push "dhcp-option DNS 213.171.192.245"
ifconfig-pool-persist ipp.txt
keepalive 10 120
# NOTE(review): compression inside a TLS tunnel exposes client traffic to
# compression-oracle attacks (VORACLE); consider removing comp-lzo.
comp-lzo
# Privilege drop after start-up. 'users' is a real login group; the conventional
# choice is 'nogroup'/'nobody' — verify nothing relies on group 'users'.
user nobody
group users
# Matches MTU:1460 on tun0 in the ifconfig output.
tun-mtu 1460
persist-key
persist-tun
status openvpn-status.log
verb 3
;duplicate-cn # (this means several users can use the same key)
log /var/log/openvpn.log


[B]IPTABLES[/B]

# Generated by iptables-save v1.3.5 on Fri Sep 16 04:59:49 2011
*mangle
:PREROUTING ACCEPT [19588:10233482]
:INPUT ACCEPT [19588:10233482]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18858:10334564]
# NOTE(review): SNAT is only a valid target in the *nat table. Even uncommented, these
# two rules would be rejected by iptables-restore here in *mangle; they belong under
# *nat POSTROUTING (see the empty nat table below). The split lines are presumably
# mailer wrapping — each rule is a single line in the saved file.
#-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o venet0 -j SNAT --to-source 
192.xxx.xx.xx
#-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o venet0 -j SNAT 
--to-source 192.xxx.xx.xx
:POSTROUTING ACCEPT [18858:10334564]
COMMIT
# Completed on Fri Sep 16 04:59:49 2011
# Generated by iptables-save v1.3.5 on Fri Sep 16 04:59:49 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18851:10333352]
:RH-Firewall-1-INPUT - [0:0]
# NOTE(review): INPUT and FORWARD share one chain that ends in REJECT, so traffic
# forwarded from the VPN clients (tun0/tun1) towards venet0 is only allowed to the
# destination ports listed below; with redirect-gateway pushed, everything else a
# client sends through the tunnel is rejected here. A dedicated forwarding rule, e.g.
#   -A FORWARD -i tun+ -o venet0 -j ACCEPT
# (the RELATED,ESTABLISHED rule below already covers the return path), is the usual shape.
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# None of the port rules below is bound to an interface, so each port is open from
# venet0 (the internet) and from the tunnels alike. Intended for 1194; worth checking
# for 20/21 (FTP), 8002 and 9001. Split lines are presumably mailer wrapping.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j 
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j 
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j 
ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j 
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j 
ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -m state --state NEW -j 
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8002 -m state --state NEW 
-j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9001 -m state --state NEW 
-j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j 
ACCEPT
# RELATED,ESTABLISHED is already accepted above; the extra states here are redundant.
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -m state --state 
NEW,RELATED,ESTABLISHED -j ACCEPT
# These omit '--state NEW'; harmless, but inconsistent with the rules above.
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Both OpenVPN transports are open; the openvpn.conf shown runs only the TCP one.
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Sep 16 04:59:49 2011
# Generated by iptables-save v1.3.5 on Fri Sep 16 04:59:49 2011
*nat
:PREROUTING ACCEPT [1234:59200]
:POSTROUTING ACCEPT [338:21268]
:OUTPUT ACCEPT [338:21268]
# NOTE(review): POSTROUTING is empty, so nothing rewrites the source address of packets
# the VPN clients (172.16.0.0/24 on tun0, 10.8.0.0/24 on tun1) send out via venet0.
# With redirect-gateway pushed in openvpn.conf, those packets leave with a private
# source address and replies never return. This is the table the commented-out SNAT
# rules under *mangle belong in, e.g.:
#   -A POSTROUTING -s 172.16.0.0/24 -o venet0 -j SNAT --to-source <venet0:0 address>
#   -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source <venet0:0 address>
# SNAT to the fixed venet0:0 address also avoids depending on the MASQUERADE target,
# which may not be available inside an OpenVZ container (venet0 suggests one).
# net.ipv4.ip_forward=1 is required as well and is not shown in this listing.
COMMIT
# Completed on Fri Sep 16 04:59:49 2011


[B]ROUTE[/B]

[root@vps8259 openvpn]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use 
Iface
172.16.0.2      *               255.255.255.255 UH    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun1
172.16.0.0      172.16.0.2      255.255.255.0   UG    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun1
192.0.2.0       *               255.255.255.0   U     0      0        0 
venet0
169.254.0.0     *               255.255.0.0     U     0      0        0 
venet0
default         192.0.2.1       0.0.0.0         UG    0      0        0 
venet0

