* SYN packet "disappears"
From: Kevin @ 2017-04-27 5:21 UTC (permalink / raw)
To: netfilter
Hi,
I'm having trouble changing my iptables configuration to work with a new
NordVPN/OpenVPN.
In trying to diagnose the problem, I have saturated my firewall with "-j LOG"
rules. The problem is that the initial SYN packet to TCP port 22 seems to go
missing between the "nat prerouting" and the "mangle input" chains.
Messy details (config & log) are at the end of this email.
My question is: Where did my SYN packet go?
The initial portion of my firewall is as follows:
#!/bin/bash

IPT="/sbin/iptables"

$IPT -F
$IPT -X

for table in filter mangle nat raw security; do
  $IPT -F -t $table
  $IPT -X -t $table
done

$IPT -t filter --policy INPUT DROP
$IPT -t filter --policy FORWARD DROP
$IPT -t filter --policy OUTPUT DROP

$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy INPUT ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT

$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy INPUT ACCEPT
$IPT -t mangle --policy FORWARD ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT

$IPT -t raw --policy PREROUTING ACCEPT
$IPT -t raw --policy OUTPUT ACCEPT

$IPT -t security --policy INPUT ACCEPT
$IPT -t security --policy FORWARD ACCEPT
$IPT -t security --policy OUTPUT ACCEPT

$IPT -t filter -A INPUT -i tun+ -s 999.999.999.999 -p tcp --dport 22 -j LOG --log-prefix "ssh filter input tun: "
$IPT -t filter -A FORWARD -i tun+ -s 999.999.999.999 -p tcp --dport 22 -j LOG --log-prefix "ssh filter forward tun: "
$IPT -t filter -A OUTPUT -o tun+ -d 999.999.999.999 -p tcp --dport 22 -j LOG --log-prefix "ssh filter output tun: "

$IPT -t filter -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "ssh filter forward: "
$IPT -t filter -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh filter input: "
$IPT -t filter -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh filter output: "

$IPT -t mangle -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "ssh mangle forward: "
$IPT -t mangle -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh mangle input: "
$IPT -t mangle -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh mangle output: "
$IPT -t mangle -A POSTROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh mangle postrouting: "
$IPT -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh mangle prerouting: "

$IPT -t nat -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh nat prerouting: "
$IPT -t nat -A POSTROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh nat postrouting: "

$IPT -t raw -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh raw prerouting: "
$IPT -t raw -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh raw output: "

$IPT -t security -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh security input: "
$IPT -t security -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "ssh security forward: "
$IPT -t security -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh security output: "

$IPT -A INPUT -i tun+ -s 999.999.999.999 -j ACCEPT
$IPT -A FORWARD -i tun+ -s 999.999.999.999 -j ACCEPT
$IPT -A OUTPUT -o tun+ -d 999.999.999.999 -j ACCEPT
The resulting log entries are as follows (slightly edited for security):
ssh raw prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40283 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh mangle prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40283 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh nat prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40283 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

<then the following retry>

ssh raw prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40284 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh mangle prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40284 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh nat prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40284 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
... and so on.
Cheers,
Kevin
* Re: SYN packet "disappears"
From: Anton Danilov @ 2017-04-27 15:04 UTC (permalink / raw)
To: Kevin; +Cc: netfilter
Hello.
Could you provide the output of the 'iptables-save -c' command?
--
Anton.
* Re: SYN packet "disappears"
From: Noel Kuntze @ 2017-04-27 15:08 UTC (permalink / raw)
To: Kevin, netfilter
Am 27. April 2017 07:21:14 MESZ schrieb Kevin <kmg952@bigpond.com>:
>Hi,
>
>I'm having trouble changing my iptables configuration to work with a
>new
>NordVPN/OpenVPN.
>
>In trying to diagnose the problem, I have saturated my firewall with
>"-j LOG"
>rules. The problem is that the initial SYN packet to TCP port 22 seems
>to go
>missing between the "nat prerouting" and the "mangle input" chains.
That's where the routing decision is and the rp_filter. It likely drops the packets because they're martians. That's a good thing. Fix your routing on the host.
--
Sent from mobile
* Re: SYN packet "disappears"
From: Kevin @ 2017-04-27 23:15 UTC (permalink / raw)
To: netfilter
On Friday, 28 April 2017 1:08:27 AM AEST Noel Kuntze wrote:
> Am 27. April 2017 07:21:14 MESZ schrieb Kevin <kmg952@bigpond.com>:
> >Hi,
> >
> >I'm having trouble changing my iptables configuration to work with a
> >new
> >NordVPN/OpenVPN.
> >
> >In trying to diagnose the problem, I have saturated my firewall with
> >"-j LOG"
> >rules. The problem is that the initial SYN packet to TCP port 22 seems
> >to go
> >missing between the "nat prerouting" and the "mangle input" chains.
>
> That's where the routing decision is and the rp_filter. It likely drops the
> packets because they're martians. That's a good thing. Fix your routing on
> the host.
That was the problem! I was not aware of rp_filter. As I'm running Fedora, I've
echoed 2 to the relevant /proc rp_filter files.
Sadly, that hasn't solved my initial problem - but that's not an iptables
problem.
Thanks for your help - all I needed was that one keyword.
Kevin
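Added example (not part of the thread, and not netfilter or kernel code): a small Python model of the path Kevin's LOG rules cover, with the reverse-path check placed where Noel says the packet is lost, at the routing decision between nat PREROUTING and the INPUT hooks. The routing table, the host's addresses and the peer 203.0.113.7 are constructed for the illustration (a default route moved onto tun0 by the VPN, the LAN left on wlan); the check itself follows the documented meaning of rp_filter values 0, 1 and 2, so it shows why the SYN is logged by the three PREROUTING chains and by nothing else under strict mode (1), and reaches mangle INPUT after Kevin's change to loose mode (2).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str  # destination prefix, e.g. "192.168.0.0/24"; "0.0.0.0/0" is the default route
    dev: str     # interface the route leaves through


# Constructed routing table (assumed, not taken from Kevin's host): OpenVPN has
# moved the default route onto tun0, the LAN stays on wlan, and the VPN server
# itself (constructed address) is still reached directly over wlan.
TABLE = [
    Route("0.0.0.0/0", "tun0"),
    Route("10.8.0.0/24", "tun0"),
    Route("192.168.0.0/24", "wlan"),
    Route("198.51.100.10/32", "wlan"),
]

# Constructed local addresses: the DST from Kevin's log plus an assumed tun0 address.
LOCAL_ADDRS = {"192.168.0.20", "10.8.0.6"}

# Hooks in traversal order for a packet arriving from the wire.
PREROUTING_HOOKS = ["raw PREROUTING", "mangle PREROUTING", "nat PREROUTING"]
INPUT_HOOKS = ["mangle INPUT", "filter INPUT"]
FORWARD_HOOKS = ["mangle FORWARD", "filter FORWARD", "mangle POSTROUTING", "nat POSTROUTING"]


def lookup(table, addr):
    """Longest-prefix match: the interface a packet *to* addr would leave through."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(r.prefix).prefixlen, r.dev)
               for r in table if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0])[1]


def reverse_path_ok(table, iif, src, mode):
    """The rp_filter check made at the routing decision.
    mode 0: no source validation.
    mode 1 (strict): the best route back to src must leave through iif.
    mode 2 (loose): src only has to be reachable through some interface."""
    if mode == 0:
        return True
    back = lookup(table, src)
    if back is None:
        return False          # unreachable source: a martian in both modes
    if mode == 2:
        return True
    return back == iif


def trace_incoming(table, iif, src, dst, mode, local_addrs=LOCAL_ADDRS):
    """Return the hooks an inbound packet visits. The reverse-path check is part
    of the routing decision, so a failing packet is logged by the PREROUTING
    chains and by nothing afterwards, which is exactly the gap in Kevin's log."""
    visited = list(PREROUTING_HOOKS)
    if not reverse_path_ok(table, iif, src, mode):
        visited.append(f"DROP: martian source {src} on {iif} "
                       f"(reverse path is via {lookup(table, src)})")
        return visited
    if dst in local_addrs:
        return visited + INPUT_HOOKS
    return visited + FORWARD_HOOKS


def main():
    src, dst = "203.0.113.7", "192.168.0.20"   # constructed peer; DST from the log
    for mode in (1, 2):
        print(f"rp_filter={mode}, SYN from {src} arriving on wlan for {dst}:")
        for step in trace_incoming(TABLE, "wlan", src, dst, mode):
            print("   ", step)


if __name__ == "__main__":
    main()
```

Running it prints both traces. On a real host the equivalent inspection is `sysctl net.ipv4.conf.all.rp_filter` (and the per-interface entries under net.ipv4.conf.*) together with `ip route get <src>` compared against the interface the packet arrived on; setting `net.ipv4.conf.all.log_martians=1` makes the kernel log each such drop instead of leaving the silent gap Kevin saw. Loose mode (2) is the usual answer when the VPN makes routing asymmetric, but it only checks that the source is routable at all, so strict mode remains the stronger anti-spoofing setting on interfaces whose routing is symmetric.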
* Re: SYN packet "disappears"
From: Robert White @ 2017-04-28 1:00 UTC (permalink / raw)
To: Kevin, netfilter
On 04/27/17 05:21, Kevin wrote:
> (... DROP rules and a tun+ device but virtually no rules that ACCEPT the packet so it can get into the tun+ device ...)
So you've got these policies...
> $IPT -t filter --policy INPUT DROP
> $IPT -t filter --policy FORWARD DROP
> $IPT -t filter --policy OUTPUT DROP
And you've got these post TUN/TAP decode rules
> $IPT -A INPUT -i tun+ -s 999.999.999.999 -j ACCEPT
> $IPT -A FORWARD -i tun+ -s 999.999.999.999 -j ACCEPT
> $IPT -A OUTPUT -o tun+ -d 999.999.999.999 -j ACCEPT
But you've got no
$IPT -A INPUT -i ethX (Whatever the tunnel needs) -j ACCEPT
So it's virtually impossible to see what you are doing with all these
logs, but those first three policy DROP rules pretty much mean that
you'll never get any packets as far as the TUN/TAP driver.
Without some rules to ACCEPT the tunnel traffic, the
tunnel driver never sees the packet to decode it for the later tunnel rules.
That tunnel allowance rule may need to be on both INPUT and OUTPUT, it
should list the --proto NN for the tunnel protocol, the remote and local
ip addresses of the tunnel participants in source and destination
(remember to reverse these for OUTPUT compared to INPUT).
You are also going to want an established/related rule at the head of
input and output.
Some tunnels need more than one protocol number (so more than one rule)
and some have parallel protocols for security.
But basically you've been explicitly dropping the packets with your
policies.
--Rob.
* Re: SYN packet "disappears"
From: Kevin @ 2017-04-28 2:55 UTC (permalink / raw)
To: netfilter
On Friday, 28 April 2017 11:00:57 AM AEST Robert White wrote:
> On 04/27/17 05:21, Kevin wrote:
> > (... DROP rules and a tun+ device but virtually no rules that ACCEPT the
> > packet so it can get into the tun+ device ...)
> So you've got these policies...
>
> > $IPT -t filter --policy INPUT DROP
> > $IPT -t filter --policy FORWARD DROP
> > $IPT -t filter --policy OUTPUT DROP
>
> And you've got these post TUN/TAP decode rules
>
> > $IPT -A INPUT -i tun+ -s 999.999.999.999 -j ACCEPT
> > $IPT -A FORWARD -i tun+ -s 999.999.999.999 -j ACCEPT
> > $IPT -A OUTPUT -o tun+ -d 999.999.999.999 -j ACCEPT
>
> But you've got no
>
> $IPT -A INPUT -i ethX (Whatever the tunnel needs) -j ACCEPT
As I indicated in my original message, the rules I included were only the
initial rules in my configuration. My question was not so much why my VPN was
not working as expected but what happened to the packet. Why were there no log
entries on the mangle and filter input chains?
As per my previous message, that has been explained. I did not know about the
rp-filter mechanism. Those expected log entries now appear.
And, for the record, I did try with all chain policies as ACCEPT.
Cheers,
Kevin