Help with iptables && tinc
Guillermo Bisheimer
gbisheimer at bys-control.com.ar
Mon Jan 30 15:43:27 CET 2017
Can you post your Tinc configuration too?
On Mon, 30 Jan 2017 at 11:42, Dave Albert (<dave.albert at gmail.com>)
wrote:
> Here is an extract of my current iptables that are not working:
>
> iptables -L -n -v
>
> Chain INPUT (policy DROP 8 packets, 1120 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- lo * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
> 0 0 ACCEPT udp -- lo * 0.0.0.0/0 0.0.0.0/0 udp dpt:3306
> 0 0 NRPE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5666
> 0 0 ACCEPT icmp -- * * x.x.x.x 0.0.0.0/0 icmptype 8
> 0 0 ACCEPT icmp -- * * 127.0.0.1 0.0.0.0/0 icmptype 8
> 0 0 ACCEPT icmp -- * * 10.0.3.0/24 0.0.0.0/0 icmptype 8
> 0 0 ACCEPT tcp -- * * 10.0.3.0/24 0.0.0.0/0
> 0 0 ACCEPT udp -- * * 10.0.3.0/24 0.0.0.0/0
> 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
> 0 0 ACCEPT icmp -- * * x.x.x.x 0.0.0.0/0 icmptype 8
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:5666
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
> 192 13741 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 state NEW,ESTABLISHED
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
> 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- docker0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:53
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 limit: avg 25/min burst 100
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:123
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:2222 state ESTABLISHED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:655 state NEW,ESTABLISHED
> 6 8976 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:655 state NEW,ESTABLISHED
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state ESTABLISHED
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- * docker0 0.0.0.0/0 172.17.0.0/16 ctstate RELATED,ESTABLISHED
> 0 0 ACCEPT all -- docker0 * 172.17.0.0/16 0.0.0.0/0
> 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 NRPE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:5666
> 0 0 ACCEPT tcp -- * * 10.0.3.0/24 0.0.0.0/0
> 0 0 ACCEPT udp -- * * 10.0.3.0/24 0.0.0.0/0
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:5666
> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
> 140 44173 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:2222 state ESTABLISHED
> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state ESTABLISHED
> 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 state NEW,ESTABLISHED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:655 state NEW,ESTABLISHED
> 6 8976 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:655 state NEW,ESTABLISHED
> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
>
> Chain NRPE (2 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0 x.x.x.x
> 0 0 ACCEPT all -- * * x.x.x.x 0.0.0.0/0
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> iptables -t nat -L -n -v
> Chain PREROUTING (policy ACCEPT 6 packets, 1831 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain INPUT (policy ACCEPT 4 packets, 1348 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 14 packets, 856 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 2 packets, 136 bytes)
> pkts bytes target prot opt in out source destination
>
>
> On Mon, Jan 30, 2017 at 2:05 PM, Dave Albert <dave.albert at gmail.com>
> wrote:
>
> Hi,
>
> I've been able to get tinc set up when I flush all my iptables, but after
> enabling iptables and a delay I get a "Destination Net Unknown". I have
> three hosts (HOME 10.0.3.2, MASTER 10.0.3.1, WEB 10.0.3.3); MASTER and WEB
> are in Digital Ocean in the same data centre.
>
> HOME <---> MASTER <---> WEB
>
> I've tried multiple forwarding/masquerading/etc rules and don't understand
> what I'm missing.
>
> When iptables are enabled (same rules on MASTER and WEB) I get the
> following results:
>
> HOME $ ping 10.0.3.1 ==> Success
> HOME $ ping 10.0.3.3 ==> Destination Net Unknown
>
> MASTER $ ping 10.0.3.2 ==> Success
> MASTER $ ping 10.0.3.3 ==> Destination Net Unknown
>
> WEB $ ping 10.0.3.1 ==> Destination Net Unknown
> WEB $ ping 10.0.3.2 ==> Destination Net Unknown
>
>
> It's not just ICMP though, I get the same results for "nc -vz x.x.x.x 22"
>
> I'd appreciate any help.
>
> Thanks,
> Dave
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
--
*Ing. Guillermo Bisheimer*
*B&S Sistemas de Control y Equipamientos*
Av. de los Constituyentes 1172
(E3116CIX) Crespo, Entre Ríos
Tel/Fax: (0343) 407-8990 (New number)
Mobile: (0343) 154679052
WEB: www.bys-control.com.ar
e-mail: gbisheimer at bys-control.com.ar
skype: guillermo.bisheimer
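The listing Dave quoted is the kind of thing that is easier to audit by script than by eye. Below is an added example, not code from tinc or from either poster, that parses `iptables -L -n -v` output and reports whether the rules a tinc node needs under a DROP policy are present: an ACCEPT for destination port 655 over TCP and UDP in INPUT (peers connecting to this node) and in OUTPUT (this node's own ConnectTo connections, which leave with a random source port and destination port 655). Run over a constructed excerpt of the quoted rules it reports the INPUT rules present and the OUTPUT chain carrying only source-port 655 rules, so an outbound metaconnection would match no ACCEPT rule there unless some unrelated rule happened to cover it. The FORWARD check is optional because tinc in its default `Forwarding = internal` mode relays packets for other nodes inside tincd; only `Forwarding = kernel` hands them to the kernel's FORWARD chain. Port 655 is tinc's default and the port in the quoted rules; the interface name `tun0` and the `tinc_rules()` helper that emits a minimal rule set as strings are assumptions of this example, not details from the thread.

```python
"""Audit an `iptables -L -n -v` listing for the rules a tinc node needs.

Added example for the thread above, not code from tinc or from the posters.
Assumptions: tinc uses TCP and UDP port 655 (the port in the quoted rules and
tinc's default); the VPN interface is called tun0 (the listing never names it).
The kernel FORWARD chain only sees VPN traffic with `Forwarding = kernel`; in
tinc's default internal mode tincd relays packets for other nodes itself.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the listing quoted in the thread, with each
# wrapped rule joined back onto one line (sample data, not a live dump).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 8 packets, 1120 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 10.0.3.0/24 0.0.0.0/0
    0     0 ACCEPT udp -- * * 10.0.3.0/24 0.0.0.0/0
    0     0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:655 state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 10.0.3.0/24 0.0.0.0/0
    0     0 ACCEPT udp -- * * 10.0.3.0/24 0.0.0.0/0
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:655 state NEW,ESTABLISHED
"""


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match text after destination, e.g. "tcp dpt:655 state NEW,ESTABLISHED"


CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")


def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [Rule]}} from -L -n -v output."""
    chains, chain = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            chains[chain] = {"policy": m.group(2), "rules": []}
            continue
        parts = line.split(None, 9)  # 9 fixed columns, then optional match text
        if chain is None or len(parts) < 9 or parts[0] == "pkts":
            continue  # blank line or the per-chain column header
        _pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst = parts[:9]
        extra = parts[9] if len(parts) > 9 else ""
        chains[chain]["rules"].append(Rule(chain, target, proto, in_if, out_if, src, dst, extra))
    return chains


def accepts_port(rules, proto, direction, port):
    """True if an ACCEPT rule for proto carries `dpt:PORT` or `spt:PORT` (direction)."""
    token = f"{direction}:{port}"
    return any(r.target == "ACCEPT" and r.proto == proto and token in r.extra.split()
               for r in rules)


def audit(listing, port=655, iface="tun0", kernel_forwarding=False):
    """Map each rule a tinc node needs under a DROP policy to whether it is present."""
    chains = parse_listing(listing)

    def rules_of(name):
        return chains.get(name, {}).get("rules", [])

    findings = {}
    for chain in ("INPUT", "OUTPUT"):
        for proto in ("tcp", "udp"):
            # dpt in INPUT: peers connecting to us; dpt in OUTPUT: our own ConnectTo
            findings[f"{chain} {proto} dpt:{port}"] = accepts_port(rules_of(chain), proto, "dpt", port)
    if kernel_forwarding:  # only relevant with Forwarding = kernel in tinc.conf
        findings[f"FORWARD {iface}"] = any(
            r.target == "ACCEPT" and iface in (r.in_if, r.out_if) for r in rules_of("FORWARD"))
    return findings


def missing(findings):
    """Names of the required rules that the audit did not find, sorted."""
    return sorted(k for k, ok in findings.items() if not ok)


def tinc_rules(port=655, iface="tun0", subnet="10.0.3.0/24", kernel_forwarding=False):
    """Minimal iptables commands (returned as strings, not executed) that satisfy audit()."""
    cmds = []
    for proto in ("tcp", "udp"):
        for chain in ("INPUT", "OUTPUT"):
            cmds.append(f"iptables -A {chain} -p {proto} --dport {port} "
                        f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
            cmds.append(f"iptables -A {chain} -p {proto} --sport {port} "
                        f"-m conntrack --ctstate ESTABLISHED -j ACCEPT")
    # decrypted VPN traffic enters and leaves through the tun interface
    cmds.append(f"iptables -A INPUT -i {iface} -s {subnet} -j ACCEPT")
    cmds.append(f"iptables -A OUTPUT -o {iface} -d {subnet} -j ACCEPT")
    if kernel_forwarding:
        cmds.append(f"iptables -A FORWARD -i {iface} -o {iface} -s {subnet} -d {subnet} -j ACCEPT")
    return cmds


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_LISTING).items():
        print(f"{'ok     ' if ok else 'MISSING'} {name}")
    print("\n".join(tinc_rules()))
```

To audit a live node, pipe `iptables -L -n -v` into a file and pass its contents to `audit()`; pass `kernel_forwarding=True` only if tinc.conf sets `Forwarding = kernel`, otherwise the FORWARD chain never sees the VPN packets and its emptiness is not a finding.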