Help with iptables && tinc

Dave Albert dave.albert at gmail.com
Tue Jan 31 13:26:31 CET 2017


Thanks!  Looks like my biggest problem was I had --sport for INPUT and --dport for OUTPUT but was missing the reverse.



On 30/01/2017, 16:39, "tinc on behalf of Guus Sliepen" <tinc-bounces at tinc-vpn.org on behalf of guus at tinc-vpn.org> wrote:

    On Mon, Jan 30, 2017 at 02:05:43PM +0000, Dave Albert wrote:
    
    >   I've been able to get tinc setup when I flush all my iptables, but after
    > enabling iptables and a delay I get a "Destination Net Unknown".
    
    Destination Net Unknown means that tinc does not know a Subnet that
    matches the destination IP address of VPN packets, either because there
    is no such Subnet, or because the host that has that Subnet is not
    connected. So it seems that with the iptables rules enabled, WEB and
    MASTER cannot make a TCP connection with HOME (and/or vice versa).
    
    From the firewall rules you posted:
    
    > Chain INPUT
    [...]
    > 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:655 state NEW,ESTABLISHED
    > 6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:655 state NEW,ESTABLISHED
    
    That means no TCP connection to port 655 was ever attempted. But your
    OUTPUT rules are more interesting:
    
    > Chain OUTPUT
    [...]
    > 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp spt:655 state NEW,ESTABLISHED
    > 6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp spt:655 state NEW,ESTABLISHED
    
    This only allows TCP connections from port 655 if they are NEW or
    ESTABLISHED. But tinc never makes outgoing TCP connections with source
    port 655! Outgoing TCP connections normally have a random port number.
    There is no other rule that allows outgoing TCP connections to port 655,
    except to those hosts within the IP range 10.0.3.0/24.
    
    I recommend you add a rule that ACCEPTs anything with state
    RELATED,ESTABLISHED in the OUTPUT chain. Put that rule first. Then you
    want to allow NEW outgoing connections with *destination* port 655.
    
    -- 
    Met vriendelijke groet / with kind regards,
         Guus Sliepen <guus at tinc-vpn.org>


