Help with iptables && tinc

Dave Albert dave.albert at gmail.com
Mon Jan 30 15:42:22 CET 2017


Here is an extract of my current iptables that are not working:

    iptables -L -n -v

    Chain INPUT (policy DROP 8 packets, 1120 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
        0     0 ACCEPT     udp  --  lo     *       0.0.0.0/0            0.0.0.0/0            udp dpt:3306
        0     0 NRPE       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5666
        0     0 ACCEPT     icmp --  *      *       x.x.x.x              0.0.0.0/0            icmptype 8
        0     0 ACCEPT     icmp --  *      *       127.0.0.1            0.0.0.0/0            icmptype 8
        0     0 ACCEPT     icmp --  *      *       10.0.3.0/24          0.0.0.0/0            icmptype 8
        0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
        0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
        0     0 ACCEPT     icmp --  *      *       x.x.x.x              0.0.0.0/0            icmptype 8
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:5666
        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
      192 13741 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 state NEW,ESTABLISHED
        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 limit: avg 25/min burst 100
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25
        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:2222 state ESTABLISHED
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:655 state NEW,ESTABLISHED
        6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:655 state NEW,ESTABLISHED
        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            172.17.0.0/16        ctstate RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  docker0 *       172.17.0.0/16        0.0.0.0/0
        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 NRPE       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5666
        0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
        0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5666
        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
      140 44173 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:2222 state ESTABLISHED
        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:53
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 state NEW,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:655 state NEW,ESTABLISHED
        6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:655 state NEW,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED

    Chain NRPE (2 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            x.x.x.x
        0     0 ACCEPT     all  --  *      *       x.x.x.x              0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


    iptables -t nat -L -n -v

    Chain PREROUTING (policy ACCEPT 6 packets, 1831 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 4 packets, 1348 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 14 packets, 856 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 2 packets, 136 bytes)
     pkts bytes target     prot opt in     out     source               destination


On Mon, Jan 30, 2017 at 2:05 PM, Dave Albert <dave.albert at gmail.com> wrote:

> Hi,
>
>   I've been able to get tinc set up when I flush all my iptables, but after
> enabling iptables and a delay I get a "Destination Net Unknown".   I have
> three hosts (HOME 10.0.3.2, MASTER 10.0.3.1, WEB 10.0.3.3). MASTER and WEB are
> in Digital Ocean in the same data centre.
>
> HOME <---> MASTER  <--->  WEB
>
> I've tried multiple forwarding/masquerading/etc rules and don't understand
> what I'm missing.
>
> When iptables are enabled (same rules on MASTER and WEB) I get the
> following results:
>
> HOME $ ping 10.0.3.1  ==> Success
> HOME $ ping 10.0.3.3  ==> Destination Net Unknown
>
> MASTER $ ping 10.0.3.2  ==> Success
> MASTER $ ping 10.0.3.3  ==> Destination Net Unknown
>
> WEB $ ping 10.0.3.1  ==> Destination Net Unknown
> WEB $ ping 10.0.3.2  ==> Destination Net Unknown
>
>
> It's not just ICMP though, I get the same results for "nc -vz x.x.x.x 22"
>
> I'd appreciate any help.
>
> Thanks,
>   Dave
>
>
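A rule set like the one above can be checked mechanically rather than by eye. What follows is an added example written for this page; it is not code from the tinc project or from the poster. It parses an `iptables -L -n -v` listing and reports whether INPUT and OUTPUT accept what a single tinc node needs. It assumes tinc's default port 655 (TCP for the meta-connection between nodes, UDP for the tunnelled packets), that the node opens connections to its ConnectTo peers as well as accepting incoming ones, and the 10.0.3.0/24 VPN subnet from the post. The embedded listing is a constructed, trimmed extract of the dump above with the wrapped destination column re-joined, and the remediation commands in FIXES are hypothetical suggestions, not taken from tinc's documentation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: INPUT/OUTPUT rows from the dump posted above (trimmed, columns re-joined).
LISTING = """\
Chain INPUT (policy DROP 8 packets, 1120 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:655 state NEW,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:655 state NEW,ESTABLISHED
"""

@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str = ""  # match text after the destination column, e.g. "tcp dpt:655 state NEW,ESTABLISHED"

@dataclass
class Chain:
    policy: str  # ACCEPT/DROP for built-in chains, "-" for user-defined ones such as NRPE
    rules: List[Rule] = field(default_factory=list)

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

def parse_listing(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L -n -v` output; the column order is fixed:
    pkts bytes target prot opt in out source destination [match text]."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), Chain(m.group(2) or "-"))
            continue
        cols = line.split(None, 9)
        if current is None or len(cols) < 9:
            raise ValueError(f"unparseable rule line: {raw!r}")
        current.rules.append(Rule(cols[2], cols[3], cols[5], cols[6], cols[7], cols[8],
                                  cols[9] if len(cols) > 9 else ""))
    return chains

def _accepts_dport(chain: Chain, proto: str, port: int) -> bool:
    """Is new traffic *to* proto/port accepted?  A spt: rule does not count:
    it only matches packets whose source port is `port`, i.e. replies."""
    if chain.policy == "ACCEPT":
        return True
    return any(r.target == "ACCEPT" and r.proto == proto
               and re.search(rf"\bdpt:{port}\b", r.extra) for r in chain.rules)

def _accepts_subnet(chain: Chain, subnet: str) -> bool:
    """Do port-agnostic ACCEPT rules cover TCP and UDP to or from the VPN subnet?"""
    if chain.policy == "ACCEPT":
        return True
    covered = {r.proto for r in chain.rules
               if r.target == "ACCEPT" and subnet in (r.src, r.dst)
               and not re.search(r"\b[sd]pt:", r.extra)}
    return "all" in covered or {"tcp", "udp"} <= covered

def audit(text: str, port: int = 655, subnet: str = "10.0.3.0/24") -> Dict[str, bool]:
    """Six yes/no checks for one tinc node; port 655 and the subnet are assumptions."""
    chains = parse_listing(text)
    inp, out = chains["INPUT"], chains["OUTPUT"]
    return {
        "input_tcp_meta": _accepts_dport(inp, "tcp", port),    # peers connecting to us
        "input_udp_data": _accepts_dport(inp, "udp", port),
        "output_tcp_meta": _accepts_dport(out, "tcp", port),   # us connecting to ConnectTo peers
        "output_udp_data": _accepts_dport(out, "udp", port),
        "input_vpn_subnet": _accepts_subnet(inp, subnet),      # traffic arriving via the tun device
        "output_vpn_subnet": _accepts_subnet(out, subnet),
    }

# Hypothetical remediation commands, one per failed check (not from tinc's documentation).
FIXES = {
    "input_tcp_meta": "iptables -A INPUT -p tcp --dport {port} -m state --state NEW,ESTABLISHED -j ACCEPT",
    "input_udp_data": "iptables -A INPUT -p udp --dport {port} -j ACCEPT",
    "output_tcp_meta": "iptables -A OUTPUT -p tcp --dport {port} -m state --state NEW,ESTABLISHED -j ACCEPT",
    "output_udp_data": "iptables -A OUTPUT -p udp --dport {port} -j ACCEPT",
    "input_vpn_subnet": "iptables -A INPUT -s {subnet} -j ACCEPT",
    "output_vpn_subnet": "iptables -A OUTPUT -d {subnet} -j ACCEPT",
}

def suggested_fixes(text: str, port: int = 655, subnet: str = "10.0.3.0/24") -> List[str]:
    return [FIXES[k].format(port=port, subnet=subnet)
            for k, ok in audit(text, port, subnet).items() if not ok]
```

Run `audit(LISTING)` on the sample and it reports the two OUTPUT checks as failing: the listing only has `spt:655` rules in OUTPUT, and those match packets leaving *from* port 655, which is reply traffic to a connection a peer opened, not a connection this node opens to port 655 on a peer. The check is deliberately conservative: a rule carrying a port qualifier is not counted as covering the VPN subnet, and a chain whose policy is ACCEPT passes every check. Feed it the full listing from the post (after re-joining the wrapped rows) or the output of `iptables -L -n -v` on the node in question.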