Help with iptables && tinc

Guillermo Bisheimer gbisheimer at bys-control.com.ar
Mon Jan 30 15:43:27 CET 2017


Can you post your Tinc configuration too?

On Mon, 30 Jan 2017 at 11:42, Dave Albert (<dave.albert at gmail.com>)
wrote:

> Here is an extract of my current iptables that are not working:
>
>     iptables -L -n -v
>
>     Chain INPUT (policy DROP 8 packets, 1120 bytes)
>      pkts bytes target     prot opt in     out     source               destination
>         0     0 ACCEPT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
>         0     0 ACCEPT     udp  --  lo     *       0.0.0.0/0            0.0.0.0/0            udp dpt:3306
>         0     0 NRPE       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5666
>         0     0 ACCEPT     icmp --  *      *       x.x.x.x              0.0.0.0/0            icmptype 8
>         0     0 ACCEPT     icmp --  *      *       127.0.0.1            0.0.0.0/0            icmptype 8
>         0     0 ACCEPT     icmp --  *      *       10.0.3.0/24          0.0.0.0/0            icmptype 8
>         0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
>         0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
>         0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
>         0     0 ACCEPT     icmp --  *      *       x.x.x.x              0.0.0.0/0            icmptype 8
>         0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:5666
>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
>       192 13741 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 state NEW,ESTABLISHED
>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
>         0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>         0     0 ACCEPT     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
>         0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53
>         0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 limit: avg 25/min burst 100
>         0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123
>         0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25
>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:2222 state ESTABLISHED
>         0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:655 state NEW,ESTABLISHED
>         6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:655 state NEW,ESTABLISHED
>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
>
>     Chain FORWARD (policy DROP 0 packets, 0 bytes)
>      pkts bytes target     prot opt in     out     source               destination
>         0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            172.17.0.0/16        ctstate RELATED,ESTABLISHED
>         0     0 ACCEPT     all  --  docker0 *       172.17.0.0/16        0.0.0.0/0
>         0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
>
>     Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>      pkts bytes target     prot opt in     out     source               destination
>         0     0 NRPE       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5666
>         0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
>         0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
>         0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
>         0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5666
>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
>       140 44173 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:2222 state ESTABLISHED
>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
>         0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
>         0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
>         0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:53
>         0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
>         0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 state NEW,ESTABLISHED
>         0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:655 state NEW,ESTABLISHED
>         6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:655 state NEW,ESTABLISHED
>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
>
>     Chain NRPE (2 references)
>      pkts bytes target     prot opt in     out     source               destination
>         0     0 ACCEPT     all  --  *      *       0.0.0.0/0            x.x.x.x
>         0     0 ACCEPT     all  --  *      *       x.x.x.x              0.0.0.0/0
>         0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>     iptables -t nat -L -n -v
>     Chain PREROUTING (policy ACCEPT 6 packets, 1831 bytes)
>      pkts bytes target     prot opt in     out     source               destination
>
>     Chain INPUT (policy ACCEPT 4 packets, 1348 bytes)
>      pkts bytes target     prot opt in     out     source               destination
>
>     Chain OUTPUT (policy ACCEPT 14 packets, 856 bytes)
>      pkts bytes target     prot opt in     out     source               destination
>
>     Chain POSTROUTING (policy ACCEPT 2 packets, 136 bytes)
>      pkts bytes target     prot opt in     out     source               destination
>
>
> On Mon, Jan 30, 2017 at 2:05 PM, Dave Albert <dave.albert at gmail.com>
> wrote:
>
> Hi,
>
>   I've been able to get tinc set up when I flush all my iptables, but after
> enabling iptables and a delay I get a "Destination Net Unknown". I have
> three hosts (HOME 10.0.3.2, MASTER 10.0.3.1, WEB 10.0.3.3). MASTER and WEB are
> in Digital Ocean in the same data centre.
>
> HOME <---> MASTER  <--->  WEB
>
> I've tried multiple forwarding/masquerading/etc rules and don't understand
> what I'm missing.
>
> When iptables are enabled (same rules on MASTER and WEB) I get the
> following results:
>
> HOME $ ping 10.0.3.1  ==> Success
> HOME $ ping 10.0.3.3  ==> Destination Net Unknown
>
> MASTER $ ping 10.0.3.2  ==> Success
> MASTER $ ping 10.0.3.3  ==> Destination Net Unknown
>
> WEB $ ping 10.0.3.1  ==> Destination Net Unknown
> WEB $ ping 10.0.3.2  ==> Destination Net Unknown
>
>
> It's not just ICMP though, I get the same results for "nc -vz x.x.x.x 22"
>
> I'd appreciate any help.
>
> Thanks,
>   Dave
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
-- 

Ing. Guillermo Bisheimer
B&S Sistemas de Control y Equipamientos
Av. de los Constituyentes 1172
(E3116CIX) Crespo, Entre Ríos
Tel/Fax: (0343) 407-8990 (new number)
Mobile: (0343) 154679052
Web: www.bys-control.com.ar
E-mail: gbisheimer at bys-control.com.ar
Skype: guillermo.bisheimer
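An added audit script (mine, not from the thread or the tinc project) that parses the `iptables -L -n -v` format quoted above and lists the openings a tinc node needs that are missing; it assumes tinc's default port 655 and the 10.0.3.0/24 VPN range from the thread, looks only at tcp and udp, and assumes tinc's outgoing TCP meta connections use an ephemeral source port.

```python
import re
# Constructed sample, abbreviated from the `iptables -L -n -v` dump quoted in the thread.
SAMPLE = """\
Chain INPUT (policy DROP 8 packets, 1120 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:655 state NEW,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:655 state NEW,ESTABLISHED
"""
CHAIN = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
# pkts bytes target prot opt in out source destination [match options]
RULE = re.compile(r"^\s*\d+\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
FIELDS = ("target", "proto", "in", "out", "src", "dst", "extra")

def parse_chains(dump):
    chains, cur = {}, None
    for line in dump.splitlines():
        m = CHAIN.match(line)
        if m:
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE.match(line)
        if m and cur:
            chains[cur]["rules"].append(dict(zip(FIELDS, m.groups())))
    return chains

def accepts(chain, proto, **want):
    """True if an ACCEPT rule for proto (or 'all') carries every wanted token in its field."""
    return any(r["target"] == "ACCEPT" and r["proto"] in (proto, "all")
               and all(v in r[k].split() for k, v in want.items()) for r in chain["rules"])

def audit_tinc(dump, port=655, vpn_net="10.0.3.0/24"):
    """Return the openings a tinc node needs that the dump does not provide."""
    ch, wanted = parse_chains(dump), []
    for proto in ("tcp", "udp"):
        # Peers reaching this node (dpt in, spt back) and tunnelled traffic from VPN addresses.
        wanted += [("INPUT", proto, "extra", f"dpt:{port}"), ("OUTPUT", proto, "extra", f"spt:{port}"),
                   ("INPUT", proto, "src", vpn_net), ("OUTPUT", proto, "src", vpn_net)]
    # A meta connection this node opens is TCP to the peer's port from an ephemeral source port
    # (assumption about tinc), so spt:port does not cover it; UDP leaves the listening socket.
    wanted.append(("OUTPUT", "tcp", "extra", f"dpt:{port}"))
    return [f"{chain}: no ACCEPT {proto} {'from ' if field == 'src' else ''}{tok}"
            for chain, proto, field, tok in wanted if not accepts(ch[chain], proto, **{field: tok})]
```

Feed it the full output of `iptables -L -n -v` from each node and compare the lists; an empty list means every opening the script knows about is present.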