Help with iptables && tinc

Dave Albert dave.albert at gmail.com
Mon Jan 30 17:38:51 CET 2017


Here are the config files. Thanks!



# tinc.conf on MASTER
# ------- master -------
Name = master
Device = /dev/net/tun
AddressFamily = ipv4
---------------------------------------------


cat tinc-up
# tinc-up on MASTER
ifconfig $INTERFACE 10.0.3.1 netmask 255.255.255.0
---------------------------------------------


cat tinc-up
# tinc-up on WEB
ifconfig $INTERFACE 10.0.3.3 netmask 255.255.255.0
---------------------------------------------


# tinc.conf on WEB
# ------- web -------
Name = web
Device = /dev/net/tun
AddressFamily = ipv4
ConnectTo = master
#ConnectTo = home
---------------------------------------------



cat hosts/master on BOTH
# ------- master -------
# public IP (comment kept on its own line: tinc takes the rest of an
# "Address =" line as the value, so a trailing "#..." would become part of it)
Address = 1.2.3.4
Subnet = 10.0.3.1/32

-----BEGIN RSA PUBLIC KEY-----
My Key on MASTER
-----END RSA PUBLIC KEY-----
---------------------------------------------




cat hosts/web on BOTH
# ------- web -------
# public IP (comment kept on its own line, see hosts/master)
Address = 4.3.2.1
Subnet = 10.0.3.3/32
# Public key goes below here

-----BEGIN RSA PUBLIC KEY-----
My Key on WEB
-----END RSA PUBLIC KEY-----
---------------------------------------------



On Mon, Jan 30, 2017 at 2:43 PM, Guillermo Bisheimer <gbisheimer at bys-control.com.ar> wrote:

> Can you post your Tinc configuration too?
>
> On Mon, Jan 30, 2017 at 11:42, Dave Albert (<dave.albert at gmail.com>)
> wrote:
>
>> Here is an extract of my current iptables that are not working:
>>
>>     iptables -L -n -v
>>
>>     Chain INPUT (policy DROP 8 packets, 1120 bytes)
>>      pkts bytes target     prot opt in     out     source               destination
>>         0     0 ACCEPT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
>>         0     0 ACCEPT     udp  --  lo     *       0.0.0.0/0            0.0.0.0/0            udp dpt:3306
>>         0     0 NRPE       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5666
>>         0     0 ACCEPT     icmp --  *      *       x.x.x.x              0.0.0.0/0            icmptype 8
>>         0     0 ACCEPT     icmp --  *      *       127.0.0.1            0.0.0.0/0            icmptype 8
>>         0     0 ACCEPT     icmp --  *      *       10.0.3.0/24          0.0.0.0/0            icmptype 8
>>         0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
>>         0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
>>         0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
>>         0     0 ACCEPT     icmp --  *      *       x.x.x.x              0.0.0.0/0            icmptype 8
>>         0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:5666
>>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
>>       192 13741 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 state NEW,ESTABLISHED
>>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
>>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
>>         0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>>         0     0 ACCEPT     all  --  docker0 *      0.0.0.0/0            0.0.0.0/0
>>         0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53
>>         0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 limit: avg 25/min burst 100
>>         0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123
>>         0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25
>>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
>>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:2222 state ESTABLISHED
>>         0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:655 state NEW,ESTABLISHED
>>         6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:655 state NEW,ESTABLISHED
>>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
>>         0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
>>
>>     Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>      pkts bytes target     prot opt in     out     source               destination
>>         0     0 ACCEPT     all  --  *      docker0 0.0.0.0/0            172.17.0.0/16        ctstate RELATED,ESTABLISHED
>>         0     0 ACCEPT     all  --  docker0 *      172.17.0.0/16        0.0.0.0/0
>>         0     0 ACCEPT     all  --  docker0 docker0 0.0.0.0/0           0.0.0.0/0
>>
>>     Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>>      pkts bytes target     prot opt in     out     source               destination
>>         0     0 NRPE       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5666
>>         0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
>>         0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
>>         0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
>>         0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
>>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5666
>>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
>>       140 44173 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:2222 state ESTABLISHED
>>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
>>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
>>         0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
>>         0     0 ACCEPT     all  --  *      docker0 0.0.0.0/0            0.0.0.0/0
>>         0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:53
>>         0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
>>         0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
>>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 state NEW,ESTABLISHED
>>         0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:655 state NEW,ESTABLISHED
>>         6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:655 state NEW,ESTABLISHED
>>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
>>         0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
>>
>>     Chain NRPE (2 references)
>>      pkts bytes target     prot opt in     out     source               destination
>>         0     0 ACCEPT     all  --  *      *       0.0.0.0/0            x.x.x.x
>>         0     0 ACCEPT     all  --  *      *       x.x.x.x              0.0.0.0/0
>>         0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>>
>>     iptables -t nat -L -n -v
>>     Chain PREROUTING (policy ACCEPT 6 packets, 1831 bytes)
>>      pkts bytes target     prot opt in     out     source               destination
>>
>>     Chain INPUT (policy ACCEPT 4 packets, 1348 bytes)
>>      pkts bytes target     prot opt in     out     source               destination
>>
>>     Chain OUTPUT (policy ACCEPT 14 packets, 856 bytes)
>>      pkts bytes target     prot opt in     out     source               destination
>>
>>     Chain POSTROUTING (policy ACCEPT 2 packets, 136 bytes)
>>      pkts bytes target     prot opt in     out     source               destination
>>
>>
>> On Mon, Jan 30, 2017 at 2:05 PM, Dave Albert <dave.albert at gmail.com> wrote:
>>
>> Hi,
>>
>>   I've been able to get tinc set up when I flush all my iptables, but
>> after enabling iptables and a delay I get a "Destination Net Unknown". I
>> have three hosts (HOME 10.0.3.2, MASTER 10.0.3.1, WEB 10.0.3.3); MASTER and
>> WEB are in DigitalOcean in the same data centre.
>>
>> HOME <---> MASTER  <--->  WEB
>>
>> I've tried multiple forwarding/masquerading/etc rules and don't
>> understand what I'm missing.
>>
>> When iptables are enabled (same rules on MASTER and WEB) I get the
>> following results:
>>
>> HOME $ ping 10.0.3.1  ==> Success
>> HOME $ ping 10.0.3.3  ==> Destination Net Unknown
>>
>> MASTER $ ping 10.0.3.2  ==> Success
>> MASTER $ ping 10.0.3.3  ==> Destination Net Unknown
>>
>> WEB $ ping 10.0.3.1  ==> Destination Net Unknown
>> WEB $ ping 10.0.3.2  ==> Destination Net Unknown
>>
>>
>> It's not just ICMP though, I get the same results for "nc -vz x.x.x.x 22"
>>
>> I'd appreciate any help.
>>
>> Thanks,
>>   Dave
>>
>>
>> _______________________________________________
>> tinc mailing list
>> tinc at tinc-vpn.org
>> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>
> --
>
> *Ing. Guillermo Bisheimer*
>
> *B&S Sistemas de Control y Equipamientos*
>
> Av. de los Constituyentes 1172
>
> (E3116CIX) Crespo, Entre Ríos
>
> Tel/Fax: (0343) 407-8990 (new number)
>
> Cel: (0343) 154679052
>
> WEB: www.bys-control.com.ar
>
> e-mail: gbisheimer at bys-control.com.ar
>
> skype: guillermo.bisheimer
>
>
>
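An added check, not code from the thread or from tinc, that parses an `iptables -L -n -v` listing and reports which tinc flows (TCP 655 for the meta connection, UDP 655 for data) a DROP-policy firewall does not let through. It assumes the default port 655 and that a node with a ConnectTo, like WEB here, opens its TCP meta connection from an ephemeral source port, so that host also needs OUTPUT tcp dpt:655 and INPUT tcp spt:655 (or a port-less ESTABLISHED rule); the sample rows are reflowed from the listing above.

```python
import re
# Constructed sample: the tinc-related rows of the `iptables -L -n -v` listing
# from the thread, reflowed onto single lines (the other rows are omitted).
SAMPLE = """\
Chain INPUT (policy DROP 8 packets, 1120 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:655 state NEW,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:655 state NEW,ESTABLISHED
"""
# Columns: pkts bytes target prot opt in out source destination [match extras]
RULE = re.compile(r"^\s*\d+\s+\S+\s+(\S+)\s+(\S+)(?:\s+\S+){5}\s*(.*)$")

def parse(listing):
    """Map chain name -> list of (target, proto, extras) from -L -n -v text."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        m = RULE.match(line) if current else None
        if m:
            chains[current].append((m.group(1), m.group(2), m.group(3)))
    return chains

def allows(chains, chain, proto, port_match):
    """True if CHAIN accepts PROTO packets matching PORT_MATCH (e.g. 'dpt:655'),
    explicitly or through a port-less ESTABLISHED rule for that protocol."""
    for target, p, extras in chains.get(chain, []):
        if target != "ACCEPT" or p not in (proto, "all"):
            continue
        if port_match in extras or ("ESTABLISHED" in extras and "pt:" not in extras):
            return True
    return False

def missing_tinc_rules(listing, connects_out, port=655):
    """List the tinc flows the firewall blocks. A listen-only node needs the first
    four; a node with a ConnectTo dials TCP PORT from an ephemeral source port."""
    needed = [("INPUT", "tcp", f"dpt:{port}"), ("OUTPUT", "tcp", f"spt:{port}"),
              ("INPUT", "udp", f"dpt:{port}"), ("OUTPUT", "udp", f"spt:{port}")]
    if connects_out:
        needed += [("OUTPUT", "tcp", f"dpt:{port}"), ("INPUT", "tcp", f"spt:{port}")]
    chains = parse(listing)
    return sorted(f"{c} {p} {m}" for c, p, m in needed if not allows(chains, c, p, m))
```

On the sample, a listen-only node passes, while a node with a ConnectTo is reported as missing OUTPUT tcp dpt:655 and INPUT tcp spt:655.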

