Help with iptables && tinc
Dave Albert
dave.albert at gmail.com
Mon Jan 30 17:38:51 CET 2017
Here are the config files. Thanks!
# tinc.conf on MASTER
# ------- master -------
Name = master
Device = /dev/net/tun
AddressFamily=ipv4
---------------------------------------------
cat tinc-up
# tinc-up on MASTER
ifconfig $INTERFACE 10.0.3.1 netmask 255.255.255.0
---------------------------------------------
cat tinc-up
# tinc-up on WEB
ifconfig $INTERFACE 10.0.3.3 netmask 255.255.255.0
---------------------------------------------
# tinc.conf on WEB
# ------- web -------
Name = web
Device = /dev/net/tun
AddressFamily=ipv4
ConnectTo = master
#ConnectTo = home
---------------------------------------------
cat hosts/master on BOTH
# ------- master -------
Address = 1.2.3.4 #public IP
Subnet = 10.0.3.1/32
-----BEGIN RSA PUBLIC KEY-----
My Key on MASTER
-----END RSA PUBLIC KEY-----
---------------------------------------------
cat hosts/web on BOTH
# ------- web -------
Address = 4.3.2.1 #public IP
Subnet = 10.0.3.3/32
# Public key goes below here
-----BEGIN RSA PUBLIC KEY-----
My Key on WEB
-----END RSA PUBLIC KEY-----
---------------------------------------------
On Mon, Jan 30, 2017 at 2:43 PM, Guillermo Bisheimer <
gbisheimer at bys-control.com.ar> wrote:
> Can you post your Tinc configuration too?
>
> On Mon, Jan 30, 2017 at 11:42, Dave Albert (<dave.albert at gmail.com>)
> wrote:
>
>> Here is an extract of my current iptables that are not working:
>>
>> iptables -L -n -v
>>
>> Chain INPUT (policy DROP 8 packets, 1120 bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 ACCEPT tcp -- lo * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
>> 0 0 ACCEPT udp -- lo * 0.0.0.0/0 0.0.0.0/0 udp dpt:3306
>> 0 0 NRPE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5666
>> 0 0 ACCEPT icmp -- * * x.x.x.x 0.0.0.0/0 icmptype 8
>> 0 0 ACCEPT icmp -- * * 127.0.0.1 0.0.0.0/0 icmptype 8
>> 0 0 ACCEPT icmp -- * * 10.0.3.0/24 0.0.0.0/0 icmptype 8
>> 0 0 ACCEPT tcp -- * * 10.0.3.0/24 0.0.0.0/0
>> 0 0 ACCEPT udp -- * * 10.0.3.0/24 0.0.0.0/0
>> 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
>> 0 0 ACCEPT icmp -- * * x.x.x.x 0.0.0.0/0 icmptype 8
>> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:5666
>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
>> 192 13741 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 state NEW,ESTABLISHED
>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
>> 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
>> 0 0 ACCEPT all -- docker0 * 0.0.0.0/0 0.0.0.0/0
>> 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:53
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 limit: avg 25/min burst 100
>> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:123
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25
>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:2222 state ESTABLISHED
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:655 state NEW,ESTABLISHED
>> 6 8976 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:655 state NEW,ESTABLISHED
>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state ESTABLISHED
>>
>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 ACCEPT all -- * docker0 0.0.0.0/0 172.17.0.0/16 ctstate RELATED,ESTABLISHED
>> 0 0 ACCEPT all -- docker0 * 172.17.0.0/16 0.0.0.0/0
>> 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
>>
>> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 NRPE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:5666
>> 0 0 ACCEPT tcp -- * * 10.0.3.0/24 0.0.0.0/0
>> 0 0 ACCEPT udp -- * * 10.0.3.0/24 0.0.0.0/0
>> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
>> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
>> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:5666
>> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
>> 140 44173 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:2222 state ESTABLISHED
>> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
>> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state ESTABLISHED
>> 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
>> 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0
>> 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
>> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
>> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
>> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 state NEW,ESTABLISHED
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:655 state NEW,ESTABLISHED
>> 6 8976 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:655 state NEW,ESTABLISHED
>> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
>> 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
>>
>> Chain NRPE (2 references)
>> pkts bytes target prot opt in out source destination
>> 0 0 ACCEPT all -- * * 0.0.0.0/0 x.x.x.x
>> 0 0 ACCEPT all -- * * x.x.x.x 0.0.0.0/0
>> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>>
>> iptables -t nat -L -n -v
>> Chain PREROUTING (policy ACCEPT 6 packets, 1831 bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain INPUT (policy ACCEPT 4 packets, 1348 bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain OUTPUT (policy ACCEPT 14 packets, 856 bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain POSTROUTING (policy ACCEPT 2 packets, 136 bytes)
>> pkts bytes target prot opt in out source destination
>>
>>
>> On Mon, Jan 30, 2017 at 2:05 PM, Dave Albert <dave.albert at gmail.com>
>> wrote:
>>
>> Hi,
>>
>> I've been able to get tinc set up when I flush all my iptables, but
>> after enabling iptables and a delay I get a "Destination Net Unknown". I
>> have three hosts (HOME 10.0.3.2, MASTER 10.0.3.1, WEB 10.0.3.3); MASTER and
>> WEB are in DigitalOcean in the same data centre.
>>
>> HOME <---> MASTER <---> WEB
>>
>> I've tried multiple forwarding/masquerading/etc rules and don't
>> understand what I'm missing.
>>
>> When iptables are enabled (same rules on MASTER and WEB) I get the
>> following results:
>>
>> HOME $ ping 10.0.3.1 ==> Success
>> HOME $ ping 10.0.3.3 ==> Destination Net Unknown
>>
>> MASTER $ ping 10.0.3.2 ==> Success
>> MASTER $ ping 10.0.3.3 ==> Destination Net Unknown
>>
>> WEB $ ping 10.0.3.1 ==> Destination Net Unknown
>> WEB $ ping 10.0.3.2 ==> Destination Net Unknown
>>
>>
>> It's not just ICMP though, I get the same results for "nc -vz x.x.x.x 22"
>>
>> I'd appreciate any help.
>>
>> Thanks,
>> Dave
>>
>>
>> _______________________________________________
>> tinc mailing list
>> tinc at tinc-vpn.org
>> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>
> --
>
> *Ing. Guillermo Bisheimer*
>
> *B&S Sistemas de Control y Equipamientos*
>
> Av. de los Constituyentes 1172
>
> (E3116CIX) Crespo, Entre Ríos
>
> Tel/Fax: (0343) 407-8990 (New number)
>
> Cel: (0343) 154679052
>
> WEB: www.bys-control.com.ar
>
> e-mail: gbisheimer at bys-control.com.ar
>
> skype: guillermo.bisheimer
>
>
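A way to check the posted rules against what tinc actually needs, added here as an example and not code from the thread or from the tinc project. The quoted OUTPUT chain accepts tcp spt:655 and udp spt:655, and INPUT accepts dpt:655, but there is no OUTPUT rule for tcp dpt:655. On the node that does the `ConnectTo` (web), the meta-connection is an outbound TCP connection from an ephemeral port to the peer's port 655, so as far as the listing shows it falls through to the OUTPUT policy DROP. The script below parses a constructed subset of the posted rules in `iptables -S` syntax, walks each chain first-match like the kernel does, and reports the verdict for each tinc flow before and after adding the missing rule. The public IPs 1.2.3.4 and 4.3.2.1 are the thread's; the ephemeral port 40000 and the tun interface name `tinc0` are assumptions.

```python
"""First-match evaluator for a subset of iptables syntax, used to check
whether a host firewall admits tinc's own traffic. Added example; the
ruleset is constructed from the rules in the quoted listing that can
match tinc traffic. Port 40000 and interface name tinc0 are assumed."""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Packet:
    chain: str           # "INPUT" or "OUTPUT"
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"   # conntrack state as iptables would see it
    iface: str = "eth0"  # matched by -i on INPUT, -o on OUTPUT


def parse_rules(text):
    """Parse `iptables -S` style lines into (policies, rules)."""
    policies, rules = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        toks = shlex.split(line)
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            raise ValueError("unsupported line: " + line)
        chain, match, target, i = toks[1], {}, None, 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-j":
                target = toks[i + 1]
            elif tok == "-m":
                pass  # match module name; its options follow as their own tokens
            elif tok in ("--state", "--ctstate"):
                match["state"] = set(toks[i + 1].split(","))
            elif tok in ("-p", "-s", "-d", "-i", "-o", "--sport", "--dport"):
                match[tok] = toks[i + 1]
            else:
                raise ValueError("unsupported token: " + tok)
            i += 2
        rules.append((chain, match, target))
    return policies, rules


def _matches(m, pkt):
    """True when every criterion in rule dict m fits the packet."""
    if "-p" in m and m["-p"] != pkt.proto:
        return False
    for key, addr in (("-s", pkt.src), ("-d", pkt.dst)):
        net = ipaddress.ip_network(m[key], strict=False) if key in m else None
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    if any(k in m and m[k] != pkt.iface for k in ("-i", "-o")):
        return False
    if "--sport" in m and int(m["--sport"]) != pkt.sport:
        return False
    if "--dport" in m and int(m["--dport"]) != pkt.dport:
        return False
    return "state" not in m or pkt.state in m["state"]


def verdict(ruleset, pkt):
    """First terminating rule in the packet's chain wins; else the policy."""
    policies, rules = ruleset
    for chain, m, target in rules:
        if chain == pkt.chain and target in ("ACCEPT", "DROP", "REJECT") and _matches(m, pkt):
            return target
    return policies.get(pkt.chain, "ACCEPT")


def tinc_flows(own_ip, peer_ip, vpn_peer="10.0.3.2", tun="tinc0"):
    """Flows a node with `ConnectTo = <peer>` must be allowed to pass."""
    return {
        # meta-connection: TCP from an ephemeral port to the peer's port 655
        "meta_out": Packet("OUTPUT", "tcp", own_ip, peer_ip, 40000, 655, "NEW"),
        "meta_reply_in": Packet("INPUT", "tcp", peer_ip, own_ip, 655, 40000, "ESTABLISHED"),
        # data packets: UDP 655 to UDP 655 in both directions
        "data_out": Packet("OUTPUT", "udp", own_ip, peer_ip, 655, 655, "NEW"),
        "data_in": Packet("INPUT", "udp", peer_ip, own_ip, 655, 655, "NEW"),
        # decrypted VPN traffic arriving on the tun interface
        "vpn_in": Packet("INPUT", "tcp", vpn_peer, "10.0.3.3", 40001, 22, "NEW", tun),
    }


def check(ruleset_text, own_ip, peer_ip):
    """Return {flow name: verdict} for the tinc flows against a ruleset."""
    rs = parse_rules(ruleset_text)
    return {name: verdict(rs, pkt) for name, pkt in tinc_flows(own_ip, peer_ip).items()}


# Constructed subset of the quoted listing, as the `web` node would have it.
AS_POSTED = """
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -s 10.0.3.0/24 -p tcp -j ACCEPT
-A INPUT -s 10.0.3.0/24 -p udp -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 655 -j ACCEPT
-A INPUT -p udp -m state --state NEW,ESTABLISHED --dport 655 -j ACCEPT
-A OUTPUT -s 10.0.3.0/24 -p tcp -j ACCEPT
-A OUTPUT -s 10.0.3.0/24 -p udp -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 655 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED --sport 655 -j ACCEPT
"""

# Same rules plus the two the outbound meta-connection and its replies need.
WITH_FIX = AS_POSTED + """
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 655 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 655 -j ACCEPT
"""

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("with fix", WITH_FIX)):
        print(label, check(text, "4.3.2.1", "1.2.3.4"))
```

Run as-is, the "as posted" line reports `meta_out` and `meta_reply_in` as DROP while the UDP and tun-side flows are ACCEPT, and "with fix" reports every flow as ACCEPT. With tinc's default internal forwarding the hop through MASTER is done by tincd itself, so the kernel FORWARD chain on MASTER is not in the path; what decides reachability is whether INPUT and OUTPUT on each node's public interface admit the TCP 655 meta-connection from the ConnectTo side and the UDP 655 data packets in both directions. A generic `-m state --state ESTABLISHED,RELATED -j ACCEPT` near the top of INPUT and OUTPUT would cover the reply directions for every service at once, which the posted listing only does per port.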