Cannot access other computers on LAN

Julien dupont marcelvierzon at gmail.com
Tue Jan 15 16:33:26 CET 2019


ip_forward was not enabled, now it is. Still same result:
On VPN_office I use 'tcpdump -npi any icmp and host 192.168.1.1' and ping
192.168.1.1 from the client:
5:28:42.646203 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 1, length 64
15:28:43.663014 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 2, length 64
15:28:44.688133 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 3, length 64
15:28:45.714886 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 4, length 64
15:28:46.738332 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 5, length 64
15:28:47.756378 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 6, length 64

'iptables -L -vn' yields:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  799  156K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   22  1592 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1592 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1592 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   224 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   17  1140 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  VPN_Main *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 896 packets, 195K bytes)
 pkts bytes target     prot opt in     out     source               destination
  898  195K OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  p8p1   *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      p8p1    0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  1140 IN_public  all  --  p8p1   *       0.0.0.0/0            0.0.0.0/0           [goto]
    5   452 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
   22  1592 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1592 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1592 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination





On Tue, 15 Jan 2019 at 13:49, Lars Kruse <lists at sumpfralle.de> wrote:

> Hello Julien,
>
>
> On Tue, 15 Jan 2019 09:30:23 +0100
> Julien dupont <marcelvierzon at gmail.com> wrote:
>
> > In that case I see:
> > IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id2135, seq1, length 64
> > IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id2135, seq2, length 64
> > IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id2135, seq3, length 64
> >
> > Packet goes through but no PONG back if I understand correctly. That's
> > probably where it goes wrong.
>
> Yes, the final response is missing.
> But the above output also lacks the forwarded packets (into your
> 192.168.1.0/24 subnet).
> Thus I could imagine that at least one of the following items is true:
> * "ip_forward" (/proc/sys/net/ipv4/ip_forward) is not enabled on 192.168.1.3
> * firewall rules do not allow such packets to be forwarded (see the output of
>   "iptables -L -vn") on 192.168.1.3
>
>
> > On VPN_office 'tcpdump -npi any icmp', on 192.168.1.100 'ping 172.16.0.3':
> > 192.168.1.100 > 172.16.0.3: ICMP echo request, id 11452, seq1, length 64
> > 192.168.1.100 > 172.16.0.3: ICMP echo request, id 11452, seq2, length 64
> > 192.168.1.100 > 172.16.0.3: ICMP echo request, id 11452, seq3, length 64
> > ...
>
> This indicates that your packets are leaving the host.
> The next steps would be to check at which point they (or their response) get lost.
>
>
> Cheers,
> Lars
>
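
Added example, not part of the original message or of tinc: a small Python audit of `iptables -L -vn` text for the two things the suggested FORWARD check looks at, namely rule order and packet counters. The sample is the FORWARD chain posted above with the e-mail line wraps joined; `parse_chain` and `audit` are hypothetical helper names, and the check looks only at the named chain's own rules without following jumps into user chains.

```python
# Sample: the FORWARD chain as posted above, with e-mail line wraps joined.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0     0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
    0     0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    0     0 ACCEPT all -- VPN_Main * 0.0.0.0/0 0.0.0.0/0
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ANY = ("all", "*", "*", "0.0.0.0/0", "0.0.0.0/0")

def parse_chain(listing, chain):
    """Return the rules of one chain from `iptables -L -vn` text, in order."""
    rules, inside = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            inside = line.split()[1] == chain
            continue
        f = line.split()  # pkts bytes target prot opt in out src dst [extras]
        if not inside or len(f) < 9 or f[0] == "pkts":
            continue
        extras = f[9:]
        # "reject-with ..." is a target option, not a match condition
        matches = [] if extras[:1] == ["reject-with"] else extras
        catch_all = (f[3], f[5], f[6], f[7], f[8]) == ANY and not matches
        rules.append({"pkts": f[0], "target": f[2], "catch_all": catch_all,
                      "text": " ".join(f[2:])})
    return rules

def audit(listing, chain="FORWARD"):
    """Flag rules placed after an unconditional verdict, and all-zero counters."""
    rules = parse_chain(listing, chain)
    findings, blocker = [], None
    for n, r in enumerate(rules, 1):
        if blocker:
            findings.append(f"rule {n} ({r['text']}) unreachable after rule {blocker}")
        elif r["target"] in TERMINAL and r["catch_all"]:
            blocker = n
    if rules and all(r["pkts"] == "0" for r in rules):
        findings.append(f"every rule counter in {chain} is 0")
    return findings
```

On a live host the same functions can be fed the output of `iptables -L -vn` captured while the ping is running, so the counters reflect the test traffic.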