Cannot access other computers on LAN
Julien dupont
marcelvierzon at gmail.com
Tue Jan 15 16:33:26 CET 2019
ip_forward was not enabled, now it is. Still same result:
On VPN_office I use 'tcpdump -npi any icmp and host 192.168.1.1' and ping
192.168.1.1 from the client:
5:28:42.646203 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 1, length 64
15:28:43.663014 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 2, length 64
15:28:44.688133 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 3, length 64
15:28:45.714886 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 4, length 64
15:28:46.738332 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 5, length 64
15:28:47.756378 IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id 1584, seq 6, length 64
'iptables -L -vn' yields:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  799  156K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   22  1592 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1592 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1592 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   224 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   17  1140 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  VPN_Main *     0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 896 packets, 195K bytes)
 pkts bytes target     prot opt in     out     source               destination
  898  195K OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  p8p1   *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      p8p1    0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  1140 IN_public  all  --  p8p1   *       0.0.0.0/0            0.0.0.0/0           [goto]
    5   452 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
   22  1592 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1592 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1592 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

On Tue, 15 Jan 2019 at 13:49, Lars Kruse <lists at sumpfralle.de> wrote:
> Hello Julien,
>
>
> On Tue, 15 Jan 2019 09:30:23 +0100,
> Julien dupont <marcelvierzon at gmail.com> wrote:
>
> > In that case I see:
> > IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id2135, seq1, length 64
> > IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id2135, seq2, length 64
> > IP 172.16.0.3 > 192.168.1.1: ICMP echo request, id2135, seq3, length 64
> >
> > Packet goes through but no PONG back if I understand correctly. That's
> > probably where it goes wrong.
>
> Yes, the final response is missing.
> But the above output also lacks the forwarded packets (into your
> 192.168.1.0/24 subnet).
> Thus I could imagine that at least one of the following items is true:
> * "ip_forward" (/proc/sys/net/ipv4/ip_forward) is not enabled on 192.168.1.3
> * firewall rules do not allow such packets to be forwarded (see the output of
>   "iptables -L -vn") on 192.168.1.3
>
>
> > On VPN_office 'tcpdump -npi any icmp', on 192.168.1.100 'ping 172.16.0.3':
> > 192.168.1.100 > 172.16.0.3: ICMP echo request, id 11452, seq1, length 64
> > 192.168.1.100 > 172.16.0.3: ICMP echo request, id 11452, seq2, length 64
> > 192.168.1.100 > 172.16.0.3: ICMP echo request, id 11452, seq3, length 64
> > ...
>
> This indicates that your packets are leaving the host.
> The next steps would be to check at which point they (or their response) get
> lost.
>
>
> Cheers,
> Lars
>
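
An added example, not part of the original messages: one way to read the FORWARD chain of an 'iptables -L -vn' listing like the one above, flagging rules that sit after an unconditional ACCEPT/DROP/REJECT (and so can never match) and totalling the packet counters. The function names are hypothetical; the sample input is the FORWARD and OUTPUT chains from the listing, one rule per line.

```python
import re

# FORWARD and OUTPUT chains from the listing in the message above, one rule per line.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
    0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    0 0 ACCEPT all -- VPN_Main * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 896 packets, 195K bytes)
 pkts bytes target prot opt in out source destination
  898 195K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}  # counter suffixes printed without -x

def count(field):  # '156K' -> 156000
    return int(field[:-1]) * UNITS[field[-1]] if field[-1] in UNITS else int(field)

def parse_chain(listing, chain):
    """Return the rules of one chain, in evaluation order."""
    rules, active = [], False
    for f in map(str.split, listing.splitlines()):
        if f and f[0] == "Chain":
            active = f[1] == chain
        elif active and len(f) >= 9 and f[0] != "pkts":
            # reject-with and [goto] modify the target; anything else left is a match
            cond = re.sub(r"reject-with \S+|\[goto\]", "", " ".join(f[9:])).strip()
            catch_all = f[3] == "all" and f[5:9] == ["*", "*", "0.0.0.0/0", "0.0.0.0/0"] and not cond
            rules.append({"pkts": count(f[0]), "target": f[2], "in": f[5], "catch_all": catch_all})
    return rules

def shadowed(rules):
    """Rules placed after an unconditional ACCEPT/DROP/REJECT never match."""
    for i, r in enumerate(rules):
        if r["target"] in TERMINAL and r["catch_all"]:
            return rules[i + 1:]
    return []

def total_hits(rules):  # 0 means no packet has matched any rule in the chain
    return sum(r["pkts"] for r in rules)
```

The check only looks at the top-level chain: chains jumped to before the catch-all rule (the zone chains in this listing) can still accept traffic, so a shadowed rule is a finding about that rule, not proof that a flow is blocked.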