<div dir="ltr">Here is an extract of my current iptables that are not working:<div><br></div><div><pre>iptables -L -n -v

Chain INPUT (policy DROP 8 packets, 1120 bytes)
 pkts bytes target     prot opt in     out    source              destination
    0     0 ACCEPT     tcp  --  lo     *      0.0.0.0/0           0.0.0.0/0           tcp dpt:3306
    0     0 ACCEPT     udp  --  lo     *      0.0.0.0/0           0.0.0.0/0           udp dpt:3306
    0     0 NRPE       tcp  --  *      *      0.0.0.0/0           0.0.0.0/0           tcp dpt:5666
    0     0 ACCEPT     icmp --  *      *      x.x.x.x             0.0.0.0/0           icmptype 8
    0     0 ACCEPT     icmp --  *      *      127.0.0.1           0.0.0.0/0           icmptype 8
    0     0 ACCEPT     icmp --  *      *      10.0.3.0/24         0.0.0.0/0           icmptype 8
    0     0 ACCEPT     tcp  --  *      *      10.0.3.0/24         0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *      10.0.3.0/24         0.0.0.0/0
    0     0 DROP       icmp --  *      *      0.0.0.0/0           0.0.0.0/0           icmptype 8
    0     0 ACCEPT     icmp --  *      *      x.x.x.x             0.0.0.0/0           icmptype 8
    0     0 ACCEPT     icmp --  *      *      0.0.0.0/0           0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *      0.0.0.0/0           0.0.0.0/0           tcp spt:5666
    0     0 ACCEPT     tcp  --  eth0   *      0.0.0.0/0           0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED
  192 13741 ACCEPT     tcp  --  eth0   *      0.0.0.0/0           0.0.0.0/0           tcp dpt:2222 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *      0.0.0.0/0           0.0.0.0/0           tcp dpt:80 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *      0.0.0.0/0           0.0.0.0/0           tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *      0.0.0.0/0           0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 *     0.0.0.0/0           0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *      0.0.0.0/0           0.0.0.0/0           udp spt:53
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0           0.0.0.0/0           tcp dpt:80 limit: avg 25/min burst 100
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0           0.0.0.0/0           udp spt:123
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0           0.0.0.0/0           tcp spt:25
    0     0 ACCEPT     tcp  --  eth0   *      0.0.0.0/0           0.0.0.0/0           tcp spt:22 state ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *      0.0.0.0/0           0.0.0.0/0           tcp spt:2222 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0           0.0.0.0/0           tcp dpt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT     udp  --  *      *      0.0.0.0/0           0.0.0.0/0           udp dpt:655 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *      0.0.0.0/0           0.0.0.0/0           tcp spt:80 state ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *      0.0.0.0/0           0.0.0.0/0           tcp spt:443 state ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source              destination
    0     0 ACCEPT     all  --  *      docker0 0.0.0.0/0          172.17.0.0/16       ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 *     172.17.0.0/16       0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0 0.0.0.0/0         0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source              destination
    0     0 NRPE       tcp  --  *      *      0.0.0.0/0           0.0.0.0/0           tcp spt:5666
    0     0 ACCEPT     tcp  --  *      *      10.0.3.0/24         0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *      10.0.3.0/24         0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *      0.0.0.0/0           0.0.0.0/0           icmptype 0
    0     0 ACCEPT     icmp --  *      *      0.0.0.0/0           0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0   0.0.0.0/0           0.0.0.0/0           tcp dpt:5666
    0     0 ACCEPT     tcp  --  *      eth0   0.0.0.0/0           0.0.0.0/0           tcp spt:22 state ESTABLISHED
  140 44173 ACCEPT     tcp  --  *      eth0   0.0.0.0/0           0.0.0.0/0           tcp spt:2222 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0   0.0.0.0/0           0.0.0.0/0           tcp spt:80 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0   0.0.0.0/0           0.0.0.0/0           tcp spt:443 state ESTABLISHED
    0     0 ACCEPT     all  --  *      lo     0.0.0.0/0           0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0 0.0.0.0/0          0.0.0.0/0
    0     0 ACCEPT     udp  --  *      eth0   0.0.0.0/0           0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0           0.0.0.0/0           udp dpt:123
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0           0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  *      eth0   0.0.0.0/0           0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0   0.0.0.0/0           0.0.0.0/0           tcp dpt:2222 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0           0.0.0.0/0           tcp spt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT     udp  --  *      *      0.0.0.0/0           0.0.0.0/0           udp spt:655 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0   0.0.0.0/0           0.0.0.0/0           tcp dpt:80 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0   0.0.0.0/0           0.0.0.0/0           tcp dpt:443 state NEW,ESTABLISHED

Chain NRPE (2 references)
 pkts bytes target     prot opt in     out    source              destination
    0     0 ACCEPT     all  --  *      *      0.0.0.0/0           x.x.x.x
    0     0 ACCEPT     all  --  *      *      x.x.x.x             0.0.0.0/0
    0     0 DROP       all  --  *      *      0.0.0.0/0           0.0.0.0/0


iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 6 packets, 1831 bytes)
 pkts bytes target     prot opt in     out    source              destination

Chain INPUT (policy ACCEPT 4 packets, 1348 bytes)
 pkts bytes target     prot opt in     out    source              destination

Chain OUTPUT (policy ACCEPT 14 packets, 856 bytes)
 pkts bytes target     prot opt in     out    source              destination

Chain POSTROUTING (policy ACCEPT 2 packets, 136 bytes)
 pkts bytes target     prot opt in     out    source              destination
</pre></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 30, 2017 at 2:05 PM, Dave Albert <span dir="ltr">&lt;<a href="mailto:dave.albert@gmail.com" target="_blank">dave.albert@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I've been able to get tinc set up when I flush all my iptables, but after enabling iptables and a delay I get a "Destination Net Unknown". I have three hosts (HOME 10.0.3.2, MASTER 10.0.3.1, WEB 10.0.3.3). MASTER and WEB are in Digital Ocean in the same data centre.</div><div><br></div><div>HOME &lt;---&gt; MASTER &lt;---&gt; WEB</div><div><br></div><div>I've tried multiple forwarding/masquerading/etc. rules and don't understand what I'm missing.</div><div><br></div><div>When iptables are enabled (same rules on MASTER and WEB) I get the following results:</div><div><br></div><div><div>HOME $ ping 10.0.3.1 ==&gt; Success</div><div>HOME $ ping 10.0.3.3 ==&gt; Destination Net Unknown</div></div><div><br></div><div><div>MASTER $ ping 10.0.3.2 ==&gt; Success</div><div>MASTER $ ping 10.0.3.3 ==&gt; Destination Net Unknown</div></div><div><br></div><div><div>WEB $ ping 10.0.3.1 ==&gt; Destination Net Unknown</div><div>WEB $ ping 10.0.3.2 ==&gt; Destination Net Unknown</div></div><div><br></div><div>It's not just ICMP, though; I get the same results for "nc -vz x.x.x.x 22".</div><div><br></div><div>I'd appreciate any help.</div><div><br></div><div>Thanks,</div><div>Dave</div></div>
</blockquote></div><br></div>
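<p>A ruleset like the one listed above is easier to audit mechanically than by eye. The following is an added example, not code from this thread or from the tinc project: it parses the <code>iptables -L -n -v</code> format and walks a synthetic packet through a chain the way netfilter does (first matching rule wins; a jump into a user chain such as NRPE falls back to the caller when nothing in it matches; the chain policy decides when no rule matches). The embedded ruleset is an excerpt of the INPUT, OUTPUT and NRPE chains posted above, with the masked monitoring host <code>x.x.x.x</code> replaced by the constructed address 192.0.2.10; the packets and their public addresses are constructed, and the outbound meta-connection packet assumes that tinc connects to a peer's port 655 from an ephemeral source port. Rate-limit matches are treated as always matching, which is a simplification.</p>

```python
"""Replay synthetic packets through an ``iptables -L -n -v`` dump and report the verdict
and the rule (or chain policy) that produced it.  Added example, not code from the thread;
the ruleset excerpts the posted listing, with the masked host x.x.x.x replaced by 192.0.2.10."""
import ipaddress

RULESET = """\
Chain INPUT (policy DROP 8 packets, 1120 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT tcp -- * * 10.0.3.0/24 0.0.0.0/0
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:655 state NEW,ESTABLISHED
 6 8976 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:655 state NEW,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 NRPE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:5666
 0 0 ACCEPT tcp -- * * 10.0.3.0/24 0.0.0.0/0
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:655 state NEW,ESTABLISHED
 6 8976 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:655 state NEW,ESTABLISHED

Chain NRPE (2 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 192.0.2.10
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

def parse_ruleset(text):
    """Return {chain: (policy, rules)}; policy is None for user-defined chains."""
    chains, current = {}, None
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "pkts":
            continue
        if f[0] == "Chain":  # "Chain NAME (policy X ...)" or "Chain NAME (N references)"
            current = f[1]
            chains[current] = (f[3] if f[2] == "(policy" else None, [])
            continue
        # `-L -n -v` columns: pkts bytes target prot opt in out source destination [matches]
        rule = {"raw": " ".join(f[2:]), "target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                "src": f[7], "dst": f[8], "sport": None, "dport": None, "states": None, "icmptype": None}
        extras = f[9:]
        for i, tok in enumerate(extras):
            if tok.startswith("spt:"):
                rule["sport"] = int(tok[4:])
            elif tok.startswith("dpt:"):
                rule["dport"] = int(tok[4:])
            elif tok in ("state", "ctstate"):
                rule["states"] = set(extras[i + 1].split(","))
            elif tok == "icmptype":
                rule["icmptype"] = int(extras[i + 1])
        chains[current][1].append(rule)  # "limit:" matches are treated as always true
    return chains

def rule_matches(rule, pkt):
    """True when every criterion the rule specifies agrees with the packet."""
    if rule["proto"] not in ("all", pkt["proto"]):
        return False
    for key in ("in", "out"):  # "*" is any interface; OUTPUT packets have no "in", INPUT no "out"
        if rule[key] != "*" and rule[key] != pkt[key]:
            return False
    for key in ("src", "dst"):
        if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key], strict=False):
            return False
    for key in ("sport", "dport", "icmptype"):
        if rule[key] is not None and rule[key] != pkt.get(key):
            return False
    return rule["states"] is None or pkt["state"] in rule["states"]

def evaluate(chains, chain, pkt):
    """Walk `chain` in order, following jumps into user chains; (None, None) is an implicit RETURN."""
    policy, rules = chains[chain]
    for n, rule in enumerate(rules, 1):
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], f"{chain} rule {n}: {rule['raw']}"
        if rule["target"] in chains:  # jump into a user-defined chain
            verdict, why = evaluate(chains, rule["target"], pkt)
            if verdict is not None:
                return verdict, why
    return (policy, f"{chain} policy {policy}") if policy else (None, None)

def packet(proto, src, dst, sport, dport, state, in_=None, out=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "state": state, "in": in_, "out": out}

# Constructed packets; public addresses are RFC 5737 documentation ranges.  The outbound
# meta-connection is assumed to leave from an ephemeral source port, as tinc does.
PACKETS = {
    "meta out": ("OUTPUT", packet("tcp", "203.0.113.1", "198.51.100.2", 40123, 655, "NEW", out="eth0")),
    "meta in": ("INPUT", packet("tcp", "198.51.100.2", "203.0.113.1", 40123, 655, "NEW", in_="eth0")),
    "udp out": ("OUTPUT", packet("udp", "203.0.113.1", "198.51.100.2", 655, 655, "NEW", out="eth0")),
    "nrpe reply": ("OUTPUT", packet("tcp", "203.0.113.1", "192.0.2.10", 5666, 51000, "ESTABLISHED", out="eth0")),
}

def verdicts():
    """Evaluate every constructed packet: {name: (verdict, explanation)}."""
    chains = parse_ruleset(RULESET)
    return {name: evaluate(chains, chain, p) for name, (chain, p) in PACKETS.items()}

if __name__ == "__main__":
    for name, (verdict, why) in verdicts().items():
        print(f"{name:<11} {verdict:<7} via {why}")
```

<p>Run as a script it prints one line per packet with the verdict and the rule or policy that decided it, so the reader can see which direction of the port 655 traffic each chain admits before touching a live host. To audit a real ruleset, replace <code>RULESET</code> with the output of <code>iptables -L -n -v</code> and add packets for the flows the service needs.</p>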