Gentoo Forums
iptables issues - Not getting to the POSTROUTING table
msalerno
Veteran


Joined: 17 Dec 2002
Posts: 1338
Location: Sweating in South Florida

Posted: Mon Aug 17, 2015 1:21 pm    Post subject: iptables issues - Not getting to the POSTROUTING table

I just got an account with a VPN provider and I'm trying to get things working. On my server (192.168.10.2) the VPN is connecting and working as expected. The next step is to set it up so that other systems on my LAN can use it for specific routes. I've read just about every tutorial on setting up your system as a VPN gateway but for some reason nothing is working.

LAN: 192.168.10.0/24
Internet Router (wifi & switch): 192.168.10.1
Server with VPN Client: 192.168.10.2
- Static VPN interface: tun2 (I'm going to add a bunch more once I get this working)

Current Routing table with VPN connected:
Code:
0.0.0.0/1 via 10.9.0.9 dev tun2
default via 192.168.10.1 dev eth0  proto static
10.9.0.1 via 10.9.0.9 dev tun2
10.9.0.9 dev tun2  proto kernel  scope link  src 10.9.0.10
80.84.53.114 via 192.168.10.1 dev eth0
128.0.0.0/1 via 10.9.0.9 dev tun2
192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.2


On the server running the VPN client:
Quote:
net.ipv4.ip_forward = 1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE


Ultimately I want to set up selective routing, but first I need to make sure it's working. On my laptop (192.168.10.248) I change the default gateway from 192.168.10.1 to 192.168.10.2. With the updated default gateway on my laptop (192.168.10.248) I cannot ping, traceroute or connect to http. All of them just time out. I'm not even seeing the hop to 192.168.10.2 on the traceroute. I can still ping all the hosts on my same subnet, but I can't route out. I have tried many variations of the iptables rules with no success. I'm wondering what else I am missing and hoping someone can offer some help.

Thanks


Last edited by msalerno on Thu Aug 20, 2015 6:25 pm; edited 1 time in total
MrUlterior
Guru


Joined: 22 Mar 2005
Posts: 511
Location: Switzerland

Posted: Wed Aug 19, 2015 2:52 pm

What's the output of ping/tracepath to 10.9.0.1 and 10.9.0.9 respectively from the laptop?
Also, which DNS servers is it pointed at? I had a similar problem to yours because I had to make an exception for my laptop's DNS queries.
_________________

Misanthropy 2.0 - enough hate to go around
msalerno
Veteran


Joined: 17 Dec 2002
Posts: 1338
Location: Sweating in South Florida

Posted: Thu Aug 20, 2015 5:22 pm

I'll add as much detail as possible. From what I see, it looks like the inbound requests never hit the POSTROUTING table. I'm not sure if it's due to my logging or something else.

Test case:

From laptop (192.168.10.248):
Code:
telnet 173.194.219.102 80


Laptop Route:
Code:
default via 192.168.10.2 dev wls1
192.168.10.0/24 dev wls1  proto kernel  scope link  src 192.168.10.248  metric 303


Server with VPN client (192.168.10.2):
Interfaces:
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b8:27:eb:6f:d9:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.2/24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever
4: tun2@NONE: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.9.0.42 peer 10.9.0.41/32 scope global tun2
       valid_lft forever preferred_lft forever


Route:
Code:
0.0.0.0/1 via 10.9.0.41 dev tun2
default via 192.168.10.1 dev eth0  proto static
10.9.0.1 via 10.9.0.41 dev tun2
10.9.0.41 dev tun2  proto kernel  scope link  src 10.9.0.42
109.73.77.138 via 192.168.10.1 dev eth0
128.0.0.0/1 via 10.9.0.41 dev tun2
192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.2


iptables rules
- I'm positive I have too many log entries, but I didn't think they could hurt.
Code:
*mangle
:PREROUTING ACCEPT [647:54629]
:INPUT ACCEPT [642:54329]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [590:94392]
:POSTROUTING ACCEPT [590:94392]
COMMIT
# Completed on Thu Aug 20 12:21:59 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 12:21:59 2015
*nat
:PREROUTING ACCEPT [8:1239]
:INPUT ACCEPT [3:939]
:OUTPUT ACCEPT [2:152]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j LOG --log-prefix "IPTables-PREROUTING: " --log-level 7
-A PREROUTING -j LOG --log-prefix "IPTables-PREROUTING: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IPTables-OUTPUT: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IPTables-OUTPUT: " --log-level 7
-A POSTROUTING -j LOG --log-prefix "IPTables-POSTROUTING: " --log-level 7
-A POSTROUTING -j LOG --log-prefix "IPTables-POSTROUTING: " --log-level 7
-A POSTROUTING -o tun2 -j MASQUERADE
COMMIT
# Completed on Thu Aug 20 12:21:59 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 12:21:59 2015
*filter
:INPUT ACCEPT [489:44681]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [354:52630]
-A INPUT -j LOG --log-prefix "IPTables-INPUT: " --log-level 7
-A INPUT -j LOG --log-prefix "IPTables-INPUT: " --log-level 7
-A FORWARD -j LOG --log-prefix "IPTables-FORWARD: " --log-level 7
-A FORWARD -j LOG --log-prefix "IPTables-FORWARD: " --log-level 7
-A FORWARD -i eth0 -o tun2 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPTables-OUTPUT: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IPTables-OUTPUT: " --log-level 7
COMMIT


Kernel log results of executing the telnet command from my laptop:
Code:
Aug 20 12:12:13 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=30454 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:13 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=30454 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:14 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:14 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:15 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:1e:40:00:40:06:10:d4 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54558 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:15 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:1e:40:00:40:06:10:d4 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54558 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:16 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:1f:40:00:40:06:10:d3 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54559 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:16 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:1f:40:00:40:06:10:d3 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54559 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:18 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:20:40:00:40:06:10:d2 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54560 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:18 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:20:40:00:40:06:10:d2 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54560 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:18 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=31015 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:18 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=31015 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:20 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:20 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:22 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:21:40:00:40:06:10:d1 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54561 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:22 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:21:40:00:40:06:10:d1 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54561 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:23 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=31114 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:23 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=31114 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:26 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:26 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:29 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=31532 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:29 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=31532 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:30 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:22:40:00:40:06:10:d0 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54562 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:30 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:22:40:00:40:06:10:d0 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54562 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:32 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:35 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:35 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=31613 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:35 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=31613 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:37 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:37 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:39 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=32068 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:39 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=32068 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:42 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:42 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
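The diagnostic msalerno is doing by eye in the kernel log above (which netfilter chains a given flow was logged in) can be automated. The following is an added example, not code from the thread: it parses `LOG` target lines of the kind shown above into per-flow chain sets and flags transit flows that entered through PREROUTING but never appeared in FORWARD or POSTROUTING. The sample input is a representative subset of the log lines posted in this thread (one line per flow and chain; the originals are duplicated because every chain carries two identical LOG rules). The set of local addresses passed to `stalled_transit_flows` is taken from the interface listing in the post.

```python
import re
from collections import defaultdict

# Subset of the kernel LOG lines posted in the thread (copied, not invented):
# the server's own VPN control traffic (OUTPUT/INPUT) and the laptop's SYN
# towards 173.194.219.102:80, which shows up in PREROUTING only.
SAMPLE_LOG = """\
Aug 20 12:12:13 MyVPN kernel: IPTables-OUTPUT: IN= OUT=eth0 SRC=192.168.10.2 DST=109.73.77.138 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=30454 DF PROTO=UDP SPT=59751 DPT=443 LEN=61
Aug 20 12:12:14 MyVPN kernel: IPTables-INPUT: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:08:60:6e:20:e2:40:08:00:45:20:00:51:00:00:40:00:34:11:c0:fe SRC=109.73.77.138 DST=192.168.10.2 LEN=81 TOS=0x00 PREC=0x20 TTL=52 ID=0 DF PROTO=UDP SPT=443 DPT=59751 LEN=61
Aug 20 12:12:15 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:1e:40:00:40:06:10:d4 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54558 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 20 12:12:16 MyVPN kernel: IPTables-PREROUTING: IN=eth0 OUT= MAC=b8:27:eb:6f:d9:0f:00:24:2b:a3:6c:2a:08:00:45:00:00:3c:d5:1f:40:00:40:06:10:d3 SRC=192.168.10.248 DST=173.194.219.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54559 DF PROTO=TCP SPT=43268 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The chain name is whatever followed "IPTables-" in the --log-prefix; the rest
# of the line is a sequence of KEY=VALUE tokens plus bare flags (DF, SYN, ...).
LINE_RE = re.compile(r"IPTables-(?P<chain>[A-Z]+):\s*(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return (chain, {field: value}) for a netfilter LOG line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Bare flags such as DF and SYN have no '=' and are skipped; a repeated key
    # (LEN appears twice: IP length and L4 length) keeps its last value.
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return m.group("chain"), fields


def chains_per_flow(log_text):
    """Map each directional flow (src, dst, proto, dport) to the chains it hit."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        chain, f = parsed
        key = (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"))
        seen[key].add(chain)
    return dict(seen)


def stalled_transit_flows(log_text, local_addrs):
    """Flows that arrived in PREROUTING for a non-local destination but were
    never seen in FORWARD or POSTROUTING, i.e. they died between the routing
    decision and the forwarding path."""
    stalled = []
    for key, chains in chains_per_flow(log_text).items():
        _src, dst, _proto, _dport = key
        if dst in local_addrs:
            continue  # destined to this host: INPUT path, not a transit flow
        if "PREROUTING" in chains and not chains & {"FORWARD", "POSTROUTING"}:
            stalled.append(key)
    return stalled


if __name__ == "__main__":
    # Local addresses taken from the interface listing in the post.
    local = {"127.0.0.1", "192.168.10.2", "10.9.0.42"}
    for flow, chains in chains_per_flow(SAMPLE_LOG).items():
        print(flow, sorted(chains))
    print("stalled transit flows:", stalled_transit_flows(SAMPLE_LOG, local))
```

One caveat when reading the output: the POSTROUTING LOG rules in the posted ruleset live in the `nat` table, and nat chains are only traversed by the first packet of a connection, so a missing nat POSTROUTING entry for an already-established flow is normal. Here the flagged flow consists of fresh SYNs, so the absence of any FORWARD entry in the `filter` table (which every packet traverses) is the meaningful signal: the packets are not being forwarded at all.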
gordonb3
Apprentice


Joined: 01 Jul 2015
Posts: 185

Posted: Fri Aug 21, 2015 7:34 am

A bit puzzled about how this construction got into your routing table:
Code:
0.0.0.0/1 via 10.9.0.9 dev tun2
128.0.0.0/1 via 10.9.0.9 dev tun2

This effectively routes everything through tun2; however, you also have a default route defined through eth0. The fact that POSTROUTING is never hit in your logs indicates that the box is in fact not routing, which in turn says that the default route appears to have preference. A good start would be to delete that default route and add a static route to your VPN peer instead. Then verify that your VPN is actually functional, because I don't see tun2 anywhere in your log.
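The 0.0.0.0/1 plus 128.0.0.0/1 pair discussed above is the standard trick a VPN client uses to override a default route without deleting it: each half covers half of the IPv4 space with a /1 prefix, which is longer than the /0 of `default`, so longest-prefix matching prefers it. The following is an added example (not code from the thread or from any VPN client) that parses the `ip route` output msalerno posted and resolves a few destinations with plain longest-prefix matching, including the case where the default route is dropped as suggested. It models the routing decision only; it ignores metrics, `ip rule` policy routing, `rp_filter` and whether tun2 is actually up, so it shows where a packet should go, not why FORWARD was never hit.

```python
import ipaddress

# The server's routing table exactly as posted in the thread (ip route output).
ROUTE_TABLE = """\
0.0.0.0/1 via 10.9.0.41 dev tun2
default via 192.168.10.1 dev eth0  proto static
10.9.0.1 via 10.9.0.41 dev tun2
10.9.0.41 dev tun2  proto kernel  scope link  src 10.9.0.42
109.73.77.138 via 192.168.10.1 dev eth0
128.0.0.0/1 via 10.9.0.41 dev tun2
192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.2
"""


def parse_routes(text):
    """Parse 'ip route' lines into dicts with a network, a next hop and a device."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        route = {"net": net, "via": None, "dev": None}
        for i, tok in enumerate(parts[1:], start=1):
            if tok == "via":
                route["via"] = parts[i + 1]
            elif tok == "dev":
                route["dev"] = parts[i + 1]
        routes.append(route)
    return routes


def lookup(routes, dst):
    """Longest-prefix match: return (dev, via, matched_prefix) or None.
    Ties on prefix length fall to the first listed route (the kernel would
    break them by metric, which this model ignores)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r["net"].prefixlen)
    return best["dev"], best["via"], str(best["net"])


def covers_all_ipv4(routes, dev):
    """True when routes on dev include both /1 halves, i.e. every destination
    not covered by a more specific route goes to dev regardless of 'default'."""
    prefixes = {str(r["net"]) for r in routes if r["dev"] == dev}
    return {"0.0.0.0/1", "128.0.0.0/1"} <= prefixes


def without_default(routes):
    """The same table with the /0 default route removed."""
    return [r for r in routes if r["net"].prefixlen > 0]


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("173.194.219.102", "8.8.8.8", "109.73.77.138", "192.168.10.248"):
        print(dst, "->", lookup(table, dst))
    print("tun2 overrides default:", covers_all_ipv4(table, "tun2"))
    print("without default, VPN peer still via:", lookup(without_default(table), "109.73.77.138"))
```

Two things the lookup makes explicit: the laptop's destination 173.194.219.102 already resolves to tun2 under longest-prefix matching, and the VPN peer 109.73.77.138 keeps its own /32 host route via eth0, so removing the /0 default route does not break the tunnel itself.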