mustang01 (n00b, joined 19 Aug 2019, 42 posts)
Posted: Sat Sep 14, 2019 1:27 pm
Post subject: dual wan

[Moderator note: this post, and only this post, was originally attached to the Documentation, Tips, & Tricks topic HOWTO setup dual wan, but it is a support request, not documentation or a correction to that post. -Hu]
Hello, I am trying to set up a dual WAN in my network.
I have two routers on 192.168.1.1/30 and 192.168.2.1/30. My IP addresses are 192.168.1.2 and 192.168.2.2. The LAN address is 192.168.0.1/27. When I run the firewall script I get an error.
Script:
Code:
#!/bin/bash
#tools
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
###interfaces
WAN0="enp6s0"; WAN0_IP="192.168.1.2"
WAN1="enp5s0"; WAN1_IP="192.168.2.2"
LAN="enp1s0"
###clearing iptables
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IP6TABLES -F
$IP6TABLES -t mangle -F
$IP6TABLES -X
$IP6TABLES -t mangle -X
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT ACCEPT
$IP6TABLES -P FORWARD DROP
###nat
$IPTABLES -t nat -A POSTROUTING -o $WAN0 -j SNAT --to-source $WAN0_IP
$IPTABLES -t nat -A POSTROUTING -o $WAN1 -j SNAT --to-source $WAN1_IP
###mangle (used for load balancing)
$IPTABLES -t mangle -A POSTROUTING -o $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
$IPTABLES -t mangle -A POSTROUTING -o $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
$IPTABLES -t mangle -A PREROUTING -i $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
$IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
$IPTABLES -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
###must have rules
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 -j ACCEPT
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
###internet access
$IPTABLES -A FORWARD -i $LAN -o $WAN0 ! -d 192.168.0.0/16 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $WAN1 ! -d 192.168.0.0/16 -j ACCEPT
###default reject
$IPTABLES -A INPUT -j REJECT
$IPTABLES -A FORWARD -j REJECT
$IP6TABLES -A INPUT -j REJECT
$IP6TABLES -A FORWARD -j REJECT
Error:
Code:
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Please help me.
Hu (Moderator, joined 06 Mar 2007, 21607 posts)
Posted: Sat Sep 14, 2019 3:54 pm
Post subject: Re: dual wan

mustang01 wrote:
> When I run the firewall script I get an error.

You should not use a script to set iptables rules. You should use iptables-restore. By using a script, you allow failures to leave your firewall in an inconsistent state. Your script is missing set -e. Under the circumstances, you may want to place that after the firewall is placed in a fail-secure state.

mustang01 wrote:
> Code:
> WAN0="enp6s0"; WAN0_IP="192.168.1.2"
> WAN1="enp5s0"; WAN1_IP="192.168.2.2"

I hope these are placeholder addresses for the purpose of the post. Those are still private IP addresses, and are unlikely to be real WAN addresses.

mustang01 wrote:
> Code:
> ###mangle (used for load balancing)
> $IPTABLES -t mangle -A POSTROUTING -o $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
> $IPTABLES -t mangle -A POSTROUTING -o $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
> $IPTABLES -t mangle -A PREROUTING -i $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
> $IPTABLES -t mangle -A PREROUTING -i $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
> $IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
> $IPTABLES -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

Where do you read these marks? I do not see any uses of -m connmark.

mustang01 wrote:
> Code:
> ###default reject
> $IPTABLES -A INPUT -j REJECT
> $IPTABLES -A FORWARD -j REJECT
> $IP6TABLES -A INPUT -j REJECT
> $IP6TABLES -A FORWARD -j REJECT

Do you really want REJECT for disallowed traffic coming in from the Internet? You originally set a policy of DROP, but this REJECT preempts that.

mustang01 wrote:
> Error:
> Code:
> iptables: No chain/target/match by that name.
> iptables: No chain/target/match by that name.
> iptables: No chain/target/match by that name.
> iptables: No chain/target/match by that name.
> iptables: No chain/target/match by that name.
> iptables: No chain/target/match by that name.
> Please help me.

Which statements fail? set -e would have stopped it on the first failure. iptables-restore would tell you which line failed. You could also use set -x to make bash print statements as it goes, so that the offending statement will be shown immediately preceding the error message.
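The iptables-restore form of the poster's script that the reply above recommends, as an added example that is not code from the thread: the same interfaces and addresses, a fail-secure ruleset loaded first, the saved connection marks read back with -m connmark, and the chain policy DROP left to handle disallowed traffic instead of a trailing REJECT. The ip rule tables that would consume the marks (fwmark 0x100 and 0x101) are an assumption and are not shown.

```shell
#!/bin/sh
# Added example, not from the thread: the poster's dual-WAN policy as one
# iptables-restore ruleset. Interface names and addresses are the ones from
# the original post; the ip rule tables that consume the marks are assumed.
WAN0="enp6s0"; WAN0_IP="192.168.1.2"
WAN1="enp5s0"; WAN1_IP="192.168.2.2"
LAN="enp1s0"

# Minimal fail-secure state: DROP policies, loopback only. Loaded before the
# real ruleset so that a failure in the real one never leaves the host open.
gen_failsecure() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# The full ruleset. iptables-restore loads each table as a unit, and on an
# error it reports the failing line number, which a plain script does not.
gen_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Read the saved connection mark back into the packet mark, so that replies
# can be routed out the WAN they arrived on (assumed: ip rule add fwmark 0x100
# table 1, ip rule add fwmark 0x101 table 2).
-A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark
-A OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
# New inbound connections are marked with the WAN they arrived on.
-A PREROUTING -i $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
-A PREROUTING -i $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
# New outbound connections record the WAN the routing decision chose.
-A POSTROUTING -o $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
-A POSTROUTING -o $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN0 -j SNAT --to-source $WAN0_IP
-A POSTROUTING -o $WAN1 -j SNAT --to-source $WAN1_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN0 ! -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -i $LAN -o $WAN1 ! -d 192.168.0.0/16 -j ACCEPT
# No trailing reject rule: the chain policy DROP silently discards anything
# not listed above, so unsolicited traffic from the Internet gets no answer.
COMMIT
EOF
}

# Load fail-secure first, then the full ruleset; if the latter is refused
# (for example because the running kernel lacks the CONNMARK target), the
# host stays in the fail-secure state and the error names the bad line.
apply_ruleset() {
    gen_failsecure | iptables-restore || return 1
    gen_ruleset | iptables-restore
}

# Only touch the kernel when explicitly asked, so the file can be sourced
# or inspected without root.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Run with `sh dualwan.sh apply` as root; without the argument it only defines the functions, so `gen_ruleset` can be inspected or piped into `iptables-restore --test` first.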
mustang01 (n00b, joined 19 Aug 2019, 42 posts)
Posted: Sun Oct 06, 2019 2:29 pm
Post subject: Access web server on VPN client through VPN server public IP

Hello, I have a problem setting up a VPN tunnel from a home Gentoo router to an Arch Linux VPS server. On Gentoo, I have a dual WAN: a VDSL (dynamic IP) connection through a modem over PPPoE, and an LTE router (no public IP, blocked ports). I'd like to set up an LTE connection to the VPS server on Arch Linux and unblock the blocked ports for a Gentoo web server.
I would like to use WireGuard because it is the fastest VPN tunnel I know. I use the Net-ISP-Balance script to set up the dual-WAN connection -> https://lstein.github.io/Net-ISP-Balance/.
I used the script from https://github.com/angristan/wireguard-install on Arch Linux to install and configure WireGuard.
I have a problem configuring the VPN connection: after establishing the connection I cannot browse the web. Please help.
Gentoo configuration files (home router).
# cat /etc/conf.d/net
Code:
config_enp1s0="192.168.0.1/27"
config_enp5s0="192.168.2.2/24"
routes_enp5s0="default via 192.168.2.1"
dns_servers_enp5s0="185.89.185.1 89.108.195.20"
vlans_enp6s0="2"
config_enp6s0="null"
config_enp6s0_2="192.168.1.2/30"
config_ppp0="ppp"
link_ppp0="enp6s0"
plugins_ppp0="pppoe"
username_ppp0='*******@neostrada.pl'
password_ppp0='*******'
pppd_ppp0="
noauth
defaultroute
usepeerdns
mtu 1492
holdoff 3
child-timeout 60
lcp-echo-interval 15
lcp-echo-failure 3
noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp"
rc_net_ppp0_need="net.enp6s0"
# cat /etc/balance.conf
Code:
## Net::ISP::Balance configuration file
## edit it as needed to describe your router setup
## This table defines the LAN and IP services.
## Uncomment by removing hash symbols (#) and then edit as needed
## service device role ping-ip weight gateway
CABLE enp5s0 isp 172.217.20.163 1 default
DSL ppp0 isp 172.217.20.163 1 default
LAN1 enp1s0 lan
LAN2 enp6s0.2 lan
# The mode controls whether to operate in "balanced" mode in which traffic
# is distributed among the isp services proportional to the weights, or "failover"
# mode in which all traffic is routed through the highest weighted service and
# switches to lower-weighted services only when the higher one(s) are unavailable.
mode=balanced
#mode=failover
## The "forwarding_group" option gives you fine control over how
## packets are forwarded. See the online docs for details. :lan
## means all interfaces marked as "lan" :isp means all interfaces
## marked as "isp" the default (shown below) allows forwarding among
## all lan and isp interfaces
forwarding_group=:lan :isp
## The "mode" option, if present, selects which mode Net-ISP-Balance runs
## in. The choices are "balanced" and "failover".
##
## In "balanced" mode (the default) each interface marked as an ISP
## will be used to balance outgoing and incoming packets. If one goes
## down, the other(s) will be used as failover services. The "weight"
## column in the table above is used to prioritize how packets are
## balanced across the (running) interfaces.
##
## In "failover" mode, only one ISP will be used at a time. The others
## will be used as backups if the primary interface fails. In this case
## the weight is used to select which interface is currently active, with
## the currently running interface with the highest weight being selected.
## These options are passed to lsm, among others.
## the defaults are shown. To change them, uncomment
## and edit.
warn_email=lukasz.mustang@gmail.com
interval_ms=1000
max_packet_loss=15
max_successive_pkts_lost=7
min_packet_loss=5
min_successive_pkts_rcvd=10
#long_down_time=120
# sudo load_balance.pl -d
Code:
echo 0 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/pre-run/pre-run-script.pl ##
## Finished /etc/balance/pre-run/pre-run-script.pl ##
ip route flush all
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
ip route flush table 1
ip route flush table 2
ip route add 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add 83.1.4.248/32 dev ppp0 src 83.21.137.153
ip route add 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip route add default scope global nexthop via 192.168.2.1 dev enp5s0 weight 1 nexthop via 83.1.4.248 dev ppp0 weight 1
ip route add table 1 default dev enp5s0 via 192.168.2.1
ip route add table 1 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 1 83.1.4.248/32 dev ppp0 src 83.21.137.153
ip route add table 1 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 1 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 192.168.2.2 table 1
ip rule add fwmark 1 table 1
ip route add table 2 default dev ppp0 via 83.1.4.248
ip route add table 2 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 2 83.1.4.248/32 dev ppp0 src 83.21.137.153
ip route add table 2 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 2 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 83.21.137.153 table 2
ip rule add fwmark 2 table 2
## Including rules from /etc/balance/routes/01.local_routes ##
# enter any routing commands you might want to go in
# for example:
# ip route add 192.168.100.1 dev eth0 src 198.162.1.14
## Finished /etc/balance/routes/01.local_routes ##
## Including rules from /etc/balance/routes/02.local_routes.pl ##
## Finished /etc/balance/routes/02.local_routes.pl ##
## Including rules from /etc/balance/routes/03.noip.conf ##
ip rule add ipproto UDP dport 7777 table 2
ip rule add to 176.9.5.77 table 2
## Finished /etc/balance/routes/03.noip.conf ##
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -N REJECTPERM
iptables -A REJECTPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "REJECTED: "
iptables -A REJECTPERM -j REJECT --reject-with icmp-net-unreachable
iptables -N DROPGEN
iptables -A DROPGEN -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "GENERAL: "
iptables -A DROPGEN -j DROP
iptables -N DROPINVAL
iptables -A DROPINVAL -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "INVALID: "
iptables -A DROPINVAL -j DROP
iptables -N DROPPERM
iptables -A DROPPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "ACCESS-DENIED: "
iptables -A DROPPERM -j DROP
iptables -N DROPSPOOF
iptables -A DROPSPOOF -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "DROP-SPOOF: "
iptables -A DROPSPOOF -j DROP
iptables -N DROPFLOOD
iptables -A DROPFLOOD -m limit --limit 1/minute -j LOG --log-level 4 --log-prefix "DROP-FLOOD: "
iptables -A DROPFLOOD -j DROP
iptables -N DEBUG
iptables -A DEBUG -j LOG --log-level 3 --log-prefix "DEBUG: "
iptables -t mangle -N MARK-CABLE
iptables -t mangle -A MARK-CABLE -j MARK --set-mark 1
iptables -t mangle -A MARK-CABLE -j CONNMARK --save-mark
iptables -t mangle -N MARK-DSL
iptables -t mangle -A MARK-DSL -j MARK --set-mark 2
iptables -t mangle -A MARK-DSL -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate NEW -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate NEW -j MARK-DSL
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j DROPPERM
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROPFLOOD
iptables -A INPUT -i enp1s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT -o enp1s0 -d 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT -o enp1s0 -d 255.255.255.255/32 -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.0/27 -j ACCEPT
iptables -A INPUT -i enp6s0.2 -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT -o enp6s0.2 -d 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT -o enp6s0.2 -d 255.255.255.255/32 -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT -o enp5s0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp5s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o ppp0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp5s0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o ppp0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp6s0.2 -s 192.168.0.0/27 -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp1s0 -s 192.168.1.0/30 -d 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT -j DROPSPOOF
iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## Including rules from /etc/balance/firewall/01.accept ##
## This file contains iptables statements that add additional firewall rules
# allow incoming domain packets -- needed for DNS resolution
iptables -A INPUT -p udp --source-port domain -j ACCEPT
# allow incoming NTP packets -- needed for net time protocol
iptables -A INPUT -p udp --source-port ntp -j ACCEPT
## Finished /etc/balance/firewall/01.accept ##
## Including rules from /etc/balance/firewall/01.accept.pl ##
iptables -A INPUT -p tcp -s 192.168.0.0/27 --syn --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/30 --syn --dport ssh -j ACCEPT
## Finished /etc/balance/firewall/01.accept.pl ##
## Including rules from /etc/balance/firewall/02.forward.pl ##
iptables -A FORWARD -p udp --source-port domain -d 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -p udp --source-port ntp -d 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -p udp --source-port domain -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -p udp --source-port ntp -d 192.168.1.0/30 -j ACCEPT
## Finished /etc/balance/firewall/02.forward.pl ##
## Including rules from /etc/balance/firewall/04.webserver.conf ##
iptables -A INPUT -p tcp --syn --dport 8885 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 18081 -j ACCEPT
## Finished /etc/balance/firewall/04.webserver.conf ##
echo 1 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/post-run/post-run-script.pl ##
## Finished /etc/balance/post-run/post-run-script.pl ##
lsm process killed
Starting lsm link status monitoring daemon
# ifconfig
Code:
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 255.255.255.224 broadcast 192.168.0.31
inet6 fe80::523e:aaff:fe02:d989 prefixlen 64 scopeid 0x20<link>
ether 50:3e:aa:02:d9:89 txqueuelen 1000 (Ethernet)
RX packets 876523 bytes 110763076 (105.6 MiB)
RX errors 0 dropped 56347 overruns 0 frame 0
TX packets 1475342 bytes 1856439602 (1.7 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.2 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::12bf:48ff:fe4d:2685 prefixlen 64 scopeid 0x20<link>
ether 10:bf:48:4d:26:85 txqueuelen 1000 (Ethernet)
RX packets 677118 bytes 793192929 (756.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 330002 bytes 36277871 (34.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 17 memory 0xf7a00000-f7a20000
enp6s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::12bf:48ff:fe4d:243d prefixlen 64 scopeid 0x20<link>
ether 10:bf:48:4d:24:3d txqueuelen 1000 (Ethernet)
RX packets 870456 bytes 1114483756 (1.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 527544 bytes 64500032 (61.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 18 memory 0xf7900000-f7920000
enp6s0.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.2 netmask 255.255.255.252 broadcast 192.168.1.3
inet6 fe80::12bf:48ff:fe4d:243d prefixlen 64 scopeid 0x20<link>
ether 10:bf:48:4d:24:3d txqueuelen 1000 (Ethernet)
RX packets 1 bytes 42 (42.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1830 bytes 374900 (366.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 118283 bytes 32662516 (31.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 118283 bytes 32662516 (31.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1492
inet 83.21.137.153 netmask 255.255.255.255 destination 83.1.4.248
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 864803 bytes 1091641285 (1.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 520044 bytes 50226273 (47.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# cat /etc/wireguard/wg0-client.conf
Code:
[Interface]
PrivateKey = +BQDgkcjvjic3XYHeiDxthuwyep+UA7arnByYpbvxV0=
Address = 10.66.66.2/24,fd42:42:42::2/64
DNS = 176.103.130.130,176.103.130.131
[Peer]
PublicKey = 9WebKmUim9bgZCoMCqGeKpEU+0l1yehGuWsYqUyp+Hk=
Endpoint = 51.38.131.234:1194
AllowedIPs = 0.0.0.0/0
PresharedKey = /J1j0uj8ka/Wen/qgFhBP4ii13PpWglsY5TFBfZrZ4c=
Arch Linux configuration files (VPS server).
# ifconfig
Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 51.38.131.234 netmask 255.255.255.255 broadcast 0.0.0.0
inet6 fe80::f816:3eff:fe26:17c2 prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:26:17:c2 txqueuelen 1000 (Ethernet)
RX packets 123692 bytes 13733337 (13.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 131469 bytes 20185711 (19.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 15 bytes 1456 (1.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15 bytes 1456 (1.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.66.66.1 netmask 255.255.255.0 destination 10.66.66.1
inet6 fd42:42:42::1 prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 357 bytes 17804 (17.3 KiB)
RX errors 233 dropped 0 overruns 0 frame 233
TX packets 86 bytes 6244 (6.0 KiB)
TX errors 7 dropped 0 overruns 0 carrier 0 collisions 0
# cat /etc/wireguard/wg0.conf
Code:
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 1194
PrivateKey = IJTTRAA7yHuiT4dCco7LgVCMpxplM43fgBa/LwPjQXg=
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = eq6igMfkwk8oKdpqsQSbGlaOIWIXyqYLi2Q60FK0E00=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
PresharedKey = 8qYmRTAo+wVKhIzYYyvA+AFqD7oAveGs5LSa8UVA694=
mustang01 (n00b, joined 19 Aug 2019, 42 posts)
Posted: Mon Oct 07, 2019 3:45 pm

How do I unblock ping from the WAN port?
# sudo iptables -L
Code:
Hasło:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROPPERM all -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,ACK/ACK
DROPFLOOD icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- 192.168.0.0/27 anywhere
ACCEPT all -- 192.168.1.0/30 anywhere
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- 192.168.0.0/27 anywhere tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- 192.168.1.0/30 anywhere tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:8885 flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:18081 flags:FIN,SYN,RST,ACK/SYN
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,ACK/ACK
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
ACCEPT all -- 192.168.0.0/27 anywhere
ACCEPT all -- 192.168.0.0/27 anywhere
ACCEPT all -- 192.168.1.0/30 anywhere
ACCEPT all -- 192.168.1.0/30 anywhere
ACCEPT all -- 192.168.0.0/27 192.168.1.0/30
ACCEPT all -- 192.168.1.0/30 192.168.0.0/27
ACCEPT udp -- anywhere 192.168.0.0/27 udp spt:domain
ACCEPT udp -- anywhere 192.168.0.0/27 udp spt:ntp
ACCEPT udp -- anywhere 192.168.1.0/30 udp spt:domain
ACCEPT udp -- anywhere 192.168.1.0/30 udp spt:ntp
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.0.0/27
ACCEPT all -- anywhere 255.255.255.255
ACCEPT udp -- 192.168.0.0/27 anywhere
ACCEPT all -- anywhere 192.168.1.0/30
ACCEPT all -- anywhere 255.255.255.255
ACCEPT udp -- 192.168.1.0/30 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROPSPOOF all -- anywhere anywhere
Chain DEBUG (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level error prefix "DEBUG: "
Chain DROPFLOOD (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain DROPGEN (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain DROPINVAL (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain DROPPERM (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain DROPSPOOF (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain REJECTPERM (0 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-net-unreachable
mustang01 (n00b, joined 19 Aug 2019, 42 posts)
Posted: Wed Oct 09, 2019 9:46 am

My current configuration. I unblocked port 1194 for the VPN tunnel. The connection to the WireGuard server is working.
Code:
sudo load_balance.pl -d
echo 0 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/pre-run/pre-run-script.pl ##
## Finished /etc/balance/pre-run/pre-run-script.pl ##
ip route flush all
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
ip route flush table 1
ip route flush table 2
ip route add 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add 83.1.4.248/32 dev ppp0 src 83.23.86.188
ip route add 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip route add default scope global nexthop via 83.1.4.248 dev ppp0 weight 1 nexthop via 192.168.2.1 dev enp5s0 weight 1
ip route add table 1 default dev enp5s0 via 192.168.2.1
ip route add table 1 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 1 83.1.4.248/32 dev ppp0 src 83.23.86.188
ip route add table 1 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 1 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 192.168.2.2 table 1
ip rule add fwmark 1 table 1
ip route add table 2 default dev ppp0 via 83.1.4.248
ip route add table 2 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 2 83.1.4.248/32 dev ppp0 src 83.23.86.188
ip route add table 2 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 2 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 83.23.86.188 table 2
ip rule add fwmark 2 table 2
## Including rules from /etc/balance/routes/01.local_routes ##
# enter any routing commands you might want to go in
# for example:
# ip route add 192.168.100.1 dev eth0 src 198.162.1.14
## Finished /etc/balance/routes/01.local_routes ##
## Including rules from /etc/balance/routes/02.local_routes.pl ##
## Finished /etc/balance/routes/02.local_routes.pl ##
## Including rules from /etc/balance/routes/03.noip.conf ##
ip rule add ipproto UDP dport 7777 table 2
ip rule add to 176.9.5.77 table 2
## Finished /etc/balance/routes/03.noip.conf ##
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -N REJECTPERM
iptables -A REJECTPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "REJECTED: "
iptables -A REJECTPERM -j REJECT --reject-with icmp-net-unreachable
iptables -N DROPGEN
iptables -A DROPGEN -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "GENERAL: "
iptables -A DROPGEN -j DROP
iptables -N DROPINVAL
iptables -A DROPINVAL -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "INVALID: "
iptables -A DROPINVAL -j DROP
iptables -N DROPPERM
iptables -A DROPPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "ACCESS-DENIED: "
iptables -A DROPPERM -j DROP
iptables -N DROPSPOOF
iptables -A DROPSPOOF -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "DROP-SPOOF: "
iptables -A DROPSPOOF -j DROP
iptables -N DROPFLOOD
iptables -A DROPFLOOD -m limit --limit 1/minute -j LOG --log-level 4 --log-prefix "DROP-FLOOD: "
iptables -A DROPFLOOD -j DROP
iptables -N DEBUG
iptables -A DEBUG -j LOG --log-level 3 --log-prefix "DEBUG: "
iptables -t mangle -N MARK-CABLE
iptables -t mangle -A MARK-CABLE -j MARK --set-mark 1
iptables -t mangle -A MARK-CABLE -j CONNMARK --save-mark
iptables -t mangle -N MARK-DSL
iptables -t mangle -A MARK-DSL -j MARK --set-mark 2
iptables -t mangle -A MARK-DSL -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate NEW -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate NEW -j MARK-DSL
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j DROPPERM
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROPFLOOD
iptables -A INPUT -i enp1s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT -o enp1s0 -d 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT -o enp1s0 -d 255.255.255.255/32 -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.0/27 -j ACCEPT
iptables -A INPUT -i enp6s0.2 -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT -o enp6s0.2 -d 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT -o enp6s0.2 -d 255.255.255.255/32 -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT -o enp5s0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp5s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o ppp0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp5s0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o ppp0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp6s0.2 -s 192.168.0.0/27 -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp1s0 -s 192.168.1.0/30 -d 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT -j DROPSPOOF
iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## Including rules from /etc/balance/firewall/01.accept ##
## This file contains iptables statements that add additional firewall rules
# allow incoming domain packets -- needed for DNS resolution
iptables -A INPUT -p udp --source-port domain -j ACCEPT
# allow incoming NTP packets -- needed for net time protocol
iptables -A INPUT -p udp --source-port ntp -j ACCEPT
## Finished /etc/balance/firewall/01.accept ##
## Including rules from /etc/balance/firewall/01.accept.pl ##
iptables -A INPUT -p tcp -s 192.168.0.0/27 --syn --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/30 --syn --dport ssh -j ACCEPT
## Finished /etc/balance/firewall/01.accept.pl ##
## Including rules from /etc/balance/firewall/02.forward.pl ##
iptables -A FORWARD -p udp --source-port domain -d 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -p udp --source-port ntp -d 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -p udp --source-port domain -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -p udp --source-port ntp -d 192.168.1.0/30 -j ACCEPT
## Finished /etc/balance/firewall/02.forward.pl ##
## Including rules from /etc/balance/firewall/04.webserver.conf ##
iptables -A INPUT -p tcp --syn --dport 8885 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 18081 -j ACCEPT
## Finished /etc/balance/firewall/04.webserver.conf ##
## Including rules from /etc/balance/firewall/99.vpn.pl ##
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT -i wg0 -j ACCEPT
iptables -I OUTPUT -o wg0 -j ACCEPT
iptables -I FORWARD -i wg0 -o enp1s0 -j ACCEPT
iptables -I FORWARD -o wg0 -i enp1s0 -j ACCEPT
iptables -I FORWARD -i wg0 -o enp6s0.2 -j ACCEPT
iptables -I FORWARD -o wg0 -i enp6s0.2 -j ACCEPT
## Finished /etc/balance/firewall/99.vpn.pl ##
echo 1 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/post-run/post-run-script.pl ##
## Finished /etc/balance/post-run/post-run-script.pl ##
lsm process killed
Starting lsm link status monitoring daemon
mustang01 (n00b, joined 19 Aug 2019, 42 posts)
Posted: Fri Oct 11, 2019 11:49 am

I created a script in the /etc/balance/post-run directory containing:
Code:
iptables -D INPUT -p icmp --icmp-type echo-request -j DROPFLOOD
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Pings are working. Thank you for the help, script author.