Gentoo Forums
dual wan

mustang01
PostPosted: Sat Sep 14, 2019 1:27 pm    Post subject: dual wan Reply with quote

[Moderator note: this post, and only this post, was originally attached to the Documentation, Tips, & Tricks topic HOWTO setup dual wan, but it is a support request, not documentation or a correction to that post. -Hu]

Hello, I am trying to set up a dual WAN in my network.
I have two routers on 192.168.1.1/30 and 192.168.2.1/30. My IP addresses are 192.168.1.2 and 192.168.2.2. The LAN address is 192.168.0.1/27. When I run the firewall script I get an error.
Script:
Code:
#!/bin/bash

#tools
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"

###interfaces
WAN0="enp6s0"; WAN0_IP="192.168.1.2"
WAN1="enp5s0"; WAN1_IP="192.168.2.2"
LAN="enp1s0"

###clearing iptables
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IP6TABLES -F
$IP6TABLES -t mangle -F
$IP6TABLES -X
$IP6TABLES -t mangle -X
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT ACCEPT
$IP6TABLES -P FORWARD DROP

###nat
$IPTABLES -t nat -A POSTROUTING -o $WAN0 -j SNAT --to-source $WAN0_IP
$IPTABLES -t nat -A POSTROUTING -o $WAN1 -j SNAT --to-source $WAN1_IP

###mangle (used for load balancing)
$IPTABLES -t mangle -A POSTROUTING -o $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
$IPTABLES -t mangle -A POSTROUTING -o $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
$IPTABLES -t mangle -A PREROUTING -i $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
$IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
$IPTABLES -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

###must have rules
$IPTABLES  -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES  -A INPUT -p icmp   -j ACCEPT
$IPTABLES  -A INPUT -i lo -j ACCEPT
$IPTABLES  -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6   -j ACCEPT
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

###internet access
$IPTABLES -A FORWARD -i $LAN -o $WAN0 ! -d 192.168.0.0/16 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $WAN1 ! -d 192.168.0.0/16 -j ACCEPT

###default reject
$IPTABLES  -A INPUT   -j REJECT
$IPTABLES  -A FORWARD -j REJECT
$IP6TABLES -A INPUT   -j REJECT
$IP6TABLES -A FORWARD -j REJECT

Error:
Code:
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.


Please help me.
Hu
Moderator
PostPosted: Sat Sep 14, 2019 3:54 pm    Post subject: Re: dual wan Reply with quote

mustang01 wrote:
When I run the firewall script I get an error.
You should not use a script to set iptables rules. You should use iptables-restore. By using a script, you allow failures to leave your firewall in an inconsistent state.
mustang01 wrote:
Code:
#!/bin/bash
Your script is missing set -e. Under the circumstances, you may want to place that after the firewall is placed in a fail-secure state.
mustang01 wrote:
Code:
WAN0="enp6s0"; WAN0_IP="192.168.1.2"
WAN1="enp5s0"; WAN1_IP="192.168.2.2"
I hope these are placeholder addresses for the purpose of the post. Those are still private IP addresses, and are unlikely to be real WAN addresses.
mustang01 wrote:
Code:
###mangle (used for load balancing)
$IPTABLES -t mangle -A POSTROUTING -o $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
$IPTABLES -t mangle -A POSTROUTING -o $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
$IPTABLES -t mangle -A PREROUTING -i $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
$IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
$IPTABLES -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
Where do you read these marks? I do not see any uses of -m connmark.
mustang01 wrote:
Code:
###default reject
$IPTABLES  -A INPUT   -j REJECT
$IPTABLES  -A FORWARD -j REJECT
$IP6TABLES -A INPUT   -j REJECT
$IP6TABLES -A FORWARD -j REJECT
Do you really want REJECT for disallowed traffic coming in from the Internet? You originally set a policy of DROP, but this REJECT preempts that.
mustang01 wrote:
Error:
Code:
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Please help me.
Which statements fail? set -e would have stopped it on the first failure. iptables-restore would tell you which line failed. You could also use set -x to make bash print statements as it goes, so that the offending statement will be shown immediately preceding the error message.
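Hu's advice above, as an added example that is not from the thread or from Net-ISP-Balance: the posted rules re-emitted as one iptables-restore ruleset (loaded atomically, with the error naming the failing line), a linter for the two findings Hu raised (marks that nothing reads, a catch-all REJECT on top of a DROP policy), and the `ip rule fwmark` reader side the script lacks. Interface names and addresses are those mustang01 posted; the routing-table numbers 1 and 2, the `policy_rules` consumer and the `apply` helper are assumptions.

```python
"""Added example, not code from the thread or from Net-ISP-Balance: the rules
mustang01 posted, emitted as one iptables-restore ruleset, plus a linter for
Hu's two findings (marks nobody reads; catch-all REJECT under a DROP policy)."""
import re
import subprocess

# Interface names and addresses as posted in the thread.
WAN0, WAN0_IP = "enp6s0", "192.168.1.2"
WAN1, WAN1_IP = "enp5s0", "192.168.2.2"
LAN = "enp1s0"
MARK_WAN0, MARK_WAN1 = 0x100, 0x101

SET_RE = re.compile(r"-j (?:CONNMARK|MARK) --set-x?mark (0x[0-9a-f]+|\d+)")
READ_RE = re.compile(r"(?:-m (?:connmark|mark) --mark|fwmark) (0x[0-9a-f]+|\d+)")


def build_ruleset(final: str = "REJECT") -> str:
    """Return the thread's rules in iptables-restore syntax.

    iptables-restore parses the whole file and commits each table in one
    step, so a bad line leaves the running firewall untouched and the error
    names the line number, which a script of separate iptables calls cannot
    do. `final` is the catch-all target the original script appends ("" omits it).
    """
    mangle = [
        f"-A POSTROUTING -o {WAN0} -m conntrack --ctstate NEW -j CONNMARK --set-mark {MARK_WAN0:#x}",
        f"-A POSTROUTING -o {WAN1} -m conntrack --ctstate NEW -j CONNMARK --set-mark {MARK_WAN1:#x}",
        f"-A PREROUTING -i {WAN0} -m conntrack --ctstate NEW -j CONNMARK --set-mark {MARK_WAN0:#x}",
        f"-A PREROUTING -i {WAN1} -m conntrack --ctstate NEW -j CONNMARK --set-mark {MARK_WAN1:#x}",
        # restore-mark copies the connmark onto the packet fwmark; that only
        # matters if some later rule, or an ip rule, reads the fwmark.
        "-A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark",
        "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark",
    ]
    nat = [
        f"-A POSTROUTING -o {WAN0} -j SNAT --to-source {WAN0_IP}",
        f"-A POSTROUTING -o {WAN1} -j SNAT --to-source {WAN1_IP}",
    ]
    filt = [
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -p icmp -j ACCEPT",
        "-A INPUT -i lo -j ACCEPT",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -i {LAN} -o {WAN0} ! -d 192.168.0.0/16 -j ACCEPT",
        f"-A FORWARD -i {LAN} -o {WAN1} ! -d 192.168.0.0/16 -j ACCEPT",
    ]
    if final:
        filt += [f"-A INPUT -j {final}", f"-A FORWARD -j {final}"]
    lines = ["*mangle", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
             ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]",
             *mangle, "COMMIT",
             "*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
             ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]", *nat, "COMMIT",
             # Policies are DROP from the first line: the fail-secure state
             # Hu wanted in place before anything else can fail.
             "*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
             *filt, "COMMIT"]
    return "\n".join(lines) + "\n"


def policy_rules() -> list[str]:
    """The reader side the original script lacks (assumed here; modelled on the
    'ip rule add fwmark 1 table 1' lines Net-ISP-Balance prints later in this
    thread): select a per-WAN routing table by the restored fwmark."""
    return [f"ip rule add fwmark {MARK_WAN0:#x} table 1",
            f"ip rule add fwmark {MARK_WAN1:#x} table 2"]


def lint(ruleset: str, ip_rules=()) -> list[str]:
    """Report marks that are set but never read and catch-all REJECTs that
    override a DROP policy. Marks are compared numerically (0x100 == 256)."""
    findings = []
    text = ruleset + "\n" + "\n".join(ip_rules)
    set_marks = {int(m, 0) for m in SET_RE.findall(text)}
    read_marks = {int(m, 0) for m in READ_RE.findall(text)}
    for m in sorted(set_marks - read_marks):
        findings.append(f"mark {m:#x} is set but never read "
                        "(no -m connmark/-m mark match and no ip rule fwmark)")
    policy, table = {}, None
    for line in ruleset.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":") and table == "filter":
            chain, pol = line[1:].split()[:2]
            policy[chain] = pol
        elif table == "filter" and re.fullmatch(r"-A (INPUT|FORWARD) -j REJECT", line):
            chain = line.split()[1]
            if policy.get(chain) == "DROP":
                findings.append(f"{chain}: catch-all REJECT overrides the DROP "
                                "policy and answers every unsolicited packet")
    return findings


def apply(ruleset: str, test_only: bool = True) -> int:
    """Hand the ruleset to iptables-restore and return its exit status. With
    test_only, -t/--test parses and builds the ruleset without committing it
    (a safe pre-flight); a real load needs root and iptables-restore on PATH."""
    cmd = ["iptables-restore", "--test"] if test_only else ["iptables-restore"]
    return subprocess.run(cmd, input=ruleset, text=True).returncode
```

Running `lint(build_ruleset())` on the rules as posted reports both marks as unread and both catch-all REJECTs; adding `policy_rules()` and dropping the catch-all (`final=""`) clears every finding.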
mustang01
PostPosted: Sat Sep 14, 2019 5:48 pm    Post subject: Re: dual wan Reply with quote

https://forums.gentoo.org/viewtopic-p-7411172.html
Quote:

WAN0="enp6s0"; WAN0_IP="192.168.1.2"
WAN1="enp5s0"; WAN1_IP="192.168.2.2"

These are the IP addresses of my network cards. The first router (192.168.1.1) gets a dynamic public IP address. The other router (192.168.2.1) is in the LTE network without a public IP address.
I copied this script from https://forums.gentoo.org/viewtopic-p-7411172.html and I was surprised it didn't work. I don't know iptables. I copied my previous iptables rules from https://wiki.gentoo.org/wiki/Home_router and they worked.
Can you write me new iptables rules?


PS. I used this program -> https://github.com/lstein/Net-ISP-Balance and the matter is done.
mustang01
PostPosted: Sun Oct 06, 2019 2:29 pm    Post subject: Access web server on VPN client through VPN server public IP Reply with quote

Hello, I have a problem setting up a VPN tunnel from a home Gentoo router to a VPS server running Arch Linux. On Gentoo, I have a dual WAN with a VDSL (dynamic IP) connection through a modem using PPPoE and an LTE router (no public IP, blocked ports). I'd like to set up the LTE connection to a VPS server on Arch Linux and unblock the blocked ports for a Gentoo web server.
I would like to use WireGuard because it is the fastest VPN tunnel I know. I use the Net-ISP-Balance script to set up the dual WAN connection -> https://lstein.github.io/Net-ISP-Balance/.
I used the script from https://github.com/angristan/wireguard-install on Arch Linux to install and configure WireGuard.
I have a problem configuring the VPN connection: after establishing the connection I cannot browse the web. Please help.

Gentoo configuration files (home router).

# cat /etc/conf.d/net
Code:
config_enp1s0="192.168.0.1/27"

config_enp5s0="192.168.2.2/24"
routes_enp5s0="default via 192.168.2.1"
dns_servers_enp5s0="185.89.185.1 89.108.195.20"


vlans_enp6s0="2"
config_enp6s0="null"
config_enp6s0_2="192.168.1.2/30"

config_ppp0="ppp"
link_ppp0="enp6s0"
plugins_ppp0="pppoe"
username_ppp0='*******@neostrada.pl'
password_ppp0='*******'
pppd_ppp0="
noauth
defaultroute
usepeerdns
mtu 1492
holdoff 3
child-timeout 60
lcp-echo-interval 15
lcp-echo-failure 3
noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp"
rc_net_ppp0_need="net.enp6s0"

#cat /etc/balance.conf

Code:
## Net::ISP::Balance configuration file
## edit it as needed to describe your router setup

## This table defines the LAN and IP services.
## Uncomment by removing hash symbols (#) and then edit as needed

## service    device   role     ping-ip            weight  gateway
CABLE         enp5s0     isp      172.217.20.163      1       default
DSL           ppp0       isp      172.217.20.163      1       default
LAN1          enp1s0     lan
LAN2          enp6s0.2   lan

# The mode controls whether to operate in "balanced" mode in which traffic
# is distributed among the isp services proportional to the weights, or "failover"
# mode in which all traffic is routed through the highest weighted service and
# switches to lower-weighted services only when the higher one(s) are unavailable.
mode=balanced
#mode=failover

## The "forwarding_group" option gives you fine control over how
## packets are forwarded.  See the online docs for details.  :lan
## means all interfaces marked as "lan" :isp means all interfaces
## marked as "isp" the default (shown below) allows forwarding among
## all lan and isp interfaces

forwarding_group=:lan :isp

## The "mode" option, if present, selects which mode Net-ISP-Balance runs
## in. The choices are "balanced" and "failover".
##
## In "balanced" mode (the default) each interface marked as an ISP
## will be used to balance outgoing and incoming packets. If one goes
## down, the other(s) will be used as failover services.  The "weight"
## column in the table above is used to prioritize how packets are
## balanced across the (running) interfaces.
##
## In "failover" mode, only one ISP will be used at a time. The others
## will be used as backups if the primary interface fails. In this case
## the weight is used to select which interface is currently active, with
## the currently running interface with the highest weight being selected.


## These options are passed to lsm, among others.
## the defaults are shown. To change them, uncomment
## and edit.

warn_email=lukasz.mustang@gmail.com
interval_ms=1000
max_packet_loss=15
max_successive_pkts_lost=7
min_packet_loss=5
min_successive_pkts_rcvd=10
#long_down_time=120


#sudo load_balance.pl -d
Code:
echo 0 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/pre-run/pre-run-script.pl ##
## Finished /etc/balance/pre-run/pre-run-script.pl ##
ip route flush all
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
ip route flush table  1
ip route flush table  2
ip route add  192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add  83.1.4.248/32 dev ppp0 src 83.21.137.153
ip route add  192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add  192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip route add default scope global nexthop via 192.168.2.1 dev enp5s0 weight 1 nexthop via 83.1.4.248 dev ppp0 weight 1
ip route add table 1 default dev enp5s0 via 192.168.2.1
ip route add table 1 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 1 83.1.4.248/32 dev ppp0 src 83.21.137.153
ip route add table 1 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 1 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 192.168.2.2 table 1
ip rule add fwmark 1 table 1
ip route add table 2 default dev ppp0 via 83.1.4.248
ip route add table 2 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 2 83.1.4.248/32 dev ppp0 src 83.21.137.153
ip route add table 2 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 2 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 83.21.137.153 table 2
ip rule add fwmark 2 table 2
## Including rules from /etc/balance/routes/01.local_routes ##
# enter any routing commands you might want to go in
# for example:
# ip route add 192.168.100.1 dev eth0 src 198.162.1.14

## Finished /etc/balance/routes/01.local_routes ##
## Including rules from /etc/balance/routes/02.local_routes.pl ##
## Finished /etc/balance/routes/02.local_routes.pl ##
## Including rules from /etc/balance/routes/03.noip.conf ##
ip rule add ipproto UDP dport 7777 table 2
ip rule add to 176.9.5.77 table 2
## Finished /etc/balance/routes/03.noip.conf ##
iptables -F
iptables -X
iptables -t nat    -F
iptables -t nat    -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT    DROP
iptables -P OUTPUT   DROP
iptables -P FORWARD  DROP

iptables -N REJECTPERM
iptables -A REJECTPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "REJECTED: "
iptables -A REJECTPERM -j REJECT --reject-with icmp-net-unreachable

iptables -N DROPGEN
iptables -A DROPGEN -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "GENERAL: "
iptables -A DROPGEN -j DROP

iptables -N DROPINVAL
iptables -A DROPINVAL -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "INVALID: "
iptables -A DROPINVAL -j DROP

iptables -N DROPPERM
iptables -A DROPPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "ACCESS-DENIED: "
iptables -A DROPPERM -j DROP

iptables -N DROPSPOOF
iptables -A DROPSPOOF -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "DROP-SPOOF: "
iptables -A DROPSPOOF -j DROP

iptables -N DROPFLOOD
iptables -A DROPFLOOD -m limit --limit 1/minute  -j LOG --log-level 4 --log-prefix "DROP-FLOOD: "
iptables -A DROPFLOOD -j DROP

iptables -N DEBUG
iptables -A DEBUG  -j LOG --log-level 3 --log-prefix "DEBUG: "
iptables -t mangle -N MARK-CABLE
iptables -t mangle -A MARK-CABLE -j MARK     --set-mark 1
iptables -t mangle -A MARK-CABLE -j CONNMARK --save-mark
iptables -t mangle -N MARK-DSL
iptables -t mangle -A MARK-DSL -j MARK     --set-mark 2
iptables -t mangle -A MARK-DSL -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate NEW -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate NEW -j MARK-DSL
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j DROPPERM
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROPFLOOD
iptables -A INPUT   -i enp1s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT  -o enp1s0 -d 192.168.0.0/27  -j ACCEPT
iptables -A OUTPUT  -o enp1s0 -d 255.255.255.255/32  -j ACCEPT
iptables -A OUTPUT  -p udp -s 192.168.0.0/27 -j ACCEPT
iptables -A INPUT   -i enp6s0.2 -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT  -o enp6s0.2 -d 192.168.1.0/30  -j ACCEPT
iptables -A OUTPUT  -o enp6s0.2 -d 255.255.255.255/32  -j ACCEPT
iptables -A OUTPUT  -p udp -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT -o enp5s0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp5s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o ppp0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp5s0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o ppp0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp6s0.2 -s 192.168.0.0/27 -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp1s0 -s 192.168.1.0/30 -d 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT  -j DROPSPOOF
iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## Including rules from /etc/balance/firewall/01.accept ##
## This file contains iptables statements that add additional firewall rules

# allow incoming domain packets -- needed for DNS resolution
iptables -A INPUT   -p udp --source-port domain -j ACCEPT
# allow incoming NTP packets -- needed for net time protocol
iptables -A INPUT   -p udp --source-port ntp -j ACCEPT
## Finished /etc/balance/firewall/01.accept ##
## Including rules from /etc/balance/firewall/01.accept.pl ##
iptables -A INPUT -p tcp -s 192.168.0.0/27 --syn --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/30 --syn --dport ssh -j ACCEPT
## Finished /etc/balance/firewall/01.accept.pl ##
## Including rules from /etc/balance/firewall/02.forward.pl ##
iptables -A FORWARD -p udp --source-port domain -d 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -p udp --source-port ntp    -d 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -p udp --source-port domain -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -p udp --source-port ntp    -d 192.168.1.0/30 -j ACCEPT
## Finished /etc/balance/firewall/02.forward.pl ##
## Including rules from /etc/balance/firewall/04.webserver.conf ##
iptables -A INPUT -p tcp --syn --dport 8885  -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 18081 -j ACCEPT
## Finished /etc/balance/firewall/04.webserver.conf ##
echo 1 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/post-run/post-run-script.pl ##
## Finished /etc/balance/post-run/post-run-script.pl ##
lsm process killed
Starting lsm link status monitoring daemon

#ifconfig
Code:
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.224  broadcast 192.168.0.31
        inet6 fe80::523e:aaff:fe02:d989  prefixlen 64  scopeid 0x20<link>
        ether 50:3e:aa:02:d9:89  txqueuelen 1000  (Ethernet)
        RX packets 876523  bytes 110763076 (105.6 MiB)
        RX errors 0  dropped 56347  overruns 0  frame 0
        TX packets 1475342  bytes 1856439602 (1.7 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.2  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::12bf:48ff:fe4d:2685  prefixlen 64  scopeid 0x20<link>
        ether 10:bf:48:4d:26:85  txqueuelen 1000  (Ethernet)
        RX packets 677118  bytes 793192929 (756.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 330002  bytes 36277871 (34.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  memory 0xf7a00000-f7a20000

enp6s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::12bf:48ff:fe4d:243d  prefixlen 64  scopeid 0x20<link>
        ether 10:bf:48:4d:24:3d  txqueuelen 1000  (Ethernet)
        RX packets 870456  bytes 1114483756 (1.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 527544  bytes 64500032 (61.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 18  memory 0xf7900000-f7920000

enp6s0.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.252  broadcast 192.168.1.3
        inet6 fe80::12bf:48ff:fe4d:243d  prefixlen 64  scopeid 0x20<link>
        ether 10:bf:48:4d:24:3d  txqueuelen 1000  (Ethernet)
        RX packets 1  bytes 42 (42.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1830  bytes 374900 (366.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 118283  bytes 32662516 (31.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 118283  bytes 32662516 (31.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
        inet 83.21.137.153  netmask 255.255.255.255  destination 83.1.4.248
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 864803  bytes 1091641285 (1.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 520044  bytes 50226273 (47.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# cat /etc/wireguard/wg0-client.conf
Code:
[Interface]
PrivateKey = +BQDgkcjvjic3XYHeiDxthuwyep+UA7arnByYpbvxV0=
Address = 10.66.66.2/24,fd42:42:42::2/64
DNS = 176.103.130.130,176.103.130.131
[Peer]
PublicKey = 9WebKmUim9bgZCoMCqGeKpEU+0l1yehGuWsYqUyp+Hk=
Endpoint = 51.38.131.234:1194
AllowedIPs = 0.0.0.0/0
PresharedKey = /J1j0uj8ka/Wen/qgFhBP4ii13PpWglsY5TFBfZrZ4c=


Arch Linux configuration files (VPS server).

# ifconfig
Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 51.38.131.234  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::f816:3eff:fe26:17c2  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:26:17:c2  txqueuelen 1000  (Ethernet)
        RX packets 123692  bytes 13733337 (13.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 131469  bytes 20185711 (19.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 15  bytes 1456 (1.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15  bytes 1456 (1.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.66.66.1  netmask 255.255.255.0  destination 10.66.66.1
        inet6 fd42:42:42::1  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 357  bytes 17804 (17.3 KiB)
        RX errors 233  dropped 0  overruns 0  frame 233
        TX packets 86  bytes 6244 (6.0 KiB)
        TX errors 7  dropped 0 overruns 0  carrier 0  collisions 0


# cat /etc/wireguard/wg0.conf
Code:
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 1194
PrivateKey = IJTTRAA7yHuiT4dCco7LgVCMpxplM43fgBa/LwPjQXg=
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = eq6igMfkwk8oKdpqsQSbGlaOIWIXyqYLi2Q60FK0E00=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
PresharedKey = 8qYmRTAo+wVKhIzYYyvA+AFqD7oAveGs5LSa8UVA694=
mustang01
PostPosted: Mon Oct 07, 2019 3:45 pm    Post subject: Reply with quote

How do I unblock ping on the WAN port?

#sudo iptables -L
Code:
Hasło:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
DROPPERM   all  --  anywhere             127.0.0.0/8         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:SYN,ACK/ACK
DROPFLOOD  icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  192.168.0.0/27       anywhere           
ACCEPT     all  --  192.168.1.0/30       anywhere           
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  192.168.0.0/27       anywhere             tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  192.168.1.0/30       anywhere             tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8885 flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:18081 flags:FIN,SYN,RST,ACK/SYN

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:SYN,ACK/ACK
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST
ACCEPT     all  --  192.168.0.0/27       anywhere           
ACCEPT     all  --  192.168.0.0/27       anywhere           
ACCEPT     all  --  192.168.1.0/30       anywhere           
ACCEPT     all  --  192.168.1.0/30       anywhere           
ACCEPT     all  --  192.168.0.0/27       192.168.1.0/30     
ACCEPT     all  --  192.168.1.0/30       192.168.0.0/27     
ACCEPT     udp  --  anywhere             192.168.0.0/27       udp spt:domain
ACCEPT     udp  --  anywhere             192.168.0.0/27       udp spt:ntp
ACCEPT     udp  --  anywhere             192.168.1.0/30       udp spt:domain
ACCEPT     udp  --  anywhere             192.168.1.0/30       udp spt:ntp

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             192.168.0.0/27     
ACCEPT     all  --  anywhere             255.255.255.255     
ACCEPT     udp  --  192.168.0.0/27       anywhere           
ACCEPT     all  --  anywhere             192.168.1.0/30     
ACCEPT     all  --  anywhere             255.255.255.255     
ACCEPT     udp  --  192.168.1.0/30       anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
DROPSPOOF  all  --  anywhere             anywhere           

Chain DEBUG (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level error prefix "DEBUG: "

Chain DROPFLOOD (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain DROPGEN (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain DROPINVAL (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain DROPPERM (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain DROPSPOOF (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain REJECTPERM (0 references)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-net-unreachable
mustang01
PostPosted: Wed Oct 09, 2019 9:46 am    Post subject: Reply with quote

My current configuration. I unblocked port 1194 for the VPN tunnel. The connection to the WireGuard server is working.
Code:
sudo load_balance.pl  -d
echo 0 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/pre-run/pre-run-script.pl ##
## Finished /etc/balance/pre-run/pre-run-script.pl ##
ip route flush all
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
ip route flush table  1
ip route flush table  2
ip route add  192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add  83.1.4.248/32 dev ppp0 src 83.23.86.188
ip route add  192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add  192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip route add default scope global nexthop via 83.1.4.248 dev ppp0 weight 1 nexthop via 192.168.2.1 dev enp5s0 weight 1
ip route add table 1 default dev enp5s0 via 192.168.2.1
ip route add table 1 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 1 83.1.4.248/32 dev ppp0 src 83.23.86.188
ip route add table 1 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 1 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 192.168.2.2 table 1
ip rule add fwmark 1 table 1
ip route add table 2 default dev ppp0 via 83.1.4.248
ip route add table 2 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 2 83.1.4.248/32 dev ppp0 src 83.23.86.188
ip route add table 2 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 2 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 83.23.86.188 table 2
ip rule add fwmark 2 table 2
## Including rules from /etc/balance/routes/01.local_routes ##
# enter any routing commands you might want to go in
# for example:
# ip route add 192.168.100.1 dev eth0 src 198.162.1.14

## Finished /etc/balance/routes/01.local_routes ##
## Including rules from /etc/balance/routes/02.local_routes.pl ##
## Finished /etc/balance/routes/02.local_routes.pl ##
## Including rules from /etc/balance/routes/03.noip.conf ##
ip rule add ipproto UDP dport 7777 table 2
ip rule add to 176.9.5.77 table 2
## Finished /etc/balance/routes/03.noip.conf ##
iptables -F
iptables -X
iptables -t nat    -F
iptables -t nat    -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT    DROP
iptables -P OUTPUT   DROP
iptables -P FORWARD  DROP

iptables -N REJECTPERM
iptables -A REJECTPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "REJECTED: "
iptables -A REJECTPERM -j REJECT --reject-with icmp-net-unreachable

iptables -N DROPGEN
iptables -A DROPGEN -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "GENERAL: "
iptables -A DROPGEN -j DROP

iptables -N DROPINVAL
iptables -A DROPINVAL -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "INVALID: "
iptables -A DROPINVAL -j DROP

iptables -N DROPPERM
iptables -A DROPPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "ACCESS-DENIED: "
iptables -A DROPPERM -j DROP

iptables -N DROPSPOOF
iptables -A DROPSPOOF -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "DROP-SPOOF: "
iptables -A DROPSPOOF -j DROP

iptables -N DROPFLOOD
iptables -A DROPFLOOD -m limit --limit 1/minute  -j LOG --log-level 4 --log-prefix "DROP-FLOOD: "
iptables -A DROPFLOOD -j DROP

iptables -N DEBUG
iptables -A DEBUG  -j LOG --log-level 3 --log-prefix "DEBUG: "
iptables -t mangle -N MARK-CABLE
iptables -t mangle -A MARK-CABLE -j MARK     --set-mark 1
iptables -t mangle -A MARK-CABLE -j CONNMARK --save-mark
iptables -t mangle -N MARK-DSL
iptables -t mangle -A MARK-DSL -j MARK     --set-mark 2
iptables -t mangle -A MARK-DSL -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate NEW -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate NEW -j MARK-DSL
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j DROPPERM
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROPFLOOD
iptables -A INPUT   -i enp1s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT  -o enp1s0 -d 192.168.0.0/27  -j ACCEPT
iptables -A OUTPUT  -o enp1s0 -d 255.255.255.255/32  -j ACCEPT
iptables -A OUTPUT  -p udp -s 192.168.0.0/27 -j ACCEPT
iptables -A INPUT   -i enp6s0.2 -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT  -o enp6s0.2 -d 192.168.1.0/30  -j ACCEPT
iptables -A OUTPUT  -o enp6s0.2 -d 255.255.255.255/32  -j ACCEPT
iptables -A OUTPUT  -p udp -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT -o enp5s0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp5s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o ppp0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp5s0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o ppp0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp6s0.2 -s 192.168.0.0/27 -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp1s0 -s 192.168.1.0/30 -d 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT  -j DROPSPOOF
iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## Including rules from /etc/balance/firewall/01.accept ##
## This file contains iptables statements that add additional firewall rules

# allow incoming domain packets -- needed for DNS resolution
iptables -A INPUT   -p udp --source-port domain -j ACCEPT
# allow incoming NTP packets -- needed for net time protocol
iptables -A INPUT   -p udp --source-port ntp -j ACCEPT
## Finished /etc/balance/firewall/01.accept ##
## Including rules from /etc/balance/firewall/01.accept.pl ##
iptables -A INPUT -p tcp -s 192.168.0.0/27 --syn --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/30 --syn --dport ssh -j ACCEPT
## Finished /etc/balance/firewall/01.accept.pl ##
## Including rules from /etc/balance/firewall/02.forward.pl ##
iptables -A FORWARD -p udp --source-port domain -d 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -p udp --source-port ntp    -d 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -p udp --source-port domain -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -p udp --source-port ntp    -d 192.168.1.0/30 -j ACCEPT
## Finished /etc/balance/firewall/02.forward.pl ##
## Including rules from /etc/balance/firewall/04.webserver.conf ##
iptables -A INPUT -p tcp --syn --dport 8885  -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 18081 -j ACCEPT
## Finished /etc/balance/firewall/04.webserver.conf ##
## Including rules from /etc/balance/firewall/99.vpn.pl ##
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT  -i wg0 -j ACCEPT
iptables -I OUTPUT -o wg0 -j ACCEPT
iptables -I FORWARD -i wg0 -o enp1s0 -j ACCEPT
iptables -I FORWARD -o wg0 -i enp1s0 -j ACCEPT
iptables -I FORWARD -i wg0 -o enp6s0.2 -j ACCEPT
iptables -I FORWARD -o wg0 -i enp6s0.2 -j ACCEPT
## Finished /etc/balance/firewall/99.vpn.pl ##
echo 1 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/post-run/post-run-script.pl ##
## Finished /etc/balance/post-run/post-run-script.pl ##
lsm process killed
Starting lsm link status monitoring daemon
mustang01
n00b

Joined: 19 Aug 2019
Posts: 42

PostPosted: Fri Oct 11, 2019 11:49 am    Post subject:

I created a script in the /etc/balance/post-run directory containing:
Code:
iptables -D INPUT -p icmp --icmp-type echo-request -j DROPFLOOD
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Pings are working, thank you for helping, script author.
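An added example for this thread (not the reply's script and not part of the balance tool): the same two-rule change the reply makes, written so that it can run on every balance restart without failing. `iptables -D` returns an error once the DROPFLOOD rule is already gone, and `iptables -A` appends a duplicate ACCEPT each time it runs, so each rule is checked with `iptables -C` first. How balance invokes post-run scripts is not shown in the thread; this script is assumed to be called as `sh icmp-accept.sh apply`, and the `IPTABLES` variable is assumed to be overridable with a stub so the logic can be checked on a machine without netfilter or root.

```sh
#!/bin/sh
# Added example for the dual-wan thread, not the reply's script and not part
# of balance. It makes the reply's change idempotent: "iptables -D" fails when
# the rule is already gone and "iptables -A" duplicates on every run, so each
# rule is tested with "iptables -C" before it is touched.
#
# Assumptions (not from the thread): balance's post-run hook runs this file as
# "sh icmp-accept.sh apply"; IPTABLES may be pointed at a stub when testing.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Match portion shared by the two rules, exactly as the generated ruleset
# writes it (expanded unquoted on purpose so it splits into arguments).
ECHO_REQ="INPUT -p icmp --icmp-type echo-request"

# rule_present CHAIN MATCH... -> exit 0 if the rule exists in the filter table
rule_present() {
    "$IPTABLES" -C "$@" 2>/dev/null
}

# delete_if_present CHAIN MATCH... : remove the rule only if it is there
delete_if_present() {
    if rule_present "$@"; then
        "$IPTABLES" -D "$@"
    fi
}

# append_if_absent CHAIN MATCH... : add the rule only if it is not there yet
append_if_absent() {
    if ! rule_present "$@"; then
        "$IPTABLES" -A "$@"
    fi
}

# The post-run change itself: drop the DROPFLOOD catch-all for echo-requests
# and accept them instead. The 1/s rate-limited ACCEPT that balance generates
# stays in place above these rules; without DROPFLOOD, echo-requests above
# that rate are now accepted as well, so this trades the flood limit for
# reliable ping replies.
apply_post_run() {
    # $ECHO_REQ is unquoted so that it splits into separate iptables arguments
    delete_if_present $ECHO_REQ -j DROPFLOOD
    append_if_absent  $ECHO_REQ -j ACCEPT
}

# Apply only when asked to, so the file can also be sourced to reuse the helpers.
if [ "${1:-}" = "apply" ]; then
    apply_post_run
fi
```

Running it twice leaves the INPUT chain with exactly one echo-request ACCEPT and no DROPFLOOD rule, which is the state the reply's two lines produce on their first run only.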