Re: network newbie seeks assistance debugging iptables for VPN tunnel

To: debian-user@lists.debian.org,
Cc: Matt Ventura <mattventura@mattventura.net>,
Subject: Re: network newbie seeks assistance debugging iptables for VPN tunnel
From: Tom Roche <Tom_Roche@pobox.com>
Date: Thu, 22 Jan 2015 15:38:22 -0500
Message-id: <[🔎] 87mw5asg8x.fsf@pobox.com>
Reply-to: debian-user@lists.debian.org, Tom Roche <Tom_Roche@pobox.com>
In-reply-to: <[🔎] 54C1485E.2060408@mattventura.net>
References: <[🔎] 54C1485E.2060408@mattventura.net> <[🔎] 54C09651.3070105@mattventura.net> <[🔎] 54BFE8CE.9010302@mattventura.net> <[🔎] 87vbk0rpkj.fsf@pobox.com> <[🔎] 87sif3sts8.fsf@pobox.com> <[🔎] 87ppa6socq.fsf@pobox.com>

Tom Roche Thu, 22 Jan 2015 12:43:17 -0500 [1]
>> summary: Smells like progress! If I'm guessing correctly, the
>> `route` changes imposed by connecting to the F5VPN[2] are
>> conflicting with my server/jumpbox's current `iptables`[3] (through
>> which my client seeks to tunnel[4]). Does that claim seem warranted?
>> If so, how to fix the server firewall?

Matt Ventura Thu, 22 Jan 2015 10:58:38 -0800 [5] (rearranged)
> another option would be to simply run the F5 VPN client on the linode.

Alas, no:

1. Several years ago (when I was first struggling with getting the F5NAP to work directly[6]), I tried to find a headless alternative (e.g., something like a NetworkManager plugin), but was told by F5 that there was no such client for linux (at least, with the make/model of F5VPN that the agency had installed).

2. Several months ago (when linode.com was first recommended to me), I was sternly warned that linodes prefer to be run headless, and that running Firefox on a linode would be expensive and painful, if it worked at all.

> I'm assuming ppp0 is the F5 VPN interface.

Me, too: connecting to the F5VPN[2] creates that interface on the client, and disconnecting from the F5VPN removes it from the client.

> Try deleting the first entry in the routing table after bringing up the F5 VPN (something like 'route del default ppp0' if memory serves)

will check

> and see if it fixes the problem. This will probably break connectivity to the VPN until you restart it, but see if you can access the internet in general.

Will do. I've got an appt, but will be back soonest. Thanks in advance!

Hoping soon to get back to work on my *real* project, Tom Roche <Tom_Roche@pobox.com>

[1]: https://lists.debian.org/debian-user/2015/01/msg00774.html
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[5]: https://lists.debian.org/debian-user/2015/01/msg00779.html
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap

Reply to:

References:
- Re: network newbie seeks assistance debugging iptables for VPN tunnel
  - From: Matt Ventura <mattventura@mattventura.net>
- Re: network newbie seeks assistance debugging iptables for VPN tunnel
  - From: Matt Ventura <mattventura@mattventura.net>
- Re: network newbie seeks assistance debugging iptables for VPN tunnel
  - From: Matt Ventura <mattventura@mattventura.net>
- network newbie seeks assistance debugging iptables for VPN tunnel
  - From: Tom Roche <Tom_Roche@pobox.com>
- Re: network newbie seeks assistance debugging iptables for VPN tunnel
  - From: Tom Roche <Tom_Roche@pobox.com>
- Re: network newbie seeks assistance debugging iptables for VPN tunnel
  - From: Tom Roche <Tom_Roche@pobox.com>

Prev by Date: Re: initial Jessie Problems - More
Next by Date: Re: Can't get sound to work
Previous by thread: Re: SIOCDELRT, or: proper syntax to delete default route for an interface?
Next by thread: Re: network newbie seeks assistance debugging iptables for VPN tunnel
Index(es):
- Date
- Thread