
iptables, routing problems



Hi all,

I've got a networking issue that's confusing me.

When I try to ssh out, I can see the packets being accepted by the rule
in the OUTPUT chain, but I can't see them with tcpdump. Nothing is
hitting the rules in the nat POSTROUTING chain, either.

I can see from the ACCEPT rule (in the iptables output) that the packet
is going through the interface I expect (enp4s0.1441).

Any ideas? I suspect it's something silly I've just failed to spot ...

Note that yesterday, when I was on site, I wasn't trying this, but had
similar problems with traffic going out - DNS packets were being
accepted, but not hitting the postrouting SNAT rule. Today, I can't get
to the machine I was testing from, which is how I found the current problem.

In both cases, ping works - I can ping the machine I'm trying to ssh to
(10.144.1.10), and yesterday I could ping the DNS server (8.8.8.8 for
test purposes).

Background and other info:

The system is (supposed to be) a router, based on an old (atom-based) HP
thin client connected to a VLAN switch. It's running buster.

I've built routers before, but not using VLANs and not (I think) on buster.

I'm using iptables-legacy (because I'm relatively familiar with it).

Other oddities are:

- it's running OpenVPN (which is working; that's how I'm connecting to
it today)
- there's an odd route I've added to allow talking to bits of my home
LAN, despite the external interface of this router being on the same
address range (too many people choose 192.168.1.0/24)

Here's the routing table:
------------8<--------------------
richard@svrouter:~$ sudo ip route
default via 192.168.1.1 dev enp4s0.1 onlink
10.144.1.0/24 dev enp4s0.1441 proto kernel scope link src 10.144.1.1
10.144.2.0/24 dev enp4s0.1442 proto kernel scope link src 10.144.2.1
192.168.1.0/24 dev enp4s0.1 proto kernel scope link src 192.168.1.15
192.168.1.96/27 via 192.168.94.1 dev tun0
192.168.94.0/24 dev tun0 proto kernel scope link src 192.168.94.10
------------8<--------------------

/etc/network/interfaces:
------------8<--------------------
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# # The primary network interface
# auto enp4s0
# iface enp4s0 inet dhcp

auto enp4s0.1
iface enp4s0.1 inet static
  address 192.168.1.15/24
  gateway 192.168.1.1

auto enp4s0.1441
iface enp4s0.1441 inet static
  address 10.144.1.1/24

auto enp4s0.1442
iface enp4s0.1442 inet static
  address 10.144.2.1/24
------------8<--------------------
(interfaces.d is empty)

iptables -vnL:
------------8<--------------------
Chain INPUT (policy ACCEPT 26 packets, 8528 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 LOG flags 0 level 4
 1109 99188 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 25 packets, 1750 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  enp4s0.1 enp4s0.1441  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  enp4s0.1441 enp4s0.1  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  enp4s0.1441 enp4s0.1  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  enp4s0.1441 enp4s0.1  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  enp4s0.1441 enp4s0.1  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  enp4s0.1441 enp4s0.1  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
  676 46636 LOG        udp  --  enp4s0.1441 enp4s0.1  0.0.0.0/0            0.0.0.0/0            udp dpt:53 LOG flags 0 level 4 prefix "PRE-ACCEPT "
  676 46636 ACCEPT     udp  --  enp4s0.1441 enp4s0.1  0.0.0.0/0            0.0.0.0/0            udp dpt:53
   25  1750 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FWD "

Chain OUTPUT (policy ACCEPT 53 packets, 3180 bytes)
 pkts bytes target     prot opt in     out     source               destination
  731  128K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            203.118.153.20       udp spt:1194 dpt:1194
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    1    76 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
   14   840 LOG        tcp  --  *      *       0.0.0.0/0            10.144.1.0/24        tcp dpt:22 LOG flags 0 level 4 prefix "OUT PRE-ACCEPT "
   14   840 ACCEPT     tcp  --  *      enp4s0.1441  0.0.0.0/0            10.144.1.0/24        tcp dpt:22
    0     0 ACCEPT     tcp  --  *      enp4s0.1  0.0.0.0/0            10.144.1.0/24        tcp dpt:22
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            10.144.1.0/24        tcp dpt:22 LOG flags 0 level 4
------------8<-------------------
richard@svrouter:~$ cat /proc/sys/net/ipv4/ip_forward
1

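A counter-diff helper for the kind of "which rule saw my packet" tracing the post above is doing, added here as an example and not taken from the original message. It snapshots `iptables -vnxL` for the filter and nat tables, you send one test packet, it snapshots again, and it prints only the rules (and chain policies) whose packet counters moved, prefixed with table and chain; `egress_dev` reports the interface `ip route get` picks for a destination, which is the interface tcpdump has to listen on. The two snapshot files embedded below are constructed to resemble the poster's OUTPUT and POSTROUTING chains, with numbers chosen for illustration; `snapshot` and `egress_dev` need root and a live iproute2/iptables and are defined but not run. One caveat when reading nat counters: the nat table is consulted only for the first packet of a connection, so packets of a flow conntrack already knows about never move a POSTROUTING rule counter even though they still traverse the filter OUTPUT chain.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post): diff two iptables
# counter snapshots so that a single test packet shows exactly which rules
# it matched. The sample snapshots below are constructed, not captured.

# Snapshot one or more tables into a file. -x prints exact counters
# (no "128K"), and a "# table" marker lets the diff label chains by table.
snapshot() {   # usage: snapshot <outfile> <table>...   (needs root)
    out=$1; shift
    for t in "$@"; do
        echo "# table $t"
        iptables -t "$t" -vnxL
    done > "$out"
}

# Interface the kernel will actually use for a destination, i.e. the one
# tcpdump must listen on. Parses `ip -o route get` output from iproute2.
egress_dev() { # usage: egress_dev <dst-ip>
    ip -o route get "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Compare two snapshots line by line; print "<table>/<chain>: +<delta> pkts <rule>"
# for every rule or chain policy whose packet counter changed.
changed_rules() { # usage: changed_rules <before-file> <after-file>
    awk '
        NR == FNR { before[FNR] = $0; next }        # first file: remember every line
        $1 == "#" && $2 == "table" { table = $3 }  # our marker from snapshot()
        $1 == "Chain" { chain = $2 }               # chain header line
        {
            if (!(FNR in before)) next             # rule set changed between runs
            split(before[FNR], b, " ")
            if ($1 == "Chain" && $3 == "(policy" && b[5] != $5) {
                # "Chain X (policy ACCEPT N packets, ...)": $5 is the policy pkt count
                printf "%s/%s: +%d pkts  (chain policy %s)\n", table, chain, $5 - b[5], $4
            } else if ($1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && b[1] != $1) {
                line = $0; sub(/^ +/, "", line)
                printf "%s/%s: +%d pkts  %s\n", table, chain, $1 - b[1], line
            }
        }' "$1" "$2"
}

# Constructed sample: one new ssh connection attempt was made between the
# two snapshots. Only the filter OUTPUT counters move; nat stays flat.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
# table filter
Chain OUTPUT (policy ACCEPT 53 packets, 3180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     731     128000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      14        840 LOG        tcp  --  *      *       0.0.0.0/0            10.144.1.0/24        tcp dpt:22 LOG flags 0 level 4 prefix "OUT PRE-ACCEPT "
      14        840 ACCEPT     tcp  --  *      enp4s0.1441  0.0.0.0/0            10.144.1.0/24        tcp dpt:22
# table nat
Chain POSTROUTING (policy ACCEPT 9 packets, 600 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        180 SNAT       all  --  *      enp4s0.1  0.0.0.0/0            0.0.0.0/0            to:192.168.1.15
EOF
cat > "$AFTER" <<'EOF'
# table filter
Chain OUTPUT (policy ACCEPT 53 packets, 3180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     735     128240 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      15        916 LOG        tcp  --  *      *       0.0.0.0/0            10.144.1.0/24        tcp dpt:22 LOG flags 0 level 4 prefix "OUT PRE-ACCEPT "
      15        916 ACCEPT     tcp  --  *      enp4s0.1441  0.0.0.0/0            10.144.1.0/24        tcp dpt:22
# table nat
Chain POSTROUTING (policy ACCEPT 9 packets, 600 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        180 SNAT       all  --  *      enp4s0.1  0.0.0.0/0            0.0.0.0/0            to:192.168.1.15
EOF

changed_rules "$BEFORE" "$AFTER"
```

On the real box: `snapshot before.txt filter nat`, trigger one fresh connection (for instance `ssh -o ConnectTimeout=3 10.144.1.10`), `snapshot after.txt filter nat`, then `changed_rules before.txt after.txt`, with `tcpdump -nn -e -i "$(egress_dev 10.144.1.10)" port 22` running in a second terminal (`-e` shows the link-level header, so an 802.1Q tag is visible if one is present). If the per-interface capture stays empty while the OUTPUT counters move, repeat the capture with `-i any` to see whether the packet leaves on a different interface than the routing table suggests.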