From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Problems with Core 70 and OpenVPN N2N
Date: Fri, 12 Jul 2013 13:24:23 +0200 [thread overview]
Message-ID: <1373628263.15464.164.camel@rice-oxley.tremer.info> (raw)
In-Reply-To: <C6477DCC-8A6B-4F27-8D90-50799C690DB2@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 14207 bytes --]
See? Firewall rules are fine.
On Fri, 2013-07-12 at 11:04 +0200, Erik K. wrote:
> Hi Michael,
> here are the ovpn chains
>
> Chain OVPNFORWARD (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain OVPNINPUT (1 references)
> target prot opt source destination
> ACCEPT udp -- anywhere anywhere udp dpt:carrius-rshell
> ACCEPT all -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp dpt:5329
>
> Chain OVPN_BLUE_FORWARD (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain OVPN_BLUE_INPUT (1 references)
> target prot opt source destination
> ACCEPT udp -- anywhere anywhere udp dpt:carrius-rshell
> ACCEPT all -- anywhere anywhere
>
> and the rest of iptables -L
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> BADTCP all -- anywhere anywhere
> CUSTOMINPUT all -- anywhere anywhere
> GUARDIAN all -- anywhere anywhere
> IPTVINPUT all -- anywhere anywhere
> GUIINPUT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> IPSECINPUT all -- anywhere anywhere
> OPENSSLVIRTUAL all -- anywhere anywhere /* OPENSSLVIRTUAL INPUT */
> ACCEPT all -- anywhere anywhere state NEW
> DROP all -- 127.0.0.0/8 anywhere state NEW
> DROP all -- anywhere 127.0.0.0/8 state NEW
> ACCEPT !icmp -- anywhere anywhere state NEW
> DHCPBLUEINPUT all -- anywhere anywhere
> OVPNINPUT all -- anywhere anywhere
> OVPN_BLUE_INPUT all -- anywhere anywhere
> OPENSSLPHYSICAL all -- anywhere anywhere
> WIRELESSINPUT all -- anywhere anywhere state NEW
> REDINPUT all -- anywhere anywhere
> XTACCESS all -- anywhere anywhere state NEW
> LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
> DROP all -- anywhere anywhere /* DROP_INPUT */
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> BADTCP all -- anywhere anywhere
> TCPMSS tcp -- anywhere anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
> GUARDIAN all -- anywhere anywhere
> CUSTOMFORWARD all -- anywhere anywhere
> IPTVFORWARD all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> IPSECFORWARD all -- anywhere anywhere
> OPENSSLVIRTUAL all -- anywhere anywhere /* OPENSSLVIRTUAL FORWARD */
> OUTGOINGFWMAC all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state NEW
> DROP all -- 127.0.0.0/8 anywhere state NEW
> OVPNFORWARD all -- anywhere anywhere
> OVPN_BLUE_FORWARD all -- anywhere anywhere
> DROP all -- anywhere 127.0.0.0/8 state NEW
> ACCEPT all -- anywhere anywhere state NEW
> ACCEPT all -- anywhere anywhere state NEW
> WIRELESSFORWARD all -- anywhere anywhere state NEW
> REDFORWARD all -- anywhere anywhere
> DMZHOLES all -- anywhere anywhere state NEW
> PORTFWACCESS all -- anywhere anywhere state NEW
> UPNPFW all -- anywhere anywhere state NEW
> LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "DROP_OUTPUT "
> DROP all -- anywhere anywhere /* DROP_OUTPUT */
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> CUSTOMOUTPUT all -- anywhere anywhere
> OUTGOINGFW all -- anywhere anywhere
> IPSECOUTPUT all -- anywhere anywhere
>
> Chain BADTCP (2 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
> PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
> PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN
> PSCAN tcp -- anywhere anywhere tcpflags: SYN,RST/SYN,RST
> PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN/FIN,SYN
> NEWNOTSYN tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
>
> Chain CUSTOMFORWARD (1 references)
> target prot opt source destination
> ACCEPT udp -- 10.75.18.0/24 192.168.110.1 udp dpt:openvpn
>
> Chain CUSTOMINPUT (1 references)
> target prot opt source destination
> ACCEPT tcp -- 192.168.75.2 ipfire-bbach.local tcp dpt:snpp
> ACCEPT tcp -- 192.168.110.3 ipfire-bbach.local tcp dpt:snpp
> ACCEPT tcp -- 10.1.2.2 ipfire-bbach.local tcp dpt:snpp
> ACCEPT tcp -- 192.168.75.2 ipfire-bbach.local tcp dpt:snpp
> REJECT tcp -- anywhere ipfire-bbach.local tcp dpt:snpp reject-with icmp-port-unreachable
> ACCEPT udp -- 10.75.18.0/24 192.168.110.1 udp dpt:openvpn
> DROP all -- anywhere 192.168.220.255
> DROP all -- anywhere all-systems.mcast.net
> DROP all -- anywhere 192.168.2.255
>
> Chain CUSTOMOUTPUT (1 references)
> target prot opt source destination
>
> Chain DHCPBLUEINPUT (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp spt:bootpc dpt:bootps
> ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
>
> Chain DMZHOLES (2 references)
> target prot opt source destination
>
> Chain GUARDIAN (2 references)
> target prot opt source destination
>
> Chain GUIINPUT (1 references)
> target prot opt source destination
> ACCEPT icmp -- anywhere anywhere icmp echo-request
>
> Chain IPSECFORWARD (1 references)
> target prot opt source destination
>
> Chain IPSECINPUT (1 references)
> target prot opt source destination
>
> Chain IPSECOUTPUT (1 references)
> target prot opt source destination
>
> Chain IPTVFORWARD (1 references)
> target prot opt source destination
>
> Chain IPTVINPUT (1 references)
> target prot opt source destination
>
> Chain LOG_DROP (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
> DROP all -- anywhere anywhere
>
> Chain LOG_REJECT (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
> Chain NEWNOTSYN (1 references)
> target prot opt source destination
> LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
> DROP all -- anywhere anywhere /* DROP_NEWNOTSYN */
>
> Chain OPENSSLPHYSICAL (1 references)
> target prot opt source destination
>
> Chain OPENSSLVIRTUAL (2 references)
> target prot opt source destination
>
> Chain OUTGOINGFW (1 references)
> target prot opt source destination
>
> Chain OUTGOINGFWMAC (1 references)
> target prot opt source destination
>
>
> Chain PORTFWACCESS (1 references)
> target prot opt source destination
>
> Chain PSCAN (5 references)
> target prot opt source destination
> LOG tcp -- anywhere anywhere limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
> LOG udp -- anywhere anywhere limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
> LOG icmp -- anywhere anywhere limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
> LOG all -f anywhere anywhere limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
> DROP all -- anywhere anywhere /* DROP_PScan */
>
> Chain REDFORWARD (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain REDINPUT (1 references)
> target prot opt source destination
>
> Chain UPNPFW (1 references)
> target prot opt source destination
>
> Chain WIRELESSFORWARD (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere MAC 00:17:F2:CD:C9:8B
> DMZHOLES all -- anywhere anywhere MAC 00:17:F2:CD:C9:8B
> LOG all -- anywhere anywhere LOG level warning prefix "DROP_Wirelessforward"
> DROP all -- anywhere anywhere /* DROP_Wirelessforward */
>
> Chain WIRELESSINPUT (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere MAC 00:17:F2:CD:C9:8B
> LOG all -- anywhere anywhere LOG level warning prefix "DROP_Wirelessinput"
> DROP all -- anywhere anywhere /* DROP_Wirelessinput */
>
> Chain XTACCESS (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere 192.168.2.2 tcp dpt:ident
>
>
> Erik
>
>
> Am 12.07.2013 um 00:06 schrieb Michael Tremer:
>
> > Could you provide the iptables ruleset that is loaded?
> >
> > This should not be caused by the latest NAT changes in core update 70.
> > But that's just a wild guess.
> >
> > -Michael
> >
> > On Thu, 2013-07-11 at 20:33 +0200, Erik K. wrote:
> >> Hi all,
> >> have tried today Core 70 and OpenVPN N2N and i have had problems to establish the connection.
> >>
> >> The infrastructure:
> >>
> >> IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire
> >>
> >> So both sides with double NAT. The log messages gives me the following back
> >>
> >> Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
> >> Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
> >> Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
> >> have never seen this message (in the middle) before...
> >>
> >> So i looked to the configuration file on the TLS-client where the "Remote Host/IP" was stated with the 192.168.20.2 (red0 IP), i changed it then to the remote IP (in versions before Core 70 this was not necessary) and the following log output was stated.
> >>
> >> Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
> >> Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
> >> Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
> >>
> >>
> >> Looks like a closed firewall. Portforwarding from both upstream routers to IPFire was made, outgoing FW was in mode 0 .
> >>
> >> May some one have an idea what´s causing this problem ?
> >>
> >>
> >> Greetings
> >>
> >>
> >> Erik
> >>
> >>
> >> _______________________________________________
> >> Development mailing list
> >> Development(a)lists.ipfire.org
> >> http://lists.ipfire.org/mailman/listinfo/development
> >
> >
> > _______________________________________________
> > Development mailing list
> > Development(a)lists.ipfire.org
> > http://lists.ipfire.org/mailman/listinfo/development
>
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
prev parent reply other threads:[~2013-07-12 11:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-11 18:33 Erik K.
2013-07-11 22:06 ` Michael Tremer
2013-07-12 9:04 ` Erik K.
2013-07-12 11:24 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1373628263.15464.164.camel@rice-oxley.tremer.info \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox