See? Firewall rules are fine.

On Fri, 2013-07-12 at 11:04 +0200, Erik K. wrote:
> Hi Michael,
> here are the ovpn chains
>
> Chain OVPNFORWARD (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain OVPNINPUT (1 references)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:5329
>
> Chain OVPN_BLUE_FORWARD (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain OVPN_BLUE_INPUT (1 references)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
> ACCEPT     all  --  anywhere             anywhere
>
> and the rest of iptables -L
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> BADTCP     all  --  anywhere             anywhere
> CUSTOMINPUT  all  --  anywhere           anywhere
> GUARDIAN   all  --  anywhere             anywhere
> IPTVINPUT  all  --  anywhere             anywhere
> GUIINPUT   all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> IPSECINPUT all  --  anywhere             anywhere
> OPENSSLVIRTUAL  all  --  anywhere        anywhere             /* OPENSSLVIRTUAL INPUT */
> ACCEPT     all  --  anywhere             anywhere             state NEW
> DROP       all  --  127.0.0.0/8          anywhere             state NEW
> DROP       all  --  anywhere             127.0.0.0/8          state NEW
> ACCEPT    !icmp --  anywhere             anywhere             state NEW
> DHCPBLUEINPUT  all  --  anywhere         anywhere
> OVPNINPUT  all  --  anywhere             anywhere
> OVPN_BLUE_INPUT  all  --  anywhere       anywhere
> OPENSSLPHYSICAL  all  --  anywhere       anywhere
> WIRELESSINPUT  all  --  anywhere         anywhere             state NEW
> REDINPUT   all  --  anywhere             anywhere
> XTACCESS   all  --  anywhere             anywhere             state NEW
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
> DROP       all  --  anywhere             anywhere             /* DROP_INPUT */
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> BADTCP     all  --  anywhere             anywhere
> TCPMSS     tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
> GUARDIAN   all  --  anywhere             anywhere
> CUSTOMFORWARD  all  --  anywhere         anywhere
> IPTVFORWARD  all  --  anywhere           anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> IPSECFORWARD  all  --  anywhere          anywhere
> OPENSSLVIRTUAL  all  --  anywhere        anywhere             /* OPENSSLVIRTUAL FORWARD */
> OUTGOINGFWMAC  all  --  anywhere         anywhere
> ACCEPT     all  --  anywhere             anywhere             state NEW
> DROP       all  --  127.0.0.0/8          anywhere             state NEW
> OVPNFORWARD  all  --  anywhere           anywhere
> OVPN_BLUE_FORWARD  all  --  anywhere     anywhere
> DROP       all  --  anywhere             127.0.0.0/8          state NEW
> ACCEPT     all  --  anywhere             anywhere             state NEW
> ACCEPT     all  --  anywhere             anywhere             state NEW
> WIRELESSFORWARD  all  --  anywhere       anywhere             state NEW
> REDFORWARD all  --  anywhere             anywhere
> DMZHOLES   all  --  anywhere             anywhere             state NEW
> PORTFWACCESS  all  --  anywhere          anywhere             state NEW
> UPNPFW     all  --  anywhere             anywhere             state NEW
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_OUTPUT "
> DROP       all  --  anywhere             anywhere             /* DROP_OUTPUT */
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> CUSTOMOUTPUT  all  --  anywhere          anywhere
> OUTGOINGFW all  --  anywhere             anywhere
> IPSECOUTPUT  all  --  anywhere           anywhere
>
> Chain BADTCP (2 references)
> target     prot opt source               destination
> RETURN     all  --  anywhere             anywhere
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN,RST
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN/FIN,SYN
> NEWNOTSYN  tcp  --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
>
> Chain CUSTOMFORWARD (1 references)
> target     prot opt source               destination
> ACCEPT     udp  --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn
>
> Chain CUSTOMINPUT (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
> ACCEPT     tcp  --  192.168.110.3        ipfire-bbach.local   tcp dpt:snpp
> ACCEPT     tcp  --  10.1.2.2             ipfire-bbach.local   tcp dpt:snpp
> ACCEPT     tcp  --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
> REJECT     tcp  --  anywhere             ipfire-bbach.local   tcp dpt:snpp reject-with icmp-port-unreachable
> ACCEPT     udp  --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn
> DROP       all  --  anywhere             192.168.220.255
> DROP       all  --  anywhere             all-systems.mcast.net
> DROP       all  --  anywhere             192.168.2.255
>
> Chain CUSTOMOUTPUT (1 references)
> target     prot opt source               destination
>
> Chain DHCPBLUEINPUT (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootpc dpt:bootps
> ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
>
> Chain DMZHOLES (2 references)
> target     prot opt source               destination
>
> Chain GUARDIAN (2 references)
> target     prot opt source               destination
>
> Chain GUIINPUT (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
>
> Chain IPSECFORWARD (1 references)
> target     prot opt source               destination
>
> Chain IPSECINPUT (1 references)
> target     prot opt source               destination
>
> Chain IPSECOUTPUT (1 references)
> target     prot opt source               destination
>
> Chain IPTVFORWARD (1 references)
> target     prot opt source               destination
>
> Chain IPTVINPUT (1 references)
> target     prot opt source               destination
>
> Chain LOG_DROP (0 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
> DROP       all  --  anywhere             anywhere
>
> Chain LOG_REJECT (0 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
> REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
>
> Chain NEWNOTSYN (1 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
> DROP       all  --  anywhere             anywhere             /* DROP_NEWNOTSYN */
>
> Chain OPENSSLPHYSICAL (1 references)
> target     prot opt source               destination
>
> Chain OPENSSLVIRTUAL (2 references)
> target     prot opt source               destination
>
> Chain OUTGOINGFW (1 references)
> target     prot opt source               destination
>
> Chain OUTGOINGFWMAC (1 references)
> target     prot opt source               destination
>
> Chain PORTFWACCESS (1 references)
> target     prot opt source               destination
>
> Chain PSCAN (5 references)
> target     prot opt source               destination
> LOG        tcp  --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
> LOG        udp  --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
> LOG        icmp --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
> LOG        all  -f  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
> DROP       all  --  anywhere             anywhere             /* DROP_PScan */
>
> Chain REDFORWARD (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain REDINPUT (1 references)
> target     prot opt source               destination
>
> Chain UPNPFW (1 references)
> target     prot opt source               destination
>
> Chain WIRELESSFORWARD (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> DMZHOLES   all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessforward"
> DROP       all  --  anywhere             anywhere             /* DROP_Wirelessforward */
>
> Chain WIRELESSINPUT (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessinput"
> DROP       all  --  anywhere             anywhere             /* DROP_Wirelessinput */
>
> Chain XTACCESS (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             192.168.2.2          tcp dpt:ident
>
>
> Erik
>
>
> On 12.07.2013 at 00:06, Michael Tremer wrote:
>
> > Could you provide the iptables ruleset that is loaded?
> >
> > This should not be caused by the latest NAT changes in core update 70.
> > But that's just a wild guess.
> >
> > -Michael
> >
> > On Thu, 2013-07-11 at 20:33 +0200, Erik K. wrote:
> >> Hi all,
> >> I tried Core 70 and OpenVPN N2N today and had problems establishing the connection.
> >>
> >> The infrastructure:
> >>
> >> IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire
> >>
> >> So both sides are behind double NAT. The log messages give me the following:
> >>
> >> Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
> >> Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
> >> Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
> >>
> >> I have never seen this message (the one in the middle) before...
> >>
> >> So I looked at the configuration file on the TLS client, where the "Remote Host/IP" was set to 192.168.20.2 (the red0 IP). I changed it to the remote IP (in versions before Core 70 this was not necessary) and the following log output appeared:
> >>
> >> Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
> >> Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
> >> Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
> >>
> >>
> >> Looks like a closed firewall. Port forwarding from both upstream routers to IPFire was set up, and the outgoing FW was in mode 0.
> >>
> >> Does anyone have an idea what's causing this problem?
> >>
> >>
> >> Greetings
> >>
> >>
> >> Erik
> >>
> >>
> >> _______________________________________________
> >> Development mailing list
> >> Development(a)lists.ipfire.org
> >> http://lists.ipfire.org/mailman/listinfo/development
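Reading a dump like the one above by eye is where a permissive rule gets missed. The script below is an added example and is not code from the thread or from IPFire: it parses `iptables -L` output into chains and rules, then flags chains defined but never referenced, ACCEPT rules that match everything as displayed, and rules behind such an ACCEPT that can never be reached (OVPNINPUT's `udp dpt:5329` rule sits behind an `ACCEPT all` and is dead). The sample dump is constructed from a few of Erik's chains, abridged. One caveat the report states explicitly: plain `iptables -L` does not print interface matches (`-i`/`-o`), so an "ACCEPT all anywhere anywhere" line may really be bound to one interface; confirm with `iptables -L -v -n` or `iptables-save` before calling it a hole.

```python
"""Audit an `iptables -L` dump for catch-all ACCEPTs and dead rules.

Added example; not part of the mailing-list thread or of IPFire.
Sample input below is constructed from chains posted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "Chain INPUT (policy DROP)"  or  "Chain OVPNINPUT (1 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")

# Constructed, abridged from the dump in the thread.
SAMPLE_DUMP = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
BADTCP     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
OVPNINPUT  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP       all  --  anywhere             anywhere             /* DROP_INPUT */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
CUSTOMOUTPUT  all  --  anywhere          anywhere

Chain OVPNINPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5329

Chain CUSTOMOUTPUT (1 references)
target     prot opt source               destination

Chain LOG_DROP (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
DROP       all  --  anywhere             anywhere

Chain PSCAN (5 references)
target     prot opt source               destination
LOG        all  -f  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
DROP       all  --  anywhere             anywhere             /* DROP_PScan */
"""


@dataclass
class Rule:
    target: str
    prot: str
    opt: str           # "--" normally, "-f" for fragment-only rules
    source: str
    destination: str
    extra: str         # everything after the destination column: matches, comments

    def is_catch_all_accept(self) -> bool:
        """ACCEPT with no protocol, address or extra match *as displayed*.
        `iptables -L` without -v hides -i/-o, so this is a lead, not proof."""
        return (self.target == "ACCEPT" and self.prot == "all"
                and self.source == "anywhere" and self.destination == "anywhere"
                and self.extra == "")


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None        # built-in chains only
    references: Optional[int] = None    # user chains only
    rules: List[Rule] = field(default_factory=list)


def parse_iptables_list(text: str) -> dict:
    """Parse `iptables -L` output into {chain name: Chain}, preserving order."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = Chain(name, policy, int(refs) if refs is not None else None)
            chains[name] = current
            continue
        if line.startswith("target "):      # column header
            continue
        if current is None:
            raise ValueError(f"rule before any chain header: {line!r}")
        parts = line.split(None, 5)          # 5 fixed columns, rest is free text
        if len(parts) < 5:
            raise ValueError(f"unparseable rule: {line!r}")
        target, prot, opt, src, dst = parts[:5]
        current.rules.append(Rule(target, prot, opt, src, dst,
                                  parts[5] if len(parts) == 6 else ""))
    return chains


def audit(chains: dict) -> List[Tuple[str, str, int]]:
    """Return (chain, finding, rule number) tuples; rule number 0 = whole chain."""
    findings = []
    for ch in chains.values():
        if ch.references == 0:
            findings.append((ch.name, "unreferenced", 0))
        for i, rule in enumerate(ch.rules, 1):
            if rule.is_catch_all_accept():
                findings.append((ch.name, "catch-all-accept", i))
                # ACCEPT is terminal: nothing after it in this chain is evaluated
                for j in range(i + 1, len(ch.rules) + 1):
                    findings.append((ch.name, "unreachable", j))
                break
    return findings


if __name__ == "__main__":
    for chain, kind, n in audit(parse_iptables_list(SAMPLE_DUMP)):
        where = f"rule {n}" if n else "chain"
        print(f"{chain}: {kind} ({where})")
    print("note: re-check catch-all hits with `iptables -L -v -n`, "
          "which shows the -i/-o interface matches -L omits")
```

Run it against a real box with `iptables -L | python3 audit.py`-style piping by replacing `SAMPLE_DUMP` with `sys.stdin.read()`; the parser tolerates the `-f` option column and free-text match columns such as `limit:` and `/* comments */`.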