From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Problems with Core 70 and OpenVPN N2N
Date: Fri, 12 Jul 2013 13:24:23 +0200
Message-ID: <1373628263.15464.164.camel@rice-oxley.tremer.info>

See? Firewall rules are fine.

On Fri, 2013-07-12 at 11:04 +0200, Erik K. wrote:
> Hi Michael,
> here are the ovpn chains
> 
> Chain OVPNFORWARD (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain OVPNINPUT (1 references)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:5329
> 
> Chain OVPN_BLUE_FORWARD (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain OVPN_BLUE_INPUT (1 references)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
> ACCEPT     all  --  anywhere             anywhere
> 
> and the rest of iptables -L
> 
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> BADTCP     all  --  anywhere             anywhere
> CUSTOMINPUT  all  --  anywhere             anywhere
> GUARDIAN   all  --  anywhere             anywhere
> IPTVINPUT  all  --  anywhere             anywhere
> GUIINPUT   all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> IPSECINPUT  all  --  anywhere             anywhere
> OPENSSLVIRTUAL  all  --  anywhere             anywhere             /* OPENSSLVIRTUAL INPUT */
> ACCEPT     all  --  anywhere             anywhere             state NEW
> DROP       all  --  127.0.0.0/8          anywhere             state NEW
> DROP       all  --  anywhere             127.0.0.0/8          state NEW
> ACCEPT    !icmp --  anywhere             anywhere             state NEW
> DHCPBLUEINPUT  all  --  anywhere             anywhere
> OVPNINPUT  all  --  anywhere             anywhere
> OVPN_BLUE_INPUT  all  --  anywhere             anywhere
> OPENSSLPHYSICAL  all  --  anywhere             anywhere
> WIRELESSINPUT  all  --  anywhere             anywhere             state NEW
> REDINPUT   all  --  anywhere             anywhere
> XTACCESS   all  --  anywhere             anywhere             state NEW
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
> DROP       all  --  anywhere             anywhere             /* DROP_INPUT */
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> BADTCP     all  --  anywhere             anywhere
> TCPMSS     tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
> GUARDIAN   all  --  anywhere             anywhere
> CUSTOMFORWARD  all  --  anywhere             anywhere
> IPTVFORWARD  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> IPSECFORWARD  all  --  anywhere             anywhere
> OPENSSLVIRTUAL  all  --  anywhere             anywhere             /* OPENSSLVIRTUAL FORWARD */
> OUTGOINGFWMAC  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state NEW
> DROP       all  --  127.0.0.0/8          anywhere             state NEW
> OVPNFORWARD  all  --  anywhere             anywhere
> OVPN_BLUE_FORWARD  all  --  anywhere             anywhere
> DROP       all  --  anywhere             127.0.0.0/8          state NEW
> ACCEPT     all  --  anywhere             anywhere             state NEW
> ACCEPT     all  --  anywhere             anywhere             state NEW
> WIRELESSFORWARD  all  --  anywhere             anywhere             state NEW
> REDFORWARD  all  --  anywhere             anywhere
> DMZHOLES   all  --  anywhere             anywhere             state NEW
> PORTFWACCESS  all  --  anywhere             anywhere             state NEW
> UPNPFW     all  --  anywhere             anywhere             state NEW
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_OUTPUT "
> DROP       all  --  anywhere             anywhere             /* DROP_OUTPUT */
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> CUSTOMOUTPUT  all  --  anywhere             anywhere
> OUTGOINGFW  all  --  anywhere             anywhere
> IPSECOUTPUT  all  --  anywhere             anywhere
> 
> Chain BADTCP (2 references)
> target     prot opt source               destination
> RETURN     all  --  anywhere             anywhere
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN,RST
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN/FIN,SYN
> NEWNOTSYN  tcp  --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
> 
> Chain CUSTOMFORWARD (1 references)
> target     prot opt source               destination
> ACCEPT     udp  --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn
> 
> Chain CUSTOMINPUT (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
> ACCEPT     tcp  --  192.168.110.3        ipfire-bbach.local   tcp dpt:snpp
> ACCEPT     tcp  --  10.1.2.2             ipfire-bbach.local   tcp dpt:snpp
> ACCEPT     tcp  --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
> REJECT     tcp  --  anywhere             ipfire-bbach.local   tcp dpt:snpp reject-with icmp-port-unreachable
> ACCEPT     udp  --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn
> DROP       all  --  anywhere             192.168.220.255
> DROP       all  --  anywhere             all-systems.mcast.net
> DROP       all  --  anywhere             192.168.2.255
> 
> Chain CUSTOMOUTPUT (1 references)
> target     prot opt source               destination
> 
> Chain DHCPBLUEINPUT (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootpc dpt:bootps
> ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
> 
> Chain DMZHOLES (2 references)
> target     prot opt source               destination
> 
> Chain GUARDIAN (2 references)
> target     prot opt source               destination
> 
> Chain GUIINPUT (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
> 
> Chain IPSECFORWARD (1 references)
> target     prot opt source               destination
> 
> Chain IPSECINPUT (1 references)
> target     prot opt source               destination
> 
> Chain IPSECOUTPUT (1 references)
> target     prot opt source               destination
> 
> Chain IPTVFORWARD (1 references)
> target     prot opt source               destination
> 
> Chain IPTVINPUT (1 references)
> target     prot opt source               destination
> 
> Chain LOG_DROP (0 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
> DROP       all  --  anywhere             anywhere
> 
> Chain LOG_REJECT (0 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
> REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
> 
> Chain NEWNOTSYN (1 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
> DROP       all  --  anywhere             anywhere             /* DROP_NEWNOTSYN */
> 
> Chain OPENSSLPHYSICAL (1 references)
> target     prot opt source               destination
> 
> Chain OPENSSLVIRTUAL (2 references)
> target     prot opt source               destination
> 
> Chain OUTGOINGFW (1 references)
> target     prot opt source               destination
> 
> Chain OUTGOINGFWMAC (1 references)
> target     prot opt source               destination
> 
> Chain PORTFWACCESS (1 references)
> target     prot opt source               destination
> 
> Chain PSCAN (5 references)
> target     prot opt source               destination
> LOG        tcp  --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
> LOG        udp  --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
> LOG        icmp --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
> LOG        all  -f  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
> DROP       all  --  anywhere             anywhere             /* DROP_PScan */
> 
> Chain REDFORWARD (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain REDINPUT (1 references)
> target     prot opt source               destination
> 
> Chain UPNPFW (1 references)
> target     prot opt source               destination
> 
> Chain WIRELESSFORWARD (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> DMZHOLES   all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessforward"
> DROP       all  --  anywhere             anywhere             /* DROP_Wirelessforward */
> 
> Chain WIRELESSINPUT (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessinput"
> DROP       all  --  anywhere             anywhere             /* DROP_Wirelessinput */
> 
> Chain XTACCESS (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             192.168.2.2          tcp dpt:ident
> 
> 
> Erik
> 
> 
> On 12.07.2013 at 00:06, Michael Tremer wrote:
> 
> > Could you provide the iptables ruleset that is loaded?
> > 
> > This should not be caused by the latest NAT changes in core update 70.
> > But that's just a wild guess.
> > 
> > -Michael
> > 
> > On Thu, 2013-07-11 at 20:33 +0200, Erik K. wrote:
> >> Hi all,
> >> I have tried Core 70 and OpenVPN N2N today and I have had problems establishing the connection.
> >> 
> >> The infrastructure:
> >> 
> >> IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire
> >> 
> >> So both sides are behind double NAT. The log messages give me the following back:
> >> 
> >> Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
> >> Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
> >> Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
> >> 
> >> I have never seen this message (the one in the middle) before...
> >> 
> >> So I looked at the configuration file on the TLS client, where the "Remote Host/IP" was set to 192.168.20.2 (the red0 IP). I then changed it to the remote IP (in versions before Core 70 this was not necessary) and the following log output appeared:
> >> 
> >> Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
> >> Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
> >> Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
> >> 
> >> 
> >> Looks like a closed firewall. Port forwarding from both upstream routers to IPFire was set up, and the outgoing FW was in mode 0.
> >> 
> >> Does anyone have an idea what's causing this problem?
> >> 
> >> 
> >> Greetings
> >> 
> >> 
> >> Erik
> >> 
> >> 
> >> _______________________________________________
> >> Development mailing list
> >> Development(a)lists.ipfire.org
> >> http://lists.ipfire.org/mailman/listinfo/development
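The conclusion "firewall rules are fine" rests on two facts that can be read off the listing above: the OVPNINPUT chain carries an explicit `ACCEPT udp dpt:5329`, and INPUT jumps to OVPNINPUT, so the rule is actually on the packet's path. The script below is an added example (not code from the thread, from IPFire, or from either poster) that automates exactly that check: it parses `iptables -L` output into chains, follows jump targets from a built-in chain to find which user chains are reachable, and reports every rule that explicitly names a protocol and destination port together with its verdict. The `SAMPLE_LISTING` is a constructed, trimmed version of the listing quoted in the mail, and the `SERVICE_NAMES` table is an assumption covering only the `openvpn` service name (1194 in /etc/services) that the listing prints instead of a number.

```python
"""Check an `iptables -L` listing for an explicit ACCEPT of a port on a
chain that a built-in chain (INPUT by default) actually jumps to."""
import re
from collections import deque

# iptables -L prints service names instead of numbers where /etc/services
# knows them; only the name needed for the sample is mapped here (assumption).
SERVICE_NAMES = {"openvpn": 1194}

# Constructed sample: a trimmed copy of the listing quoted in the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
BADTCP     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
OVPNINPUT  all  --  anywhere             anywhere
REDINPUT   all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP       all  --  anywhere             anywhere             /* DROP_INPUT */

Chain BADTCP (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain CUSTOMFORWARD (1 references)
target     prot opt source               destination
ACCEPT     udp  --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn

Chain OVPNINPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5329

Chain REDINPUT (1 references)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((policy \S+|\d+ references)\)$")
DPT_RE = re.compile(r"\bdpt:(\S+)")


def parse_listing(text):
    """Return {chain: {"builtin": bool, "rules": [(target, proto, extra)]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            # Built-in chains print a policy; user chains print a reference count.
            chains[current] = {"builtin": m.group(2).startswith("policy"), "rules": []}
            continue
        if not line.strip() or line.startswith("target ") or current is None:
            continue
        # Columns: target prot opt source destination [match text...]
        parts = line.split(None, 4)
        target, proto = parts[0], parts[1]
        tail = parts[4] if len(parts) == 5 else ""
        extra = tail.split(None, 1)[1] if " " in tail else ""
        chains[current]["rules"].append((target, proto, extra))
    return chains


def dport_of(extra):
    """Destination port named in a rule's match text: int, service name, or None."""
    m = DPT_RE.search(extra)
    if not m:
        return None
    tok = m.group(1)
    return int(tok) if tok.isdigit() else SERVICE_NAMES.get(tok, tok)


def reachable_chains(chains, root="INPUT"):
    """Names of all chains a packet entering `root` can be jumped into."""
    seen, queue = {root}, deque([root])
    while queue:
        for target, _, _ in chains[queue.popleft()]["rules"]:
            if target in chains and target not in seen:   # target is a user chain
                seen.add(target)
                queue.append(target)
    return seen


def explicit_port_rules(chains, proto, port, root="INPUT"):
    """Every rule matching `proto` and destination `port`, as
    (chain, target, reachable_from_root) tuples in listing order."""
    reach = reachable_chains(chains, root)
    return [(name, target, name in reach)
            for name, chain in chains.items()
            for target, rproto, extra in chain["rules"]
            if rproto == proto and dport_of(extra) == port]


def port_is_accepted(chains, proto, port, root="INPUT"):
    """True if a chain reachable from `root` has an explicit ACCEPT for the port."""
    return any(t == "ACCEPT" and r for _, t, r in explicit_port_rules(chains, proto, port, root))


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    for chain, target, reach in explicit_port_rules(chains, "udp", 5329):
        print(f"{chain}: {target} udp/5329 (reachable from INPUT: {reach})")
    print("udp/5329 accepted on INPUT path:", port_is_accepted(chains, "udp", 5329))
    print("udp/1194 accepted on INPUT path:", port_is_accepted(chains, "udp", 1194))
```

On the sample this reports `OVPNINPUT: ACCEPT udp/5329 (reachable from INPUT: True)`, and flags that the `dpt:openvpn` rule lives on CUSTOMFORWARD, which INPUT never jumps to. One caveat a practitioner should keep in mind: plain `iptables -L` omits the `-i`/`-o` interface matches and the packet counters, so a check like this can only confirm that an explicit accept exists on a reachable chain, not which interface it is bound to or whether it has ever matched; `iptables -L -v -n` or `iptables-save` shows both, which is the next thing to look at when, as in this thread, the rule is present but the tunnel still times out.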