From: "Erik K." <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Problems with Core 70 and OpenVPN N2N
Date: Fri, 12 Jul 2013 11:04:08 +0200
Message-ID: <C6477DCC-8A6B-4F27-8D90-50799C690DB2@ipfire.org>
In-Reply-To: <1373580399.10320.44.camel@hughes.tremer.info>
Hi Michael,
here are the OVPN chains:
Chain OVPNFORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OVPNINPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:carrius-rshell
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:5329
Chain OVPN_BLUE_FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OVPN_BLUE_INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:carrius-rshell
ACCEPT all -- anywhere anywhere
and the rest of iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
BADTCP all -- anywhere anywhere
CUSTOMINPUT all -- anywhere anywhere
GUARDIAN all -- anywhere anywhere
IPTVINPUT all -- anywhere anywhere
GUIINPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
IPSECINPUT all -- anywhere anywhere
OPENSSLVIRTUAL all -- anywhere anywhere /* OPENSSLVIRTUAL INPUT */
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT !icmp -- anywhere anywhere state NEW
DHCPBLUEINPUT all -- anywhere anywhere
OVPNINPUT all -- anywhere anywhere
OVPN_BLUE_INPUT all -- anywhere anywhere
OPENSSLPHYSICAL all -- anywhere anywhere
WIRELESSINPUT all -- anywhere anywhere state NEW
REDINPUT all -- anywhere anywhere
XTACCESS all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP all -- anywhere anywhere /* DROP_INPUT */
Chain FORWARD (policy DROP)
target prot opt source destination
BADTCP all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
GUARDIAN all -- anywhere anywhere
CUSTOMFORWARD all -- anywhere anywhere
IPTVFORWARD all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
IPSECFORWARD all -- anywhere anywhere
OPENSSLVIRTUAL all -- anywhere anywhere /* OPENSSLVIRTUAL FORWARD */
OUTGOINGFWMAC all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
OVPNFORWARD all -- anywhere anywhere
OVPN_BLUE_FORWARD all -- anywhere anywhere
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
WIRELESSFORWARD all -- anywhere anywhere state NEW
REDFORWARD all -- anywhere anywhere
DMZHOLES all -- anywhere anywhere state NEW
PORTFWACCESS all -- anywhere anywhere state NEW
UPNPFW all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "DROP_OUTPUT "
DROP all -- anywhere anywhere /* DROP_OUTPUT */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
CUSTOMOUTPUT all -- anywhere anywhere
OUTGOINGFW all -- anywhere anywhere
IPSECOUTPUT all -- anywhere anywhere
Chain BADTCP (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN tcp -- anywhere anywhere tcpflags: SYN,RST/SYN,RST
PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN/FIN,SYN
NEWNOTSYN tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
Chain CUSTOMFORWARD (1 references)
target prot opt source destination
ACCEPT udp -- 10.75.18.0/24 192.168.110.1 udp dpt:openvpn
Chain CUSTOMINPUT (1 references)
target prot opt source destination
ACCEPT tcp -- 192.168.75.2 ipfire-bbach.local tcp dpt:snpp
ACCEPT tcp -- 192.168.110.3 ipfire-bbach.local tcp dpt:snpp
ACCEPT tcp -- 10.1.2.2 ipfire-bbach.local tcp dpt:snpp
ACCEPT tcp -- 192.168.75.2 ipfire-bbach.local tcp dpt:snpp
REJECT tcp -- anywhere ipfire-bbach.local tcp dpt:snpp reject-with icmp-port-unreachable
ACCEPT udp -- 10.75.18.0/24 192.168.110.1 udp dpt:openvpn
DROP all -- anywhere 192.168.220.255
DROP all -- anywhere all-systems.mcast.net
DROP all -- anywhere 192.168.2.255
Chain CUSTOMOUTPUT (1 references)
target prot opt source destination
Chain DHCPBLUEINPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
Chain DMZHOLES (2 references)
target prot opt source destination
Chain GUARDIAN (2 references)
target prot opt source destination
Chain GUIINPUT (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain IPSECFORWARD (1 references)
target prot opt source destination
Chain IPSECINPUT (1 references)
target prot opt source destination
Chain IPSECOUTPUT (1 references)
target prot opt source destination
Chain IPTVFORWARD (1 references)
target prot opt source destination
Chain IPTVINPUT (1 references)
target prot opt source destination
Chain LOG_DROP (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
DROP all -- anywhere anywhere
Chain LOG_REJECT (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain NEWNOTSYN (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
DROP all -- anywhere anywhere /* DROP_NEWNOTSYN */
Chain OPENSSLPHYSICAL (1 references)
target prot opt source destination
Chain OPENSSLVIRTUAL (2 references)
target prot opt source destination
Chain OUTGOINGFW (1 references)
target prot opt source destination
Chain OUTGOINGFWMAC (1 references)
target prot opt source destination
Chain PORTFWACCESS (1 references)
target prot opt source destination
Chain PSCAN (5 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
LOG udp -- anywhere anywhere limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
LOG icmp -- anywhere anywhere limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
LOG all -f anywhere anywhere limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
DROP all -- anywhere anywhere /* DROP_PScan */
Chain REDFORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain REDINPUT (1 references)
target prot opt source destination
Chain UPNPFW (1 references)
target prot opt source destination
Chain WIRELESSFORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:17:F2:CD:C9:8B
DMZHOLES all -- anywhere anywhere MAC 00:17:F2:CD:C9:8B
LOG all -- anywhere anywhere LOG level warning prefix "DROP_Wirelessforward"
DROP all -- anywhere anywhere /* DROP_Wirelessforward */
Chain WIRELESSINPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:17:F2:CD:C9:8B
LOG all -- anywhere anywhere LOG level warning prefix "DROP_Wirelessinput"
DROP all -- anywhere anywhere /* DROP_Wirelessinput */
Chain XTACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.2.2 tcp dpt:ident
Erik
On 12.07.2013 at 00:06, Michael Tremer wrote:
> Could you provide the iptables ruleset that is loaded?
>
> This should not be caused by the latest NAT changes in core update 70.
> But that's just a wild guess.
>
> -Michael
>
> On Thu, 2013-07-11 at 20:33 +0200, Erik K. wrote:
>> Hi all,
>> I tried Core 70 and OpenVPN N2N today and had problems establishing the connection.
>>
>> The infrastructure:
>>
>> IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire
>>
>> So both sides are behind double NAT. The log messages give me the following:
>>
>> Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
>> Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
>> Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
>> I have never seen this message (the one in the middle) before...
>>
>> So I looked at the configuration file on the TLS client, where the "Remote Host/IP" was set to 192.168.20.2 (the red0 IP). I changed it to the remote IP (in versions before Core 70 this was not necessary) and got the following log output.
>>
>> Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
>> Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
>> Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
>>
>>
>> Looks like a closed firewall. Port forwarding from both upstream routers to IPFire was set up, and the outgoing FW was in mode 0.
>>
>> Maybe someone has an idea what's causing this problem?
>>
>>
>> Greetings
>>
>>
>> Erik
>>
>>
>> _______________________________________________
>> Development mailing list
>> Development(a)lists.ipfire.org
>> http://lists.ipfire.org/mailman/listinfo/development
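Michael asks for the loaded ruleset and Erik answers with the text form of `iptables -L`, whitespace collapsed by the mail client. The script below is an added example for this thread, not code from the mail or from IPFire: it parses that text back into chains and rules, lists every rule that names a given destination port (the N2N port 5329 from the thread), and walks the user-defined chains a packet entering INPUT traverses, in evaluation order, so a reviewer can see whether the chain holding the ACCEPT is reachable at all. The embedded sample is a shortened excerpt of Erik's listing; the chain and rule names are taken from it unchanged.

```python
#!/usr/bin/env python3
"""Parse `iptables -L` text and answer two ruleset-review questions:
which rules mention a port, and which user chains a packet entering a
built-in chain walks through, in order.

Added example for the Core 70 / OpenVPN N2N thread; not IPFire code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "Chain INPUT (policy DROP)" or "Chain OVPNINPUT (1 references)"
CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")

# Shortened excerpt of the listing posted in the thread.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
BADTCP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DHCPBLUEINPUT all -- anywhere anywhere
OVPNINPUT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP all -- anywhere anywhere /* DROP_INPUT */

Chain OVPNFORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OVPNINPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:carrius-rshell
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:5329

Chain BADTCP (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain DHCPBLUEINPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
"""


@dataclass
class Rule:
    target: str
    prot: str
    opt: str
    source: str
    destination: str
    extra: str = ""  # match extensions: state, dpt:, limit, comments


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)


def parse_iptables_l(text: str) -> Dict[str, Chain]:
    """Collapsed whitespace (as in a mail) is fine: columns are split on any run of blanks."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_HEADER.match(line)
        if m:
            current = Chain(name=m.group(1), policy=m.group(2))
            chains[current.name] = current
            continue
        if current is None or line.startswith("target "):
            continue  # text before the first chain, or the column header
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        if len(parts) >= 5:
            current.rules.append(Rule(*parts))
    return chains


def rules_for_port(chains: Dict[str, Chain], proto: str, port: int) -> List[Tuple[str, Rule]]:
    """Rules for `proto` (or all) that name dpt:<port>. Collect with `iptables -L -n`
    so ports are printed numerically rather than as service names."""
    needle = f"dpt:{port}"
    return [(c.name, r) for c in chains.values() for r in c.rules
            if r.prot in (proto, "all") and needle in r.extra]


def jump_order(chains: Dict[str, Chain], root: str) -> List[str]:
    """User chains reachable from `root`, depth-first, in the order a packet reaches them."""
    order: List[str] = []

    def walk(name: str) -> None:
        for r in chains[name].rules:
            if r.target in chains and r.target not in order:
                order.append(r.target)
                walk(r.target)

    walk(root)
    return order


def audit_port(chains: Dict[str, Chain], root: str, proto: str, port: int) -> List[Tuple[str, str, bool]]:
    """(chain, target, reachable-from-root) for each rule naming the port.
    Caveat: `iptables -L` without -v hides -i/-o matches, so a rule shown as
    'ACCEPT all anywhere anywhere' may in fact be bound to one interface."""
    reachable = set(jump_order(chains, root))
    return [(chain, rule.target, chain == root or chain in reachable)
            for chain, rule in rules_for_port(chains, proto, port)]


if __name__ == "__main__":
    parsed = parse_iptables_l(SAMPLE)
    print("INPUT walks:", " -> ".join(jump_order(parsed, "INPUT")))
    for chain, target, ok in audit_port(parsed, "INPUT", "udp", 5329):
        print(f"udp/5329: {target} in {chain} (reachable from INPUT: {ok})")
```

Run against Erik's full listing it reports the udp/5329 ACCEPT in OVPNINPUT as reachable from INPUT. Whether that rule actually matches the arriving packets still depends on the interface and address matches that plain `iptables -L` does not print, which is why `iptables -L -n -v` is the more useful form to post when asking someone to review a ruleset.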