I'm trying to get NordVPN/OpenVPN working with my laptop that is visible to the internet and has port 22 open.
The trouble appears to be in my iptables firewall.
As I understand it, the flow of a packet should be
1) raw prerouting
2) mangle prerouting
3) nat prerouting
4) either mangle forward or mangle input
My port 22 SYN packets seem to be getting lost between (4) and (5).
The following are some of my iptables rules (these rules are contiguous):
Code:
$IPT -t filter -A INPUT -i tun+ -j LOG --log-prefix "ssh filter input tun: "
$IPT -t filter -A FORWARD -i tun+ -j LOG --log-prefix "ssh filter forward tun: "
$IPT -t filter -A OUTPUT -o tun+ -j LOG --log-prefix "ssh filter output tun: "
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A FORWARD -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT
$IPT -t filter -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "ssh filter forward: "
$IPT -t filter -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh filter input: "
$IPT -t filter -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh filter output: "
$IPT -t mangle -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "ssh mangle forward: "
$IPT -t mangle -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh mangle input: "
$IPT -t mangle -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh mangle output: "
$IPT -t mangle -A POSTROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh mangle postrouting: "
$IPT -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh mangle prerouting: "
$IPT -t nat -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh nat prerouting: "
$IPT -t nat -A POSTROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh nat postrouting: "
$IPT -t raw -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh raw prerouting: "
$IPT -t raw -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh raw output: "
$IPT -t security -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh security input: "
$IPT -t security -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "ssh security forward: "
$IPT -t security -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh security output: "
All I get is (edited):
Code:
ssh raw prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17534 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh mangle prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17534 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh nat prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17534 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh raw prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17535 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh mangle prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17535 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh nat prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17535 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
HELP!
Kevin
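An added example, not code from the post above: a small Python script that reads the kernel log lines produced by per-table LOG rules like the ones shown, groups the hits per packet (by SRC, SPT and IP ID), reports the last hook each packet was logged in and names the stage that should have followed it, and flags a client that re-sent the same SYN. The hook order it encodes is the standard netfilter traversal for a packet arriving on an interface; the "<routing decision>" entry is not a chain, it is the point between nat PREROUTING and the INPUT/FORWARD chains where the kernel decides whether the packet is local or forwarded. The sample log lines are constructed from the two SYNs in the post, with the poster's redacted 999.x source address kept as is.

```python
"""Trace iptables LOG hits per packet through the netfilter hooks (added example)."""
import re
from collections import OrderedDict

# Standard netfilter order for an incoming packet that is delivered locally ...
LOCAL_PATH = [
    "raw prerouting", "mangle prerouting", "nat prerouting",
    "<routing decision>",
    "mangle input", "filter input", "security input",
]
# ... and for an incoming packet that is forwarded to another interface.
FORWARD_PATH = [
    "raw prerouting", "mangle prerouting", "nat prerouting",
    "<routing decision>",
    "mangle forward", "filter forward", "security forward",
    "mangle postrouting", "nat postrouting",
]

# Matches the prefixes used by the rules in the post, e.g. "ssh nat prerouting: IN=wlan ..."
LOG_RE = re.compile(r"ssh (?P<hook>[a-z ]+?): (?P<fields>.*)$")


def parse_line(line):
    """Return (hook, {field: value}) for a LOG line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:          # flag words such as DF or SYN carry no '='
            key, value = token.split("=", 1)
            fields[key] = value
    return m.group("hook"), fields


def trace_packets(lines):
    """Map (SRC, SPT, IP ID) -> ordered list of hooks the packet was logged in."""
    seen = OrderedDict()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        hook, f = parsed
        seen.setdefault((f.get("SRC"), f.get("SPT"), f.get("ID")), []).append(hook)
    return seen


def next_stage(last_hook):
    """Name the stage after last_hook, None if last_hook ends a path, 'unknown' if unrecognised."""
    for path in (LOCAL_PATH, FORWARD_PATH):
        if last_hook in path:
            i = path.index(last_hook)
            return None if i == len(path) - 1 else path[i + 1]
    return "unknown"


def report(lines):
    """One finding per packet: (src, sport, ip_id, last_hook_seen, stage_never_reached)."""
    findings = []
    for (src, spt, ip_id), hooks in trace_packets(lines).items():
        findings.append((src, spt, ip_id, hooks[-1], next_stage(hooks[-1])))
    return findings


def retransmitted_syns(lines):
    """Distinct IP IDs per (SRC, SPT); more than one means the client re-sent an unanswered SYN."""
    ids = {}
    for src, spt, ip_id in trace_packets(lines):
        ids.setdefault((src, spt), set()).add(ip_id)
    return {k: len(v) for k, v in ids.items() if len(v) > 1}


# Constructed sample built from the two SYNs quoted in the post.
SAMPLE = """\
ssh raw prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17534 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh mangle prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17534 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh nat prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17534 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh raw prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17535 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh mangle prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17535 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh nat prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17535 DF PROTO=TCP SPT=42583 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
""".splitlines()

if __name__ == "__main__":
    for src, spt, ip_id, last, nxt in report(SAMPLE):
        print(f"{src}:{spt} id={ip_id}: last seen in '{last}', never reached '{nxt}'")
    for (src, spt), n in retransmitted_syns(SAMPLE).items():
        print(f"{src}:{spt}: SYN sent {n} times without an answer")
```

Run against real output with `journalctl -k | python3 trace.py` style piping, or paste lines into SAMPLE. On the sample it reports both packets as last seen in nat prerouting with the routing decision never passed, and one client that sent its SYN twice. No iptables chain runs between nat PREROUTING and the mangle INPUT/FORWARD chains, so a packet that vanishes there is discarded by the routing step itself; on a host whose default route points into a VPN tunnel the usual cause is the kernel's reverse-path filter (`net.ipv4.conf.*.rp_filter`) rejecting packets whose reply would leave by a different interface than the one they arrived on. `sysctl net.ipv4.conf.all.rp_filter` and temporarily setting `log_martians=1` on the interface are the quick checks for that.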