LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
01-04-2015, 10:00 PM   #1
dpcioc (LQ Newbie; Registered: Jan 2015; Location: Toronto; Distribution: Xubuntu, Raspbian; Posts: 4)

Connection timed out when using a second gateway


Hi everyone!

Intro
I am trying to build a server with my Raspberry Pi (using the latest version of Raspbian, without any graphical interface). I have already looked at the Ubuntu and Debian wiki pages about iptables and searched on Google a lot to finally make it work. But it doesn't work anymore and I don't know why... Basically, I installed openvpn. I use it as a client (with --route-noexec so it doesn't change my routing table when I connect) to connect to PIA, and as a server. The server's traffic can't go over the VPN client. When someone connects to my server, he gets to browse the web using the Tor network, except when accessing my server's internal IP. Moreover, I use dnscrypt and OpenNIC for DNS. I have already done the configuration for this and it worked. My problem is that it doesn't work anymore...

Network related problem
To test my Internet connection, I try wget google.ca. It finds Google's IP (so the DNS server works), but I get failed: Connection timed out. Let me post the bash scripts before I continue explaining the situation.

firewall.sh
Code:
#!/bin/bash
# Get the PIA tunnel address; tun0 only exists once pia.sh has run
piaip="$(ifconfig tun0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')"
if [ -z "$piaip" ]
then
    echo "Run pia.sh first!"
    exit 1
fi

# clear everything.
iptables -F
iptables -t nat -F
iptables -t mangle -F

# set rules
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# pia
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE # NAT everything leaving via tun0 (appended first, so the SNAT rule further down is never reached)
iptables -t mangle -A OUTPUT -j MARK --set-mark 3 # mark all locally generated traffic 3 so the pia rule routes it via tun0
# set the exceptions (later mangle rules overwrite the mark with 4, which no ip rule matches, so this traffic uses the main table)
iptables -t mangle -A OUTPUT -p udp --dport 1194 -j MARK --set-mark 4 # openvpn client
iptables -t mangle -A OUTPUT -p udp --dport 443 -d 142.4.205.47 -j MARK --set-mark 4 # opennic dns
iptables -t mangle -A OUTPUT -p udp --sport 911 -j MARK --set-mark 4 # openvpn server
iptables -t mangle -A OUTPUT -o tun3 -j MARK --set-mark 4 # allow my clients to function
# end exceptions
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source "$piaip" # rewrite the source to the tunnel address

# openvpn server and tor
iptables -A INPUT -i wlan0 -p udp --dport 911 -j ACCEPT # openvpn server
iptables -A INPUT -i tun3 -p udp --dport 53 -j ACCEPT # tor dns
iptables -A INPUT -i tun3 -p tcp -j ACCEPT # allow connections to this server over openvpn server
iptables -t nat -A PREROUTING -i tun3 -p tcp -d 10.8.0.1 -j DNAT --to-destination 10.8.0.1 # don't send this over tor: hitting a nat target ends nat processing for the connection, so the REDIRECT below is skipped
iptables -t nat -A PREROUTING -i tun3 -p tcp --syn -j REDIRECT --to-ports 9040 # send everything else over tor

pia.sh
Code:
#!/bin/bash
echo 'pia.sh: working...'
# start the client connection to the PIA servers; --route-noexec keeps openvpn
# from touching the main routing table
openvpn --script-security 2 --config /etc/openvpn/pia/config.ovpn --daemon --route-noexec
sleep 5   # give tun0 time to come up

# add the policy rule if it is missing
piarule="$(ip rule ls | grep pia)"
if [ -z "$piarule" ]
then
    ip rule add from all fwmark 0x3 table pia
fi

# flush leftover routes from table pia, if any, then add the new ones
piaroute="$(ip route show table pia)"
piag="$(ifconfig tun0 | grep 'inet addr:' | cut -d: -f3 | awk '{ print $1 }')"   # P-t-P peer address = tunnel gateway
if [[ -n "$piaroute" ]]
then
    ip route flush table pia
fi
ip route add default via 127.0.0.1 dev lo table pia   # fallback: if the tun0 routes vanish, marked traffic is blackholed instead of leaking via wlan0
ip route add 0.0.0.0/1 via "$piag" dev tun0 table pia   # the two /1 routes are more specific than the lo default
ip route add 128.0.0.0/1 via "$piag" dev tun0 table pia
echo 'pia.sh: done'

sysctl.conf
Code:
net.ipv4.conf.default.rp_filter=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_source_route = 0

If I don't mark outgoing packets with 0x3, so that they don't go over the gateway in table pia, wget google.ca is successful. Does anybody know what's wrong?

SOLVED!
Now it works again. I commented out the 3 lines above in sysctl.conf (everything in that file is now commented out) and I removed the masquerade line in firewall.sh. I will soon post a tutorial about how to make a server like mine.

Last edited by dpcioc; 01-05-2015 at 01:48 PM. Reason: I found a solution
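As an added example (not code from the post), this Python model reproduces the post's fwmark rule, the pia table and the kernel's reverse-path check: the marked request leaves via tun0, but the reply's source address is routed via wlan0 in the main table, so rp_filter=1 (strict) drops it while loose mode (2) still accepts it. The devices, tables and addresses are constructed from the post, not taken from a real system.

```python
"""Model of the post's fwmark policy routing plus Linux reverse-path filtering
(rp_filter), showing why the reply to a marked packet is dropped in strict mode.
Added example; the tables below are constructed from the post (wlan0, tun0,
tun3, table pia, fwmark 3) and the addresses are made-up samples."""
import ipaddress

# (prefix, egress device) per table. main: LAN default via wlan0, the OpenVPN
# server subnet via tun3. pia: 0/1 + 128/1 via tun0 (they beat the /0) and a
# default via lo so marked traffic is blackholed, not leaked, if tun0 goes away.
TABLES = {
    "main": [("0.0.0.0/0", "wlan0"), ("192.168.1.0/24", "wlan0"), ("10.8.0.0/24", "tun3")],
    "pia": [("0.0.0.0/0", "lo"), ("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")],
}
# ip rule, in priority order: "from all fwmark 0x3 table pia", then main.
RULES = [(3, "pia"), (None, "main")]


def lookup(table, dst):
    """Longest-prefix match of dst in one table; returns the egress device."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(dst, fwmark=None):
    """Policy routing: the first rule whose mark matches chooses the table."""
    for mark, table in RULES:
        if mark is None or mark == fwmark:
            dev = lookup(table, dst)
            if dev is not None:
                return dev
    return None


def rp_filter_accepts(mode, src, in_dev):
    """Reverse-path check for a packet arriving on in_dev. The kernel routes
    the packet's *source* address; an incoming reply carries no fwmark (nothing
    in the post restores one), so only the main table is consulted.
    mode 0: off, 1: strict (in_dev must be the best reverse path),
    2: loose (the source must be reachable via some interface)."""
    if mode == 0:
        return True
    reverse_dev = route(src)
    if mode == 1:
        return reverse_dev == in_dev
    return reverse_dev is not None
```

Loose mode keeps an anti-spoofing check in place, whereas the fix in the post turns the check off entirely.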
 
  

