LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 10-30-2014, 09:39 AM   #1
Dannermax
LQ Newbie
 
Registered: Jun 2014
Posts: 26

IP tables are randomly blocking Internet connection when using open VPN


Hello everyone.

I hope this is the right place to post my question. I am running Raspbian (Debian) on my Raspberry Pi. It is connected to a VPN server, and I have had help to create these IP table rules, which I have put into the /etc/rc.local file. This is the only way I could make the IP table rules persistent and still have an Internet connection when my system starts up.

But the problem is that my system's outgoing connection (not LAN) is getting blocked once or twice every day. If I restart the system, then I have an outgoing connection. But it is really frustrating that I have to restart my system a couple of times every day, and not knowing when I have to restart.

here are my IP table rules:

Code:
#!/bin/sh
/sbin/iptables -A INPUT -p tcp --dport 22 -s 192.168.1.50 -j ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j LOG
/sbin/iptables -A OUTPUT -o eth0 -j REJECT
/sbin/iptables -A INPUT -i tun0 -p tcp --dport 11633 -j ACCEPT
/sbin/iptables -A INPUT -i tun0 -p udp --dport 11633 -j ACCEPT
exit 0
So, is there any way I could make my system retain an outgoing Internet connection, without having to restart the system randomly? And I am streaming video from my Raspberry Pi, so I hope for a solution where I have a constant connection to it over my home network. By this I mean a solution where I don't need to restart the system or the network interface.

I have also tried adding my VPN provider's host names in the allow.host file, but this didn't change anything.

I really hope someone has an idea of what I can do. This problem has been bugging me for a year now, and I have heard a lot of positive things about this site. Fingers crossed and thanks for reading my post.
 
Old 10-30-2014, 03:06 PM   #2
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

First of all, are all outgoing connections blocked or only the openvpn tunnel?
Check system logs for messages, we need to see exactly what happens.
Quote:
Originally Posted by Dannermax
... these IP table rules, which I have put into the /etc/rc.local file. This is the only way I could make the IP table rules persistent and still have an Internet connection when my system starts up.
What about "iptables-save"? That should save the rules and make them persistent.
Quote:
... my system's outgoing connection (not LAN) is getting blocked once or twice every day. If I restart the system, then I have an outgoing connection
This could happen if the OpenVPN remote server has changed IP. Does it use DHCP on its WAN?
But that IP (of the remote VPN servers) is hardcoded in the config file, right? If not, and the IP is somehow written to the config file at bootup, here you have the problem.
If the IP is hardcoded in the OpenVPN config file, then why that line "/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT"?
 
Old 10-30-2014, 04:32 PM   #3
brebs
Member
 
Registered: May 2013
Posts: 89

You are making the usual firewall mistake of blocking all ICMP packets, and thus creating communication problems which ICMP is designed to smooth out. Allow them.

I can't say for sure that this is causing your problem, but it certainly isn't helping.
 
Old 10-31-2014, 02:46 PM   #4
Dannermax
LQ Newbie
 
Registered: Jun 2014
Posts: 26

Original Poster
Thank you for your reply.

Quote:
First of all, are all outgoing connections blocked or only the openvpn tunnel?
Check system logs for messages, we need to see exactly what happens.
As far as I can see, it is only the OpenVPN tunnel which is blocked, and the reason why I have these IP table rules is because I want my Internet connection to be blocked in case the connection to the VPN server is lost. The connection has not been blocked since the last reboot (typical), but I will post the log file as soon as I can. Is there a specific log file I should look in?

Earlier I have used this command to log problems with the VPN tunnel:

tail -F /var/log/syslog

I will give you the output of this command as soon as the connection drops.

Quote:
What about "iptables-save"? That should save the rules and make them persistent.
I have already tried adding my IP table rules with the package called iptables-persistent.
When I used this package with my rules, I did not have an outgoing connection through the VPN tunnel, and a reboot didn't solve that. That is why I thought it wouldn't make a difference with iptables-save.

Quote:
If the ip is hardcoded in the openvpn config file, then why that line "/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT"?
The person who helped me create these rules wrote this about the specific rule you mention:

Quote:
Parse the ovpn files found in /etc/openvpn and allow outbound traffic to any servers listed.
Yes, I will agree with you that a specific number of IP addresses is being loaded into a file in OpenVPN, but I do not know where that is. If I do this command:

iptables -L -n

I am getting a whole lot of different IP addresses from my VPN host.
But the funny thing is that if I run my system without IP table rules, and of course connected to my VPN service, I am getting a stable connection and I don't need to restart now and then. I also have a list of all the IP addresses my VPN service offers, but I don't know how I can use that to solve my problem.

I hope I have made myself understandable. I am not that fluent in Linux, so please bear with me! Looking forward to hearing your response.
 
Old 10-31-2014, 02:55 PM   #5
Dannermax
LQ Newbie
 
Registered: Jun 2014
Posts: 26

Original Poster
Hi brebs

I have never heard about ICMP packets before. Could you tell me how I write these rules? And where should I place them in my IP table rules?

Could they look like this?

/sbin/iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 10-31-2014, 03:09 PM   #6
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Ahaa!
I think I've got it: your VPN service has multiple IPs to use for its tunnels, and at random intervals the IP you connect to changes.
But you say you have a list of all the IP addresses your VPN service offers, so why not just add all those to your iptables rules? It won't really compromise your security.
Quote:
Originally Posted by Dannermax
But the funny thing is that if I run my system without IP table rules, and of course connected to my VPN service, I am getting a stable connection and I don't need to restart now and then.
Exactly, very sane this. It is your firewall (iptables) that blocks, so disabling it means never blocked.

As for ICMP, if you need extremely high security you don't respond to ping, but normally I agree with brebs you should allow it / respond.
So add:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
(Can't test it right now, but I think I got it right.)

As for
Quote:
I have already tried adding my IP table rules with the package called iptables-persistent.
When I used this package with my rules, I did not have an outgoing connection through the VPN tunnel, and a reboot didn't solve that. That is why I thought it wouldn't make a difference with iptables-save.
I don't understand this - I understand what you're saying, I just don't understand why it's happening.
 
Old 10-31-2014, 03:31 PM   #7
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

And of course, if all VPN remote addresses are already allowed, give us this:
The result of iptables -L *when everything works* and the same when the VPN is blocked.
You have public IPs there, so maybe you don't want to post them. But just compare for yourself the output of "iptables -L" before & after, and compare it with the list of VPN addresses you have.
 
Old 10-31-2014, 03:33 PM   #8
Dannermax
LQ Newbie
 
Registered: Jun 2014
Posts: 26

Original Poster
Okay, let's say you are right about the IP addresses. But where in the list of rules would I put them, and what would they look like?

Also for the ICMP rules, where do I put them?

It is not because I am lazy and do not want to Google this, but it is just too complex for me to understand. But I hope you are right about the IP addresses... seems logical :-)
 
Old 10-31-2014, 03:36 PM   #9
brebs
Member
 
Registered: May 2013
Posts: 89

No, you're both missing the point about ICMP. The "echo" part of ICMP is insignificant. Destination unreachable is *far* more important.

Just google "icmp blocking", and read e.g. this.

Rate-limit ICMP if you're paranoid, but if you're *normal*, then just allow *ALL* ICMP through. Or point to an actual present-day vulnerability regarding ICMP (ignoring the boring DoS).
 
Old 10-31-2014, 03:37 PM   #10
Dannermax
LQ Newbie
 
Registered: Jun 2014
Posts: 26

Original Poster
Quote:
And of course, if all VPN remote addresses are already allowed, give us this:
The result of iptables -L *when everything works* and the same when the VPN is blocked.
You have public IPs there, so maybe you don't want to post them. But just compare for yourself the output of "iptables -L" before & after, and compare it with the list of VPN addresses you have.
I will do this as soon as possible. My time at the computer is limited at the moment, but I really want to solve this problem. I will report back soon!
 
Old 11-01-2014, 10:43 AM   #11
Dannermax
LQ Newbie
 
Registered: Jun 2014
Posts: 26

Original Poster
Okay, I now have an error log:

Code:
root@raspberrypi:/home/pi# tail -F /var/log/syslog
Nov  1 10:30:23 raspberrypi kernel: [184736.259978] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39852 DF PROTO=UDP SPT=45923 DPT=53 LEN=40
Nov  1 10:30:28 raspberrypi ovpn-My–VPN–service_linux [2269]: RESOLVE: Cannot resolve host address: My–VPN-hostname.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Nov  1 10:30:28 raspberrypi kernel: [184741.264621] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39853 DF PROTO=UDP SPT=53456 DPT=53 LEN=40
Nov  1 10:30:38 raspberrypi kernel: [184751.272291] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39854 DF PROTO=UDP SPT=48792 DPT=53 LEN=40
Nov  1 10:30:43 raspberrypi kernel: [184756.278095] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39855 DF PROTO=UDP SPT=51924 DPT=53 LEN=40
Nov  1 10:30:48 raspberrypi kernel: [184761.283005] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39856 DF PROTO=UDP SPT=57933 DPT=53 LEN=40
Nov  1 10:30:53 raspberrypi kernel: [184766.287643] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39857 DF PROTO=UDP SPT=48068 DPT=53 LEN=40
Nov  1 10:30:58 raspberrypi kernel: [184771.293265] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39858 DF PROTO=UDP SPT=35999 DPT=53 LEN=40
Nov  1 10:31:03 raspberrypi kernel: [184776.297798] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39859 DF PROTO=UDP SPT=43460 DPT=53 LEN=40
Nov  1 10:31:08 raspberrypi kernel: [184781.301535] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39860 DF PROTO=UDP SPT=49379 DPT=53 LEN=40
Nov  1 10:31:13 raspberrypi ovpn-My–VPN-service_linux[2269]: RESOLVE: Cannot resolve host address: My–VPN-hostname.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Nov  1 10:31:13 raspberrypi kernel: [184786.306187] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39861 DF PROTO=UDP SPT=52816 DPT=53 LEN=40
Nov  1 10:31:23 raspberrypi kernel: [184796.313764] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39862 DF PROTO=UDP SPT=35611 DPT=53 LEN=40
Nov  1 10:31:28 raspberrypi kernel: [184801.319973] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39863 DF PROTO=UDP SPT=38079 DPT=53 LEN=40
Nov  1 10:31:33 raspberrypi kernel: [184806.324437] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39864 DF PROTO=UDP SPT=55028 DPT=53 LEN=40
Nov  1 10:31:38 raspberrypi kernel: [184811.329463] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39865 DF PROTO=UDP SPT=36202 DPT=53 LEN=40
Nov  1 10:31:43 raspberrypi kernel: [184816.333453] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39866 DF PROTO=UDP SPT=42974 DPT=53 LEN=40
Nov  1 10:31:48 raspberrypi kernel: [184821.338035] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39867 DF PROTO=UDP SPT=53336 DPT=53 LEN=40
Nov  1 10:31:53 raspberrypi kernel: [184826.342945] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39868 DF PROTO=UDP SPT=45232 DPT=53 LEN=40
Nov  1 10:31:58 raspberrypi ovpn-My–VPN-service_linux[2269]: RESOLVE: Cannot resolve host address: My–VPN-hostname.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Nov  1 10:31:58 raspberrypi kernel: [184831.347327] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39869 DF PROTO=UDP SPT=36970 DPT=53 LEN=40
^C
root@raspberrypi:/home/pi#
I also did:

iptables -L -n

And I compared the IP addresses from when the tunnel was blocked and when I had just restarted the system and the VPN was working. Each output gave me 17 different IP addresses, and they were exactly the same in both incidents.

So what does this log tell you?
 
Old 11-01-2014, 12:37 PM   #12
brebs
Member
 
Registered: May 2013
Posts: 89

DPT=53 means destination port 53, i.e. DNS server lookups.

So, switch to a better DNS server? Use dnsmasq (easiest to set up) or unbound (a proper *recursive* DNS server) - either of them will cache your DNS.
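The diagnosis above was done by reading "DPT=53" off the raw syslog lines by eye. The following is an added example, not code posted by anyone in this thread: a small POSIX shell script that summarises the kernel LOG entries produced by an OUTPUT logging rule like the one in the original rc.local, so that the most frequently rejected destination and port stand out immediately. The sample log text is constructed for the example (it copies the format of the thread's excerpt, with made-up addresses in the RFC 5737 range and an invented VPN process name); on a real box the input would come from `/var/log/syslog` or `journalctl -k`.

```shell
#!/bin/sh
# Constructed sample of kernel LOG lines in the same format as the thread's
# syslog excerpt. Addresses, ports and IDs are made up for this example.
SAMPLE_LOG='Nov  1 10:30:23 raspberrypi kernel: [184736.259978] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39852 DF PROTO=UDP SPT=45923 DPT=53 LEN=40
Nov  1 10:30:28 raspberrypi ovpn-example[2269]: RESOLVE: Cannot resolve host address: vpn.example.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Nov  1 10:30:28 raspberrypi kernel: [184741.264621] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39853 DF PROTO=UDP SPT=53456 DPT=53 LEN=40
Nov  1 10:30:31 raspberrypi kernel: [184744.100000] IN= OUT=eth0 SRC=192.168.1.46 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39900 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  1 10:30:35 raspberrypi kernel: [184748.200000] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39901 DF PROTO=UDP SPT=51000 DPT=53 LEN=40'

# summarize_logged: read syslog text on stdin, keep only the kernel LOG lines
# for packets leaving eth0, and print "COUNT PROTO DST DPT" for each distinct
# (protocol, destination, destination port), most frequent first.
summarize_logged() {
    awk '
        /kernel:.*OUT=eth0/ {
            proto = ""; dst = ""; dpt = "-"
            # Every interesting token has the form KEY=VALUE; ICMP has no DPT.
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (proto != "") count[proto " " dst " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_blocked: the single most frequently logged flow, as "PROTO DST DPT".
top_blocked() {
    summarize_logged | head -n 1 | cut -d ' ' -f 2-
}

# dns_blocked_count: how many logged packets were DNS queries (UDP port 53).
# A non-zero value here with a working LAN is the signature of the problem
# diagnosed in this thread: name resolution is being rejected by the firewall.
dns_blocked_count() {
    summarize_logged | awk '$2 == "UDP" && $4 == "53" { n += $1 } END { print n + 0 }'
}

# Stand-alone use: summarise the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_logged
printf 'DNS queries logged: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | dns_blocked_count)"
```

Piping a real log through `summarize_logged` (for example `grep kernel /var/log/syslog | summarize_logged | head`) gives the same answer brebs reached by inspection, but it also reveals any other flow that the catch-all REJECT is silently eating, which a screenful of identical lines hides.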
 
Old 11-01-2014, 01:50 PM   #13
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

192.168.1.1 is your DNS server according to those logs (port 53 UDP). In your iptables-rules you don't list allowing port 53 at all. The log specifically says you're blocking outbound DNS.

Code:
iptables -A OUTPUT -p udp -d 192.168.1.0/24 -m state --state NEW -m udp --dport 53 -j ACCEPT
That rule should go before your OUTPUT reject rule because order matters. When your tunnel "stops working" ping by IP rather than DNS name and ensure that works (in your rules you're currently blocking ICMP ping). To allow ping...

Code:
iptables -A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
If it does then it is most likely just a DNS problem and the above rule should fix it. Some websites working but others not indicates you cache some DNS before you tunnel and when the DNS cache expires for those hosts it seems to "stop working randomly".

Where is 192.168.1.1? Is it an interface on the same box as these iptables rules and VPN host? If so your rule should look something like this.

Code:
iptables -A INPUT -p udp -s 192.168.1.0/24 -m state --state NEW -m udp --dport 53 -j ACCEPT
Blocking ICMP does not make much of a difference as far as your tunnel allowing traffic. Though I agree blocking it from your local networks is silly. You should allow it so clients have the ability to troubleshoot. Restrict ICMP to be allowed from local sources only.

Code:
iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
I have a blog post where I share all of my firewall rules. Feel free to browse it and take any ideas you want. Also, I feel it is a little cleaner to create an /etc/iptables.rules file in iptables-save format and then add an iptables-restore command to /etc/rc.local.

Code:
iptables-restore < /etc/iptables.rules

Last edited by sag47; 11-01-2014 at 02:19 PM. Reason: Adding more iptables examples
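To tie the advice in this post together (the missing DNS rule, the ICMP allowance, rule order, and keeping the rules in an iptables-save file restored from /etc/rc.local), here is an added example that is not sag47's or the original poster's code. It is a POSIX shell script that builds a complete ruleset in iptables-restore format with the same shape as the rc.local rules from post #1 (INPUT dropped by default, eth0 output rejected unless allowed, tun0 port 11633 open), and then checks that the DNS ACCEPT really lands before the REJECT. The interface names, the LAN 192.168.1.0/24, the router 192.168.1.1 and port 11633 come from the thread; the `.ovpn` text and the 198.51.100.x server addresses are constructed for the example and stand in for whatever `remote` lines a real provider config contains. It only writes text and never touches the live firewall, so it runs anywhere.

```shell
#!/bin/sh
# Constructed stand-in for the "remote" lines of /etc/openvpn/*.ovpn.
# The addresses are from the RFC 5737 documentation range, not a real provider.
SAMPLE_OVPN='client
dev tun
remote 198.51.100.10 1194 udp
remote 198.51.100.11 1194 udp
# remote 198.51.100.99 1194   (commented out, so it must be ignored)
remote 198.51.100.10 443 tcp'

# vpn_remotes: print each distinct remote address found in ovpn text on stdin.
# This is the same extraction the thread's grep|cut|sort pipeline performs.
# Note: if a remote is a hostname, iptables resolves it once, at rule-load
# time, and installs one rule per address returned; the allowed set then goes
# stale if the provider's DNS answers change later.
vpn_remotes() {
    awk '$1 == "remote" { print $2 }' | sort -u
}

# generate_rules LAN_CIDR ROUTER_IP [REMOTE...]
# Write a complete ruleset in iptables-save format to stdout. It keeps the
# shape of the rc.local rules from the thread and inserts what was missing:
# DNS to the router (UDP and TCP) and ICMP. Both sit before the final
# LOG/REJECT pair because a chain is evaluated top to bottom, and a rule
# appended after the REJECT is never reached.
generate_rules() {
    lan="$1"; router="$2"; shift 2
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo "-A INPUT -i eth0 -s $lan -j ACCEPT"
    echo '-A INPUT -i tun0 -p tcp --dport 11633 -j ACCEPT'
    echo '-A INPUT -i tun0 -p udp --dport 11633 -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo "-A OUTPUT -o eth0 -d $lan -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "-A OUTPUT -o eth0 -d $router -p udp --dport 53 -j ACCEPT"
    echo "-A OUTPUT -o eth0 -d $router -p tcp --dport 53 -j ACCEPT"
    # DHCP discover goes to the broadcast address, so no -d restriction here.
    echo '-A OUTPUT -o eth0 -p udp --sport 68 --dport 67 -j ACCEPT'
    echo "-A OUTPUT -o eth0 -d $lan -p udp --dport 137:138 -j ACCEPT"
    echo '-A OUTPUT -o eth0 -p icmp -j ACCEPT'
    for remote in "$@"; do
        echo "-A OUTPUT -o eth0 -d $remote -j ACCEPT"
    done
    echo '-A OUTPUT -o eth0 -j LOG --log-prefix "OUTPUT-REJECT: "'
    echo '-A OUTPUT -o eth0 -j REJECT'
    echo 'COMMIT'
}

# first_match PATTERN: 1-based line number of the first ruleset line on stdin
# that contains PATTERN literally, or 0 if there is none.
first_match() {
    n=$(grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# check_order: succeed only if the DNS ACCEPT precedes the OUTPUT REJECT in
# the ruleset read from stdin.
check_order() {
    ruleset=$(cat)
    dns=$(printf '%s\n' "$ruleset" | first_match '--dport 53 -j ACCEPT')
    rej=$(printf '%s\n' "$ruleset" | first_match '-A OUTPUT -o eth0 -j REJECT')
    [ "$dns" -gt 0 ] && [ "$dns" -lt "$rej" ]
}

# Stand-alone use: build the ruleset from the sample and verify its ordering.
RULES=$(generate_rules 192.168.1.0/24 192.168.1.1 $(printf '%s\n' "$SAMPLE_OVPN" | vpn_remotes))
printf '%s\n' "$RULES"
printf '%s\n' "$RULES" | check_order && echo "ok: DNS rule precedes REJECT"
```

On the Pi the output would be redirected to `/etc/iptables.rules` and loaded with `iptables-restore < /etc/iptables.rules` from /etc/rc.local, exactly as suggested above; because the file is loaded atomically there is no window at boot where the policy is DROP but the allow rules are not yet in place, which the line-by-line rc.local script does have. Iptables releases that support `iptables-restore --test` can parse the file without committing it, which is a cheap way to catch a typo before rebooting a headless box.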
 
Old 11-01-2014, 02:19 PM   #14
Dannermax
LQ Newbie
 
Registered: Jun 2014
Posts: 26

Original Poster
Quote:
ping by IP rather than DNS name and ensure that works
I use this command to check whether or not the tunnel is working:
Code:
curl ifconfig.me
What kind of ping would you say this is? And can I still use the first rule you posted?

The IP address 192.168.1.1
is my router. So what do you make of that?

I will have a look at your blog post. I just hope that I am able to understand any of it. :-)

Quote:
That rule should go before your OUTPUT Reject rule
By this you mean that the rule should be located ABOVE the reject output rule?

Sorry about all the questions..:-)
 
Old 11-01-2014, 02:27 PM   #15
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Quote:
Originally Posted by Dannermax
I use this command to check whether or not the tunnel is working:
Code:
curl ifconfig.me
What kind of ping would you say this is? And can I still use the first rule you posted?
That's not a ping but an HTTP GET request over port 80. By ping I meant ICMP ping using the actual ping command. Yes, that first rule should fix your issue.

Quote:
Originally Posted by Dannermax
The IP address 192.168.1.1
is my router. So what do you make of that?

I will have a look at your blog post. I just hope that I am able to understand any of it. :-)
If that's your router then you only need that outbound rule I posted. Your router is routing DNS queries so it is the DNS server as far as your clients are concerned.


Quote:
Originally Posted by Dannermax
By this you mean that the rule should be located ABOVE the reject output rule?

Sorry about all the questions..:-)
Yes that's what I mean. No need to apologize for curiosity. Also, re-read my last post. I heavily updated it with more examples.

Last edited by sag47; 11-01-2014 at 02:34 PM.
 
  

