LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 04-15-2017, 04:15 AM   #1
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 423

Rep: Reputation: 33
Ufw firewall port forwarding for more than one IP interferes with DNS requests?


Hi.
I have a VPS on which I'm running two different LXC containers (Debian Jessie). The first is a VPN server and the second one is a web server.
On the host machine I'm running the ufw firewall, and at first I only used it to port forward traffic for OpenVPN. Thus my /etc/ufw/before.rules file was

Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Flush everything before append
-F
# Forward 1194 port data to the openVPN container
-A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194

# Forward traffic from br0 through eth0.
-A POSTROUTING -s 192.168.1.2/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
At this step the ping and apt update commands are working in both LXC containers (vpn, web). Then I decided to create another port forward rule between port 80 and the web LXC container, and the before.rules file became:

Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Flush everything before append
-F

# Forward 1194 port data to the openVPN container
-A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
# Forward 80 port data to the WEB container
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80

# Forward traffic from br0 through eth0.
-A POSTROUTING -s 192.168.1.2/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
I restarted the ufw firewall and, although the ping command is working, the apt update command in both containers stopped working and stays at this step forever.

Quote:
0% [Connecting to http.debian.net (149.20.4.15)]
If I remove the last added line from the before.rules file then everything is working again.

Why is this happening? Do these iptables rules interfere with DNS requests or something else?

Any hint or idea is welcomed.
Thank you.
 
Old 04-15-2017, 10:52 AM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
First you should be using STATEFUL rules not STATELESS.

Second, since you are using STATELESS rules you are telling ALL http traffic it needs to go to 192.168.1.4, no exceptions.
Quote:
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
Third, you are telling only the traffic from 192.168.1.2 that it needs to be MASQUERADED.
Quote:
-A POSTROUTING -s 192.168.1.2/24 -o eth0 -j MASQUERADE
The reason everything worked before is because you weren't telling 80 traffic it needed to go to another system.


To fix this you need something like this:
Code:
# ADD STATEFUL RULE SO ONLY NEW CONNECTION TO PORT 80 ARE REDIRECTED
-A PREROUTING -p tcp -m conntrack --ctstate NEW --dport 80 -j DNAT --to-destination 192.168.1.4:80
# EVERYTHING LEAVING INTERFACE ETH0 SHOULD BE MASQUERADED
-A POSTROUTING -o eth0 -j MASQUERADE
What the above does is only redirect port 80 traffic that is new and incoming, and masqs all outbound traffic. This allows your internal system to communicate with http and not be redirected by your rules.

In order for the above to work you need to re-write your rules so they are STATEFUL using NEW, ESTABLISHED and RELATED.
Without seeing your entire rule set I cannot tell you what you need to change.
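A check worth running before loading a before.rules like the one above, as an added example that is not part of the thread: a PREROUTING DNAT rule with no ingress-interface match (-i) applies to packets arriving on any interface, including the container bridge br0, so a container's own outbound HTTP connection to a mirror on port 80 is rewritten to 192.168.1.4:80 as well. The script below scans an iptables-save style nat section for exactly that pattern and can rewrite the offending rules to match only the external interface. The sample rule set is constructed from the second before.rules in the thread plus one already scoped port 443 rule; eth0 as the external interface name is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save style nat section
# for PREROUTING DNAT rules that carry no "-i <iface>" match. Such a rule also
# matches packets coming in from br0, so the containers' own outbound HTTP
# gets redirected to the web container.

# Constructed sample: the thread's second before.rules plus a scoped 443 rule.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.4:443
-A POSTROUTING -s 192.168.1.2/24 -o eth0 -j MASQUERADE
COMMIT'

# Print every PREROUTING DNAT rule on stdin that has no "-i <iface>" match.
# Only -i is recognised as scoping; a rule scoped by "-d <public address>"
# would be reported too, so treat hits as rules to review.
unscoped_dnat_rules() {
    grep -E -- '^-A PREROUTING .*-j DNAT' | grep -v -E -- '(^| )-i [^ ]+( |$)'
}

# Number of unscoped DNAT rules in the rule text given as $1 (prints 0 if none).
count_unscoped_dnat() {
    printf '%s\n' "$1" | unscoped_dnat_rules | grep -c . || true
}

# Rewrite stdin so that unscoped PREROUTING DNAT rules match only interface $1;
# rules that already carry -i are left untouched.
scope_dnat_to() {
    iface="$1"
    sed -E -e '/^-A PREROUTING .*-j DNAT/{' \
           -e '/(^| )-i [^ ]+( |$)/!s/^-A PREROUTING /-A PREROUTING -i '"${iface}"' /' \
           -e '}'
}

if [ "${1:-}" = "--demo" ]; then
    echo "Unscoped DNAT rules:"
    printf '%s\n' "$SAMPLE_RULES" | unscoped_dnat_rules
    echo
    echo "Rewritten to match only eth0:"
    printf '%s\n' "$SAMPLE_RULES" | scope_dnat_to eth0
fi
```

On a real host, feed it the nat section of before.rules (`sed -n '/^\*nat/,/^COMMIT/p' /etc/ufw/before.rules | unscoped_dnat_rules`) and confirm the effect after loading with `iptables -t nat -L PREROUTING -v -n`, where the `in` column shows which interface each DNAT rule is bound to.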
 
Old 04-18-2017, 06:01 AM   #3
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 423

Original Poster
Rep: Reputation: 33
Thank you for answering first of all.

I decided to remove the ufw firewall and rewrite the rules in iptables from the beginning.

Let's forget the existence of the web container for a while, so we only have the VPN one. Here are the iptables rules that I am using on the HOST machine.

Code:
 # Generated by iptables-save v1.4.21 on Tue Apr 18 10:37:20 2017
*nat
:PREROUTING ACCEPT [412:26844]
:INPUT ACCEPT [14:863]
:OUTPUT ACCEPT [4:263]
:POSTROUTING ACCEPT [24:1123]
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 18 10:37:20 2017
# Generated by iptables-save v1.4.21 on Tue Apr 18 10:37:20 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [999:126221]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -p udp -m udp --dport 1194 -j ACCEPT
-A fw-interfaces -i br0 -j ACCEPT
-A fw-open -d 192.168.1.2/32 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
# Completed on Tue Apr 18 10:37:20 2017
And here are the commands I used to create them:

Code:
// Filter table
# iptables -N TCP
# iptables -N UDP
# iptables -P OUTPUT ACCEPT
# iptables -P INPUT DROP
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
# iptables -A TCP -p tcp --dport 22 -j ACCEPT
# iptables -A UDP -p udp --dport 1194 -j ACCEPT

// NAT table

# iptables -N fw-interfaces
# iptables -N fw-open
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -j fw-interfaces 
# iptables -A FORWARD -j fw-open 
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreachable
# iptables -P FORWARD DROP
# iptables -A fw-interfaces -i br0 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 192.168.1.1/24 -o eth0 -j MASQUERADE

# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to 192.168.1.2:1194
# iptables -A fw-open -d 192.168.1.2 -p udp --dport 1194 -j ACCEPT
Just to remind you:

The host has an eth0 (10.8.44.199) interface and a bridge br0 (192.168.1.1) interface.
The guest has a veth0 (192.168.1.2) interface and a tun0 (10.8.0.1) from the openvpn server.

At this stage, in the guest machine everything is working (ping, nslookup, apt update). The problem now is that if I connect from another machine to the openvpn server, it seems that it loses DNS/HTTP request routing. On this other machine I can ping specific IPs (e.g. ping 172.217.17.100) but not domain names (e.g. ping www.google.com), and cannot visit any IP from a web browser.

A dnsmasq server is running on the HOST and listens on the br0 interface. Should I add any specific rule for that?

Any idea on that problem ?

Last edited by netpumber; 04-18-2017 at 06:03 AM.
 
Old 04-18-2017, 10:48 AM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Quote:
Originally Posted by netpumber View Post
Thank you for answering first of all.
You are welcome

I cleaned up your rules a bit making it easier to follow the flows:
Code:
## Filter table
################

## POLICIES ##
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

## INPUT ##
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# user chains have to exist before INPUT can jump to them
iptables -N UDP
iptables -A UDP -p udp --dport 1194 -j ACCEPT
iptables -A UDP -p udp -j DROP

iptables -N TCP
iptables -A TCP -p tcp --dport 22 -j ACCEPT
iptables -A TCP -p tcp -j REJECT --reject-with tcp-reset

iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP


## OUTPUT ##
# policy is ACCEPT, no rules needed


## FORWARD ##
# user chains first, for the same reason as above
iptables -N fw-interfaces
iptables -A fw-interfaces -i br0 -j ACCEPT

iptables -N fw-open
iptables -A fw-open -d 192.168.1.2 -p udp --dport 1194 -j ACCEPT

iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j fw-interfaces
iptables -A FORWARD -j fw-open
iptables -A FORWARD -j REJECT --reject-with icmp-host-unreachable



## NAT table
############

## PREROUTING ##
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to 192.168.1.2:1194

## POSTROUTING ##
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Quote:
At this stage, in the guest machine everything is working (ping, nslookup, apt update). The problem now is that if I connect from another machine to the openvpn server, it seems that it loses DNS/HTTP request routing. On this other machine I can ping specific IPs (e.g. ping 172.217.17.100) but not domain names (e.g. ping www.google.com), and cannot visit any IP from a web browser.

A dnsmasq server is running on the HOST and listens on the br0 interface. Should I add any specific rule for that?

Any idea on that problem ?
You might not have finished setting up your OpenVPN solution for when clients connect. Once they connect they should be told how to access DNS. This is something I haven't had to setup yet.
 
Old 04-18-2017, 11:46 AM   #5
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 423

Original Poster
Rep: Reputation: 33
Quote:
You might not have finished setting up your OpenVPN solution for when clients connect. Once they connect they should be told how to access DNS. This is something I haven't had to setup yet.
Actually, in the LXC container with the vpn server I also have this iptables rule:

Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE
where veth0 is the interface that is connected to the host through the br0 interface,
and 10.8.0.0/24 is the subnet of the tun0 interface that the openvpn server creates.

EDIT:

I have also added this rule to your list, in order to be able to run ping, apt update, etc. from the containers:

Code:
iptables -A INPUT -i br0 -j ACCEPT

Last edited by netpumber; 04-19-2017 at 07:50 AM.
 