LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 04-17-2017, 04:54 PM   #1
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 423

Rep: Reputation: 33
ufw rules suddenly stopped working?


Hi.

As I described in an earlier post, I have a VPS with an lxc container inside it running openvpn. Until now everything worked perfectly, but now something is broken when I try to make some changes.

So I tried to set up ufw's rules from the very beginning and see what is happening. Here is what I'm doing:

HOST : br0 (192.168.1.1)
GUEST : veth0 (192.168.1.2)

@HOST

Code:
// Basic firewall rules

ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp

// enable packet forwarding

vim /etc/sysctl.conf:
net.ipv4.ip_forward = 1

// install dnsmasq to handle guest's dns requests


vim /etc/dnsmasq.conf
interface=br0 

// NAT table rule 

vim /etc/ufw/before.rules

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]

# Flush before append the new rules
-F

# Forward traffic from br0 through eth0.
-A POSTROUTING -s 192.168.1.2/24 -o eth0 -j MASQUERADE

# Forward 1194 port data to the openVPN container                               
-A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

// Allow dnsmasq to send and receive data between host and container and open 1194 port
ufw allow from 192.168.1.2
ufw allow to 192.168.1.2
ufw allow 1194/udp

@GUEST

Code:
// Forward traffic from tun0 through veth0.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE

Am I missing something? Is something wrong with these?

Troubleshooting so far:

1) The VPN connection is initialized from a client PC, but there is no internet access (browsing, ping, nslookup)

2) The VPN container has internet access as expected (ping, nslookup, apt update, etc.)

Any idea is welcomed.

Thank you.

Last edited by netpumber; 04-18-2017 at 03:14 AM.
 
Old 04-19-2017, 09:55 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,324
Blog Entries: 28

Rep: Reputation: 6142
Just to make sure I understand, you are connecting from computer A to computer B via a VPN. When you connect to computer B via the VPN, you do not have internet access on computer B; therefore, the problem must reside on computer B. Is that a correct explanation? If not, please set me straight.

Do you have internet access on computer B if you are sitting at it locally?

What is the output of

Code:
iptables -L
on computer B.

(You will likely have to issue the command as root.)

Last edited by frankbell; 04-19-2017 at 10:00 PM.
 
Old 04-20-2017, 02:13 AM   #3
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 423

Original Poster
Rep: Reputation: 33
Finally I removed the ufw firewall altogether. Here is a better explanation of the procedure.

I have a VPS and inside it I have set up an lxc container with an openvpn server running in it.

So @ HOST machine I have only these two iptables rules

Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194


Code:
*filter
:INPUT ACCEPT [222:25943]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [200:31470]
COMMIT
# Completed on Wed Apr 19 19:47:31 2017
# Generated by iptables-save v1.4.21 on Wed Apr 19 19:47:31 2017
*nat
:PREROUTING ACCEPT [30:1828]
:INPUT ACCEPT [30:1828]
:OUTPUT ACCEPT [4:255]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

while @ guest

Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE


Code:
*filter
:INPUT ACCEPT [69:7230]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:5159]
COMMIT
# Completed on Wed Apr 19 19:48:36 2017
# Generated by iptables-save v1.4.21 on Wed Apr 19 19:48:36 2017
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [11:560]
:POSTROUTING ACCEPT [11:560]
-A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE
COMMIT

Here is the configuration of the lxc container

1) Created a bridge device (br0) @ host [/etc/network/interfaces]


Code:
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

# Bridge interface
auto br0
iface br0 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
bridge_ports none
bridge_fd 2.0
bridge_maxwait 1

2) Link it with lxc container's veth0 interface [/var/lib/lxc/VPN/config]


Code:
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
# Parameters passed to the template: -r jessie
# For additional config options, please look at lxc.container.conf(5)
#lxc.network.type = empty
lxc.rootfs = /var/lib/lxc/VPN/rootfs

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.mount = /var/lib/lxc/VPN/fstab
lxc.utsname = VPN
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0
lxc.start.auto = 1

# Network config
lxc.network.type = veth
lxc.network.veth.pair = vethVPN
lxc.network.name = veth0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:42:1d:a7
lxc.network.link = br0

## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow = c 10:200 rwm


and 3) assign a static ip @ guest machine [/etc/network/interfaces]


Code:
auto lo
iface lo inet loopback

#auto eth0
#iface eth0 inet dhcp

auto veth0
iface veth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1

4) dnsmasq is running @ host, listening on the br0 interface.

The thing is that when I'm connecting to the vpn server, the vpn client cannot ping http://www.google.com and cannot visit any site, because as I understand it something is going wrong with the DNS requests.
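As an added example, not code from this thread or from ufw, lxc or OpenVPN, the following Python script audits `iptables-save` dumps for the pieces that both the ufw setup in post #1 and the plain-iptables setup in post #3 depend on: the DNAT of udp/1194 into the container on the VPS, a MASQUERADE that covers the bridge network on the way out of eth0, the container-side MASQUERADE of 10.8.0.0/24 out of veth0, and whether the filter FORWARD chain on each side lets routed packets through at all. The interface names, addresses and subnets (eth0, br0, veth0, tun0, 192.168.1.0/24, 192.168.1.2, 10.8.0.0/24) are taken from the thread; the two embedded dumps are constructed from the rules posted in #3 and abridged. The `/24` on a host address in #1's `-s 192.168.1.2/24` is normalised the way iptables does it, so it is reported as covering the bridge network rather than as a mistake. Two things the posted rules leave implicit are flagged deliberately: under ufw the FORWARD policy is DROP unless DEFAULT_FORWARD_POLICY in /etc/default/ufw is changed or an explicit accept for br0 to eth0 exists (a detail post #1 does not show), and in #3 the FORWARD policy is ACCEPT with no rules, which routes anything the VPS can reach, not only the container's traffic. The script does not follow jumps into user chains (ufw's own chains), it only names them, and it does not check DNS.

```python
import ipaddress
import shlex

# Constructed sample dumps: the rules are the ones posted in #3 (host = VPS, guest = LXC container), abridged.
HOST_DUMP = """\
*filter
:FORWARD ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [30:1828]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
GUEST_DUMP = """\
*filter
:FORWARD ACCEPT [0:0]
COMMIT
*nat
:POSTROUTING ACCEPT [11:560]
-A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE
COMMIT
"""

def parse_rule(line):
    """One '-A CHAIN ...' line -> chain, jump target, option dict (a preceding '!' is kept in the key)."""
    toks, opts, target, neg, i = shlex.split(line), {}, None, "", 2
    while i < len(toks):
        tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else "-"
        if tok == "!":
            neg, i = "!", i + 1
        elif tok == "-j":
            target, i = nxt, i + 2
        elif nxt.startswith("-") or nxt == "!":  # option without a value, e.g. --syn
            opts[neg + tok], neg, i = True, "", i + 1
        else:
            opts[neg + tok], neg, i = nxt, "", i + 2
    return {"chain": toks[1], "target": target, "opts": opts}

def parse_save(text):
    """iptables-save text -> {table: {"policy": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            table["rules"].append(parse_rule(line))
    return tables

def rules(tables, table, chain, target=None):
    return [r for r in tables.get(table, {}).get("rules", []) if r["chain"] == chain and target in (None, r["target"])]

def source_covers(rule, net):
    """-s absent or a superset of net -> covers; '192.168.1.2/24' normalises to 192.168.1.0/24 as iptables does."""
    net, src, neg = ipaddress.ip_network(net), rule["opts"].get("-s"), rule["opts"].get("!-s")
    if neg and net.overlaps(ipaddress.ip_network(neg, strict=False)):
        return False
    return src is None or net.subnet_of(ipaddress.ip_network(src, strict=False))

def audit_forwarding(tables, in_if, out_if):
    """Can packets entering in_if be routed out of out_if through the filter FORWARD chain?"""
    policy = tables.get("filter", {}).get("policy", {}).get("FORWARD", "ACCEPT")
    fwd = rules(tables, "filter", "FORWARD")
    explicit = [r for r in fwd if r["target"] == "ACCEPT"
                and r["opts"].get("-i", in_if) == in_if and r["opts"].get("-o", out_if) == out_if]
    jumps = {r["target"] for r in fwd} - {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}  # user chains, not followed
    if policy == "DROP" and not explicit:
        note = f" (user chains not followed: {', '.join(sorted(jumps))})" if jumps else ""
        return [f"BLOCKED: FORWARD policy DROP and no ACCEPT for {in_if}->{out_if}{note}; under ufw see DEFAULT_FORWARD_POLICY"]
    if policy == "ACCEPT" and not fwd:
        return [f"WARN: FORWARD policy ACCEPT with no rules: every routed packet passes, not only {in_if}->{out_if}"]
    return []

def audit(tables, in_if, out_if, masq_net, dnat=None):
    """MASQUERADE of masq_net out of out_if, optional DNAT (proto, port, ip) and forwarding in_if -> out_if."""
    findings = []
    if dnat:
        proto, port, ip = dnat
        if not [r for r in rules(tables, "nat", "PREROUTING", "DNAT")
                if r["opts"].get("-p") == proto and r["opts"].get("--dport") == str(port)
                and r["opts"].get("--to-destination", "").split(":")[0] == ip]:
            findings.append(f"MISSING: nat PREROUTING DNAT {proto}/{port} -> {ip}")
    if not [r for r in rules(tables, "nat", "POSTROUTING", "MASQUERADE")
            if r["opts"].get("-o", out_if) == out_if and source_covers(r, masq_net)]:
        findings.append(f"MISSING: nat POSTROUTING MASQUERADE for {masq_net} out {out_if}")
    return findings + audit_forwarding(tables, in_if, out_if)

def ip_forward_enabled(sysctl_text):
    """net.ipv4.ip_forward is per network namespace: it must be 1 on the VPS and inside the container."""
    vals = [v.strip() for k, _, v in (l.partition("=") for l in sysctl_text.splitlines()) if k.strip() == "net.ipv4.ip_forward"]
    return bool(vals) and vals[-1] == "1"

if __name__ == "__main__":
    print("host ", audit(parse_save(HOST_DUMP), "br0", "eth0", "192.168.1.0/24", ("udp", 1194, "192.168.1.2")) or "OK")
    print("guest", audit(parse_save(GUEST_DUMP), "tun0", "veth0", "10.8.0.0/24") or "OK")
```

On a live system feed it the output of `iptables-save` on the VPS and inside the container (and `sysctl net.ipv4.ip_forward` on both) instead of the embedded dumps; on the dumps from #3 both sides come back with only the permissive-FORWARD warning, which is worth tightening to explicit `-i br0 -o eth0` and `-i tun0 -o veth0` accepts plus the DNAT'd port once the VPN works.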