Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.
Post Reply
arronar
OpenVpn Newbie
Posts: 7
Joined: Tue Apr 18, 2017 11:35 am

Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Post by arronar » Tue Apr 18, 2017 11:41 am

Hello.

I am new at openvpn and I set up a lxc container running openvpn server in a VPS machine.
So here are the iptables rules that I am using in HOST machine.

Code: Select all

# Generated by iptables-save v1.4.21 on Tue Apr 18 10:37:20 2017
*nat
:PREROUTING ACCEPT [412:26844]
:INPUT ACCEPT [14:863]
:OUTPUT ACCEPT [4:263]
:POSTROUTING ACCEPT [24:1123]
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 18 10:37:20 2017
# Generated by iptables-save v1.4.21 on Tue Apr 18 10:37:20 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [999:126221]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -p udp -m udp --dport 1194 -j ACCEPT
-A fw-interfaces -i br0 -j ACCEPT
-A fw-open -d 192.168.1.2/32 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
# Completed on Tue Apr 18 10:37:20 2017
and here the commands I used to create them

Code: Select all

// Filter table
# iptables -N TCP
# iptables -N UDP
# iptables -P OUTPUT ACCEPT
# iptables -P INPUT DROP
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
# iptables -A TCP -p tcp --dport 22 -j ACCEPT
# iptables -A UDP -p udp --dport 1194 -j ACCEPT

// NAT table

# iptables -N fw-interfaces
# iptables -N fw-open
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -j fw-interfaces 
# iptables -A FORWARD -j fw-open 
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreachable
# iptables -P FORWARD DROP
# iptables -A fw-interfaces -i br0 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 192.168.1.1/24 -o eth0 -j MASQUERADE

# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to 192.168.1.2:1194
# iptables -A fw-open -d 192.168.1.2 -p udp --dport 1194 -j ACCEPT
The host has an eth0 (10.8.44.199) interface and a bridge br0 (192.168.1.1) interface
The guest has veth0 (192.168.1.2) interface and a tun0 (10.8.0.1) from openvpn server

At this stage, in guest machine everything is working (ping, nslookup, apt-update). The problem now is that if i connect from another machine a vpn client , it seems that it losts DNS/HTTP requests routing. In this other machine i can ping specific IPs (e.g ping 172.217.17.100) but not domain names (e.g ping www.google.com) and cannot visit any IP from a web browser.

A dnsmasq server is running on HOST and listens at br0 interface. Should i add any specific rule for that ?

Thank you.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2830
Joined: Fri Jun 03, 2016 1:17 pm

Re: Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Post by TinCanTech » Tue Apr 18, 2017 12:23 pm

arronar wrote:I set up a lxc container running openvpn server in a VPS machine
arronar wrote:*nat
<snip>
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
Due to VPS, this may need to be like so:

Code: Select all

iptables -t nat -A POSTROUTING -s x.x.x.x/xx -j SNAT --to-source y.y.y.y
Where:
  • x.x.x.x/xx is your VPN subnet, eg. 10.8.0.0/24
  • y.y.y.y is your server public IP address, eg. 12.34.56.78

arronar
OpenVpn Newbie
Posts: 7
Joined: Tue Apr 18, 2017 11:35 am

Re: Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Post by arronar » Tue Apr 18, 2017 12:34 pm

Sorry for not mentioning that in the previous post but at the container i have the following MASQUERADE rule that might be the same with the one you posted above, or I might be wrong.

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE
but i believe that they are doing the same thing.

arronar
OpenVpn Newbie
Posts: 7
Joined: Tue Apr 18, 2017 11:35 am

Re: Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Post by arronar » Tue Apr 18, 2017 12:52 pm

Something else that i Just realized is the routes that added after openvpn connection initialization.

Before openvpn route -n command returns

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    303    0        0 wlp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U     303    0        0 wlp3s0
and after

Code: Select all

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    303    0        0 wlp3s0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
51.15.*.*     192.168.1.1     255.255.255.255 UGH   0      0        0 wlp3s0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     303    0        0 wlp3s0
So what is this 10.8.0.5 IP address ? I cannot figure out in which device this ip is bound.

Client's tun0 device has 10.8.0.6
Server's (container) tun0 device has the 10.8.0.1

and there is no 10.8.0.5 IP @ /etc/openvpn/openvpn-status.log

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2830
Joined: Fri Jun 03, 2016 1:17 pm

Re: Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Post by TinCanTech » Tue Apr 18, 2017 1:06 pm

arronar wrote:what is this 10.8.0.5 IP address ?
It is the second parameter for --ifconfig when using --topology net30 (the default openvpn topology).

In your logs you will find the server pushes ifconfig 10.8.0.6 10.8.0.5 to the client,
these are the correct parameters. Note: 10.8.0.5 is not ping-able by design.

arronar
OpenVpn Newbie
Posts: 7
Joined: Tue Apr 18, 2017 11:35 am

Re: Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Post by arronar » Tue Apr 18, 2017 1:09 pm

Oh yes. You are right. So this is not where my problem lies.

arronar
OpenVpn Newbie
Posts: 7
Joined: Tue Apr 18, 2017 11:35 am

Re: Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Post by arronar » Tue Apr 18, 2017 3:14 pm

EDIT:

I tried to figure out more by using the tcpdump. By running the following commands in the HOST side first for the br0 and then for the eth0, I run a ping www.google.com command in the client machine and as you can see there is a refuse response in DNS requests.

Code: Select all

tcpdump -vvv -s 0 -l -n -i br0 port 53
14:35:14.198958 IP (tos 0x0, ttl 63, id 26100, offset 0, flags [DF], proto UDP (17), length 60)
192.168.1.2.51125 > 193.92.3.10.53: [udp sum ok] 52260+ A? www.google.com. (32)
14:35:14.275361 IP (tos 0x0, ttl 54, id 39551, offset 0, flags [none], proto UDP (17), length 40)
193.92.3.10.53 > 192.168.1.2.51125: [udp sum ok] 52260 Refused- [0q] 0/0/0 (12)

Code: Select all

tcpdump -vvv -s 0 -l -n -i eth0 port 53
14:46:07.644489 IP (tos 0x0, ttl 62, id 60493, offset 0, flags [DF], proto UDP (17), length 59)
10.8.44.199.54300 > 193.92.3.10.53: [udp sum ok] 39571+ A? www.google.gr. (31)
14:46:07.713732 IP (tos 0x0, ttl 55, id 12008, offset 0, flags [none], proto UDP (17), length 40)
193.92.3.101.53 > 10.8.44.199.56802: [udp sum ok] 59525 Refused- [0q] 0/0/0 (12)

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2830
Joined: Fri Jun 03, 2016 1:17 pm

Re: Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Post by TinCanTech » Tue Apr 18, 2017 4:25 pm

Post:

Code: Select all

brctl show

arronar
OpenVpn Newbie
Posts: 7
Joined: Tue Apr 18, 2017 11:35 am

Re: Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Post by arronar » Tue Apr 18, 2017 4:41 pm

brctl show at HOST

Code: Select all

bridge name	bridge id		STP enabled	interfaces
br0		8000.fe8094931239	no		vethG9K6VH
Is there any chance to be a miss configuration at openvpn's client and server config files ?


arronar
OpenVpn Newbie
Posts: 7
Joined: Tue Apr 18, 2017 11:35 am

Re: Did iptables rules block DNS/HTTP requests from a LXC container with openvpn serrver ?

Post by arronar » Wed Apr 19, 2017 1:09 pm

I don't understand. I think that i have these iptables rules too.

Post Reply