linux
vakohafa, 2017-05-22 03:27:52

What rule is missing in iptables?

I set up an SSH tunnel:
ssh -D 9999 [email protected] -N
In theory, you can now connect via SOCKS5 to 127.0.0.1:9999.
In Firefox I enter 127.0.0.1:9999 and nothing works, but if I enter localhost:9999 it works for some reason.
I installed ProxyChains-NG and it does not work at all, although the configs are correct; I put everything into a clean virtual machine and there it all works.
I concluded that the problem is in iptables, but I could not figure out where exactly.
Here is what is in iptables:

# Generated by iptables-save v1.4.7 on Sat Apr 25 00:54:56 2017
*nat
:PREROUTING ACCEPT [33:8870]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:184]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Sat Apr 25 00:54:56 2017
# Generated by iptables-save v1.4.7 on Sat Apr 25 00:54:56 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 111.222.333.444/32 -p udp -m udp --sport 1194 -m state --state RELATED,E$
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -d 111.222.333.444/32 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -d 111.222.333.444/32 -o wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Apr 25 00:54:56 2017

What is missing from the rules?
The SSH tunnel goes inside the VPN; iptables is configured to block all traffic except the VPN's.

4 answers
Daemon23RUS, 2017-05-22
@Daemon23RUS

SSH tunnel goes inside the VPN, iptables is configured to block all traffic except vpnovsky.

127.0.0.1:9999 - what do you think it refers to? To everything, or to the VPN?

Denis Sechin, 2017-05-22
@tamogavk

iptables -L -v -t nat

Host-Eiweb, 2017-05-22
@Host-Eiweb

Open Yandex and type 127.0.0.1 in the search bar to find out what kind of address this is. You will get an answer immediately.
Is it really that hard to do?

younghacker, 2017-06-05
@younghacker

If it finds it by name but not by address, then the point is that the address and the name are resolved in different places, or a different protocol is used. I would look at what is going on there with IPv4 and IPv6.
For your case, I would bring up the tunnel a little differently:
The tcpdump utility will help you learn more about the network traffic on your side and on the server side. For Windows there are Wireshark and WinPcap.
As for iptables, it contains rules that will never fire.

-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -d 111.222.333.444/32 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
The first one will fire, the second never. One of these rules is redundant, most likely the second.
Because if you remove the first one, then ssh will be blocked on eth0, or it will have to go through tun.
In the OUTPUT chain you have the wlan0 interface defined,
but you forgot about it in INPUT.
Although it is not clear whose iptables this is. :) Client's or server's?
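An added example (not from the question or any of the answers) that does by code what younghacker's reading of the rules does by hand: it parses the question's filter rules, walks a packet through a chain first-match, and flags any rule that an earlier rule in the same chain always catches first. Run on the question's own ruleset it shows that a connection to 127.0.0.1:9999 leaves through lo, which no OUTPUT rule accepts, so it falls through to the final REJECT, and it finds the shadowed FORWARD rule as well as the shadowed OUTPUT rule named above. Packet values below are constructed; the interface names, addresses and ports are the question's.

```python
import shlex
# Constructed sample: the filter rules copied from the question; the INPUT line
# the post shows truncated ("RELATED,E$") is left out rather than guessed.
RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -d 111.222.333.444/32 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -d 111.222.333.444/32 -o wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Option -> packet field it constrains; "-m <module>" and "--reject-with" are skipped.
FIELDS = {"-i": "in_if", "-o": "out_if", "-s": "src", "-d": "dst", "-p": "proto",
          "--sport": "sport", "--dport": "dport", "--state": "state"}

def parse(text):
    """Return [(chain, {field: value}, target)] in ruleset order."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        chain, match, target = tok[1], {}, None
        for opt, val in zip(tok[2::2], tok[3::2]):  # every option here takes one value
            if opt == "-j":
                target = val
            elif opt in FIELDS:
                match[FIELDS[opt]] = val.split("/")[0]  # drop the /32 from addresses
        rules.append((chain, match, target))
    return rules

def matches(match, pkt):
    """True when every constraint of a rule holds for the packet."""
    return all(pkt.get(f) in v.split(",") if f == "state" else pkt.get(f) == v
               for f, v in match.items())

def verdict(rules, chain, pkt):
    """Target of the first matching rule in the chain and its 1-based position."""
    for pos, (c, match, target) in enumerate([r for r in rules if r[0] == chain], 1):
        if matches(match, pkt):
            return target, pos
    return "policy", 0  # no rule matched: the chain's default policy applies

def shadowed(rules):
    """Rules an earlier rule in the same chain always matches first (exact-value check)."""
    return [(c, m) for i, (c, m, _) in enumerate(rules)
            if any(ec == c and em.items() <= m.items() for ec, em, _ in rules[:i])]
```

If "localhost" resolves to ::1 on the client, that connection travels over IPv6, which these IPv4 rules never see, which would account for the difference the question reports.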
