iptables
trenikiVshtaniki, 2021-03-18 12:29:53

Why doesn't subnet traffic go to tun0?

Good afternoon.
I have the following iptables config:


# Generated by iptables-save v1.8.4 on Thu Mar 18 07:24:31 2021
*filter
:INPUT ACCEPT [168:26798]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2040:346660]
-A INPUT -i eth0 -m state --state NEW -m recent --update --seconds 300 --hitcount 60 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.101.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.101.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
# Completed on Thu Mar 18 07:24:31 2021
# Generated by iptables-save v1.8.4 on Thu Mar 18 07:24:31 2021
*nat
:PREROUTING ACCEPT [690:65645]
:INPUT ACCEPT [174:27966]
:OUTPUT ACCEPT [28:2069]
:POSTROUTING ACCEPT [523:35444]
-A OUTPUT -m owner --uid-owner 115 -j RETURN
-A OUTPUT -p tcp -j REDIRECT --to-ports 9040
-A POSTROUTING -s 10.101.0.0/16 -o tun0 -j MASQUERADE
-A POSTROUTING -s 10.101.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Thu Mar 18 07:24:31 2021
# Generated by iptables-save v1.8.4 on Thu Mar 18 07:24:31 2021
*mangle
:PREROUTING ACCEPT [4205:647189]
:INPUT ACCEPT [3290:583146]
:FORWARD ACCEPT [889:59439]
:OUTPUT ACCEPT [2040:346660]
:POSTROUTING ACCEPT [2929:406099]
-A FORWARD -s 10.101.0.0/16 -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Thu Mar 18 07:24:31 2021



According to the rule
-A POSTROUTING -s 10.101.0.0/16 -o tun0 -j MASQUERADE
ipsec client traffic should go to tun0, but for some reason this does not happen and there is no "Internet" for ipsec. What's wrong with the config?


1 answer(s)
hint000, 2021-03-18
@trenikiVshtaniki

According to the rule
-A POSTROUTING -s 10.101.0.0/16 -o tun0 -j MASQUERADE
ipsec client traffic should go to tun0

No. According to this rule, if traffic goes to tun0, then it should be masqueraded. And if it is not going to tun0, then it should not be masqueraded.
iptables does not directly control which interface a packet is sent to. Indirectly - through DNAT.
Choosing a network interface is a routing task, not an iptables one.
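The following diagnostic script is an added example; it is not part of the question or of hint000's answer. It shows the point above in practice: the kernel's routing lookup decides the outgoing interface for a forwarded packet from the 10.101.0.0/16 pool, and the POSTROUTING MASQUERADE rule only matches after routing has already chosen tun0. The client address 10.101.0.5, the destination 8.8.8.8 and the fallback `ip route get` line are constructed sample values; the `policy_route_via_tun0` function is a hypothetical fix that assumes tun0 is up and carries a usable default route, and it is not invoked unless you call it yourself.

```shell
#!/bin/sh
# Added example (not from the original question or answer): where does a
# forwarded packet from the IPsec client pool actually go, and would the
# MASQUERADE rule from the question match it?

SUBNET=10.101.0.0/16        # IPsec client pool from the question
CLIENT=10.101.0.5           # constructed sample client address
TARGET=8.8.8.8              # constructed sample Internet destination

# route_dev: extract the outgoing device from `ip route get` output.
# Takes the output text as $1 so it can also be fed a constructed line.
route_dev() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# masq_would_match: emulate the rule
#   -A POSTROUTING -s 10.101.0.0/16 -o tun0 -j MASQUERADE
# for a packet whose routing decision already produced $1 as output device.
# Prints "yes" or "no"; it never changes which interface is used.
masq_would_match() {
  [ "$1" = "tun0" ] && echo yes || echo no
}

# diagnose: ask the kernel which interface a packet arriving on eth0 from the
# client pool would be forwarded to. Uses the real `ip route get` when it is
# available and succeeds; otherwise falls back to a constructed sample line so
# the script still runs offline.
diagnose() {
  out=""
  if command -v ip >/dev/null 2>&1; then
    out=$(ip route get "$TARGET" from "$CLIENT" iif eth0 2>/dev/null) || out=""
  fi
  if [ -z "$out" ]; then
    # constructed sample: routing sends the pool out of eth0, not tun0
    out="$TARGET from $CLIENT via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0"
    echo "(no live routing answer, using constructed sample output)"
  fi
  dev=$(route_dev "$out")
  echo "forwarded traffic from $CLIENT leaves via: $dev"
  echo "MASQUERADE rule matches: $(masq_would_match "$dev")"
  # Forwarding must also be enabled for any of this to happen at all.
  if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    echo "net.ipv4.ip_forward = $(cat /proc/sys/net/ipv4/ip_forward)"
  fi
}

# policy_route_via_tun0 (hypothetical fix, run as root only if tun0 really is
# the intended uplink): steer the client pool into tun0 with a policy rule and
# a dedicated routing table, so that the existing MASQUERADE rule then matches.
policy_route_via_tun0() {
  ip rule add from "$SUBNET" lookup 100 priority 100
  ip route add default dev tun0 table 100
  ip route flush cache
}

diagnose
```

Run it on the gateway as-is to see the routing decision; if the reported device is not tun0, the MASQUERADE rule is simply never reached, which matches the behaviour described in the question. Only after confirming that tun0 is the intended path should `policy_route_via_tun0` be called.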
