Hi all, I've got a networking issue that's confusing me.
When I try to ssh out, I can see the packets being accepted by the rule in the OUTPUT chain, but I can't see them with TCPDUMP. Nothing is hitting the rules in the nat POSTROUTING chain, either. I can see from the ACCEPT rule (in the iptables output) that the packet is going through the interface I expect (enp4s0.1441). Any ideas? I suspect it's something silly I've just failed to spot ...

Note that yesterday, when I was on site, I wasn't trying this, but had similar problems with traffic going out - dns packets were being accepted, but not hitting the postrouting snat rule. Today, I can't get to the machine I was testing from, which is how I found the current problem.

In both cases, ping works - I can ping the machine I'm trying to ssh to (10.144.1.10), and yesterday I could ping the dns server (8.8.8.8 for test purposes).

Background and other info:

The system is (supposed to be) a router, based on an old (atom-based) HP thin client connected to a VLAN switch. It's running buster. I've built routers before, but not using VLANs and not (I think) on buster. I'm using iptables-legacy (because I'm relatively familiar with it).
Other oddities are:
- it's running OpenVPN (which is working; that's how I'm connecting to it today)
- there's an odd route I've added to allow talking to bits of my home LAN, despite the external interface of this router being on the same address range (too many people choose 192.168.1.0/24)

Here's the routing table:
------------8<--------------------
richard@svrouter:~$ sudo ip route
default via 192.168.1.1 dev enp4s0.1 onlink
10.144.1.0/24 dev enp4s0.1441 proto kernel scope link src 10.144.1.1
10.144.2.0/24 dev enp4s0.1442 proto kernel scope link src 10.144.2.1
192.168.1.0/24 dev enp4s0.1 proto kernel scope link src 192.168.1.15
192.168.1.96/27 via 192.168.94.1 dev tun0
192.168.94.0/24 dev tun0 proto kernel scope link src 192.168.94.10
------------8<--------------------

/etc/network/interfaces:
------------8<--------------------
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# # The primary network interface
# auto enp4s0
# iface enp4s0 inet dhcp

auto enp4s0.1
iface enp4s0.1 inet static
    address 192.168.1.15/24
    gateway 192.168.1.1

auto enp4s0.1441
iface enp4s0.1441 inet static
    address 10.144.1.1/24

auto enp4s0.1442
iface enp4s0.1442 inet static
    address 10.144.2.1/24
------------8<--------------------
(interfaces.d is empty)

iptables -vnL:
------------8<--------------------
Chain INPUT (policy ACCEPT 26 packets, 8528 bytes)
 pkts bytes target  prot opt in          out          source      destination
    0     0 LOG     tcp  --  *           *            0.0.0.0/0   0.0.0.0/0      tcp spt:22 LOG flags 0 level 4
 1109 99188 ACCEPT  all  --  *           *            0.0.0.0/0   0.0.0.0/0      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT  icmp --  *           *            0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT  tcp  --  *           *            0.0.0.0/0   0.0.0.0/0      tcp dpt:22

Chain FORWARD (policy ACCEPT 25 packets, 1750 bytes)
 pkts bytes target  prot opt in          out          source      destination
    0     0 ACCEPT  all  --  *           *            0.0.0.0/0   0.0.0.0/0      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT  icmp --  *           *            0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT  tcp  --  enp4s0.1    enp4s0.1441  0.0.0.0/0   0.0.0.0/0      tcp dpt:22
    0     0 ACCEPT  tcp  --  enp4s0.1441 enp4s0.1     0.0.0.0/0   0.0.0.0/0      tcp dpt:22
    0     0 ACCEPT  tcp  --  enp4s0.1441 enp4s0.1     0.0.0.0/0   0.0.0.0/0      tcp dpt:53
    0     0 ACCEPT  tcp  --  enp4s0.1441 enp4s0.1     0.0.0.0/0   0.0.0.0/0      tcp dpt:80
    0     0 ACCEPT  tcp  --  enp4s0.1441 enp4s0.1     0.0.0.0/0   0.0.0.0/0      tcp dpt:443
    0     0 ACCEPT  tcp  --  enp4s0.1441 enp4s0.1     0.0.0.0/0   0.0.0.0/0      tcp dpt:587
  676 46636 LOG     udp  --  enp4s0.1441 enp4s0.1     0.0.0.0/0   0.0.0.0/0      udp dpt:53 LOG flags 0 level 4 prefix "PRE-ACCEPT "
  676 46636 ACCEPT  udp  --  enp4s0.1441 enp4s0.1     0.0.0.0/0   0.0.0.0/0      udp dpt:53
   25  1750 LOG     all  --  *           *            0.0.0.0/0   0.0.0.0/0      LOG flags 0 level 4 prefix "FWD "

Chain OUTPUT (policy ACCEPT 53 packets, 3180 bytes)
 pkts bytes target  prot opt in          out          source      destination
  731  128K ACCEPT  all  --  *           *            0.0.0.0/0   0.0.0.0/0      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT  icmp --  *           *            0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT  udp  --  *           *            0.0.0.0/0   203.118.153.20 udp spt:1194 dpt:1194
    0     0 ACCEPT  udp  --  *           *            0.0.0.0/0   0.0.0.0/0      udp dpt:53
    0     0 ACCEPT  tcp  --  *           *            0.0.0.0/0   0.0.0.0/0      tcp dpt:53
    1    76 ACCEPT  udp  --  *           *            0.0.0.0/0   0.0.0.0/0      udp dpt:123
    0     0 ACCEPT  tcp  --  *           *            0.0.0.0/0   0.0.0.0/0      tcp dpt:587
    0     0 ACCEPT  tcp  --  *           *            0.0.0.0/0   0.0.0.0/0      tcp dpt:80
    0     0 ACCEPT  tcp  --  *           *            0.0.0.0/0   0.0.0.0/0      tcp dpt:443
   14   840 LOG     tcp  --  *           *            0.0.0.0/0   10.144.1.0/24  tcp dpt:22 LOG flags 0 level 4 prefix "OUT PRE-ACCEPT "
   14   840 ACCEPT  tcp  --  *           enp4s0.1441  0.0.0.0/0   10.144.1.0/24  tcp dpt:22
    0     0 ACCEPT  tcp  --  *           enp4s0.1     0.0.0.0/0   10.144.1.0/24  tcp dpt:22
    0     0 LOG     tcp  --  *           *            0.0.0.0/0   10.144.1.0/24  tcp dpt:22 LOG flags 0 level 4
------------8<-------------------

richard@svrouter:~$ cat /proc/sys/net/ipv4/ip_forward
1
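An added example, not part of Richard's post: an offline longest-prefix lookup over the routing table pasted above, so the interface, gateway and source address the kernel would pick for each destination he mentions (10.144.1.10, 8.8.8.8, and the overlapping 192.168.1.x ranges the tun0 route carves out) can be checked without access to the box. The code and the route lookup are mine; the table is a constructed copy of his `ip route` output, and the source-address fallback assumes the usual kernel rule of using the on-link address of the chosen device when a route carries no explicit src.

```python
import ipaddress
# Constructed copy of the 'ip route' output pasted in the post above.
IP_ROUTE = """\
default via 192.168.1.1 dev enp4s0.1 onlink
10.144.1.0/24 dev enp4s0.1441 proto kernel scope link src 10.144.1.1
10.144.2.0/24 dev enp4s0.1442 proto kernel scope link src 10.144.2.1
192.168.1.0/24 dev enp4s0.1 proto kernel scope link src 192.168.1.15
192.168.1.96/27 via 192.168.94.1 dev tun0
192.168.94.0/24 dev tun0 proto kernel scope link src 192.168.94.10
"""

def parse_routes(text):
    """Turn 'ip route' lines into dicts: net, dev, via (None if on-link), src."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        prefix = "0.0.0.0/0" if words[0] == "default" else words[0]
        route = {"net": ipaddress.ip_network(prefix), "dev": None, "via": None, "src": None}
        # Attributes come as 'key value' pairs; bare flags such as 'onlink' are skipped.
        for key, val in zip(words[1:], words[2:]):
            if key in ("dev", "via", "src"):
                route[key] = val
        routes.append(route)
    return routes

def route_get(routes, dst):
    """Offline equivalent of 'ip route get DST': longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    if best is None:
        return None
    src = best["src"]
    if src is None:
        # No explicit src (default route, tun0 route): assume the kernel uses the on-link address of that device.
        for r in routes:
            if r["dev"] == best["dev"] and r["via"] is None and r["src"]:
                src = r["src"]
                break
    return {"prefix": str(best["net"]), "dev": best["dev"], "via": best["via"], "src": src}

ROUTES = parse_routes(IP_ROUTE)

if __name__ == "__main__":
    print({d: route_get(ROUTES, d) for d in ("10.144.1.10", "8.8.8.8", "192.168.1.100")})
```

192.168.1.100 falls in the /27 that is steered over tun0, while 192.168.1.50 stays on enp4s0.1; only the latter would ever reach a POSTROUTING rule restricted to that interface.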