I have two servers, both set up (bar names) identically. Both are on VPS; one uses the host DHCP settings for interfaces and DNS, the other uses its own DNS server and network interface settings.
I have duplicated iptables.up.rules on both servers, so I am reasonably confident that is not the issue. From my client Mac I can connect to both VPN servers. One works perfectly; the other does not, as it stops all internet traffic with the occasional message (on whatsmyip, for example) "cannot resolve host".
I think my OpenVPN setup is fine and it is an underlying network issue causing the problem, but I am not experienced enough to find or even understand it! So I am posting the problematic details to see if anyone can offer some guidance.
To be clear, I did not generate these iptables. They were generated by firewalld or the server or both, with some intervention by me (i.e., masquerading), and I am not a firewall expert! I am happy to simplify them if it can be done, but the most important item is to understand why it works on one server but not the other.
Ta.
*filter
:INPUT_ZONES_SOURCE - [0:0]
:FWDO_public - [0:0]
:FORWARD ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:OUTPUT_direct - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FWDI_public - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:INPUT ACCEPT [0:0]
:FWDO_public_log - [0:0]
:IN_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:OUTPUT ACCEPT [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_allow - [0:0]
:IN_public_log - [0:0]
:IN_public_allow - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public_log - [0:0]
:IN_public_deny - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A INPUT_direct -p tcp -m multiport -m set -j REJECT --reject-with icmp-port-unreachable --dports 22 --match-set f2b-sshd src
-A INPUT_direct -p tcp -m multiport -m set -j REJECT --reject-with icmp-port-unreachable --dports 10000 --match-set f2b-webmin-auth src
-A INPUT_ZONES -i eth0 -g IN_public
-A INPUT_ZONES -g IN_public
-A FORWARD_IN_ZONES -i eth0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 22 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 25 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 465 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 21 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 110 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 995 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 143 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 993 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 80 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 443 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp -m conntrack --dport 1194 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 587 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 53 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 20 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 2222 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 10000:10100 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 20000 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp -m conntrack --dport 53 --ctstate NEW,UNTRACKED -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
COMMIT
*mangle
:PREROUTING_ZONES_SOURCE - [0:0]
:PRE_public - [0:0]
:PRE_public_deny - [0:0]
:INPUT_direct - [0:0]
:FORWARD_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:OUTPUT_direct - [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING_direct - [0:0]
:POSTROUTING ACCEPT [0:0]
:PRE_public_log - [0:0]
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:PRE_public_allow - [0:0]
:INPUT ACCEPT [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
*nat
:POSTROUTING_direct - [0:0]
:PREROUTING_direct - [0:0]
:POST_public_allow - [0:0]
:PRE_public_allow - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:POST_public_log - [0:0]
:POST_public - [0:0]
:OUTPUT ACCEPT [0:0]
:PRE_public_log - [0:0]
:PRE_public - [0:0]
:PREROUTING ACCEPT [0:0]
:PREROUTING_ZONES - [0:0]
:POSTROUTING_ZONES - [0:0]
:POST_public_deny - [0:0]
:OUTPUT_direct - [0:0]
:PRE_public_deny - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING -s 10.10.0.0 -o eth0 -j MASQUERADE
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A POSTROUTING_ZONES -o eth0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
COMMIT
On Sun, May 10, 2020 at 07:43:32AM -0000, Geoff Jankowski wrote:
> I have two servers, both set up (bar names) identically. Both are on VPS; one uses the host DHCP settings for interfaces and DNS, the other uses its own DNS server and network interface settings.
> I have duplicated iptables.up.rules on both servers, so I am reasonably confident that is not the issue. From my client Mac I can connect to both VPN servers. One works perfectly; the other does not, as it stops all internet traffic with the occasional message (on whatsmyip, for example) "cannot resolve host".
> I think my OpenVPN setup is fine and it is an underlying network issue causing the problem, but I am not experienced enough to find or even understand it! So I am posting the problematic details to see if anyone can offer some guidance.
> To be clear, I did not generate these iptables. They were generated by firewalld or the server or both, with some intervention by me (i.e., masquerading), and I am not a firewall expert! I am happy to simplify them if it can be done, but the most important item is to understand why it works on one server but not the other.
It's unclear to me where you suspect the issue is, but since you're emailing a firewalld list I'm going to presume firewalld. :)
The first thing you should do is enable --set-log-denied to see where or if firewalld is dropping packets.
# firewall-cmd --set-log-denied=all
Then check dmesg after you start experiencing issues.
E.
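The triage step the reply describes, as an added example that is not part of the thread: a small Python parser for the kernel-log lines that netfilter's LOG target writes once `--set-log-denied=all` is on, grouping the denials by firewalld prefix, chain path and destination port so the flow that is being refused stands out. The sample lines are constructed, and tun0 as the OpenVPN interface name is an assumption.

```python
import re
from collections import Counter

# Constructed sample kernel-log lines in the format the netfilter LOG target emits after
# `firewall-cmd --set-log-denied=all`; FINAL_REJECT and STATE_INVALID_DROP are firewalld's
# own log prefixes. Addresses are from documentation ranges, not real hosts.
SAMPLE_DMESG = """\
[ 1201.553] FINAL_REJECT: IN=tun0 OUT=eth0 MAC= SRC=10.10.0.6 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
[ 1201.601] FINAL_REJECT: IN=tun0 OUT=eth0 MAC= SRC=10.10.0.6 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4243 DF PROTO=TCP SPT=50001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
[ 1201.612] FINAL_REJECT: IN=tun0 OUT=eth0 MAC= SRC=10.10.0.6 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4244 DF PROTO=UDP SPT=51235 DPT=53 LEN=40
[ 1202.004] STATE_INVALID_DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:00:5e:00:01:01:08:00 SRC=192.0.2.44 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=38422 WINDOW=0 RES=0x00 ACK RST URGP=0
[ 1202.330] FINAL_REJECT: IN=tun0 OUT=eth0 MAC= SRC=10.10.0.6 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4245 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
"""

# Matches raw dmesg ("[ts] PREFIX: IN=...") and journalctl ("... kernel: PREFIX: IN=...") alike.
LINE_RE = re.compile(r"(?P<prefix>\w+): (?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # bare flags such as DF or SYN carry no '=' and are skipped


def parse_line(line):
    """Return a dict for one log-denied line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("fields")))
    in_if, out_if = f.get("IN", ""), f.get("OUT", "")
    # INPUT-chain logs carry only IN, OUTPUT-chain logs only OUT, FORWARD-chain logs both.
    path = "forward" if in_if and out_if else ("input" if in_if else "output")
    return {"prefix": m.group("prefix"), "path": path, "in": in_if or "-", "out": out_if or "-",
            "proto": f.get("PROTO", "?"), "src": f.get("SRC"), "dst": f.get("DST"),
            "dpt": f.get("DPT", "-")}   # ICMP lines have no DPT


def summarize(text):
    """Count denials by (prefix, path, IN, OUT, PROTO, DPT) so the noisiest flow is obvious."""
    counts = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        counts[(rec["prefix"], rec["path"], rec["in"], rec["out"], rec["proto"], rec["dpt"])] += 1
    return counts


def vpn_forward_denials(text, vpn_if="tun0"):
    """Denied packets that arrived on the VPN interface and were being forwarded out: the
    thread's symptom (clients connect, but nothing behind the tunnel reaches the internet)."""
    return [r for r in map(parse_line, text.splitlines())
            if r and r["path"] == "forward" and r["in"] == vpn_if]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_DMESG).most_common():
        print(f"{n:4d}  {key[0]:<20} {key[1]:<8} in={key[2]:<5} out={key[3]:<5} {key[4]:<5} dpt={key[5]}")
    dns = [r for r in vpn_forward_denials(SAMPLE_DMESG) if r["dpt"] == "53"]
    print(f"{len(dns)} DNS queries from the VPN were refused in the FORWARD path")
```

Run it against `dmesg` output instead of the sample to see which chain family (input, forward or output) and which destination port firewalld is refusing on the server that fails.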
firewalld-users@lists.fedorahosted.org