No access to my auto-hosted sites since VPS upgrade #3868
Comments
Follow https://github.com/Ysurac/openmptcprouter/wiki/Port-forwarding#debug and give me the result.
Thanks, I cannot (or don't know how to) access the VPS. I'll ask Milkywan for help and will come back to you.
In fact, just the tcpdump part on the router will tell whether the firewall config works or not.
Here are the results:

```
root@OpenMPTCProuter:~# tcpdump -i tun0 port 80
root@OpenMPTCProuter:~# tcpdump -i tun0 port 443
```

When you tried to reach the website?
Here it is:

```
root@OpenMPTCProuter:~# uci show firewall
```
And what Milkywan sent me (it seems OK to me):

```
cat /etc/shorewall/rules
#
# Shorewall version 4.0 - Sample Rules File for two-interface configuration.
# Copyright (C) 2006-2014,2007 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
#							PORT	PORT(S)		DEST		LIMIT		GROUP
?SECTION ALL
#	Don't allow connection pickup from the net
Invalid(DROP)	net		all		tcp
#	Accept DNS connections from the firewall to the network
DNS(ACCEPT)	$FW		net
#	Allow Ping from/to the VPN
Ping(ACCEPT)	vpn		$FW
#	Allow Ping from the firewall to the network
Ping(ACCEPT)	$FW		net
#	Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#Ping(DROP)	net		$FW
#	Accept connection from port > 65000 for shadowsocks and glorytun on the firewall
ACCEPT		net		$FW		tcp	65000-65535
#	Accept connection from SSH to the firewall
ACCEPT		net		$FW		tcp	65222
#	DHCP forward to the VPN from the firewall
DHCPfwd(ACCEPT)	$FW		vpn
#	Redirect all port from 1 to 64999 to the VPN client from the network
#DNAT		net		vpn:$OMR_ADDR	tcp	1-64999

cat /etc/shorewall/params.vpn
VPS_ADDR=10.255.252.1
```
Can you try, if you have access to the VPS, to do a

Edit: In my test (after using the good IP...) it's working when SNAT rules are also set for the web server.
I will ask Milkywan if they can do this for me since I have no access to the VPS; it is fully managed by them. On my side, nothing has been changed on the router. It stopped working after the VPS update (if there's no solution, I'll ask Milkywan to downgrade to the former one in order to get access to my sites again).
What is the result of
Here it is:

```
root@OpenMPTCProuter:~# ip r
```

And
And here it is (edited to insert blank lines for easy reading):

```
root@OpenMPTCProuter:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: ip6tnl0@NONE: mtu 1452 qdisc noop state DOWN group default qlen 1000
3: sit0@NONE: mtu 1480 qdisc noop state DOWN group default qlen 1000
4: gre0@NONE: mtu 1476 qdisc noop state DOWN group default qlen 1000
5: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
6: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
7: ip6gre0@NONE: mtu 1448 qdisc noop state DOWN group default qlen 1000
8: teql0: mtu 1500 qdisc noop state DOWN group default qlen 100
9: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
10: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
11: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
13: 6in4-omr6in4@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
26: ifb4eth1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
29: ifb4eth2: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
31: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
```

VPN is now on "10.255.252.3", don't know if the VPS side was updated. I will make some tests.
Here are the results from the VPS (thanks Milkywan):

The ping does not go through:

```
ping 10.255.252.6
PING 10.255.252.6 (10.255.252.6) 56(84) bytes of data.
^C
--- 10.255.252.6 ping statistics ---
16 packets transmitted, 0 received, 100% packet loss, time 15355ms
```

```
iptables-save
```
Yes, the VPN IP on the client side has changed and the VPS is not up to date. I have made a fix that I am testing before putting it in the develop branch.
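The mismatch the maintainer describes (the router's tunnel address moved while the VPS still forwards to the old one) can be checked mechanically from `iptables-save` output. The script below is an added example, not code from the OpenMPTCProuter project: it reports DNAT rules whose target is not the router's current tunnel address and forwarded ports that lack a matching filter ACCEPT. The dump it runs on is a constructed sample modelled on the one posted in this thread, and the expected client address (10.255.252.3, as the reporter noted) is an assumption passed in by the caller.

```python
import re

# Constructed sample in iptables-save format, modelled on the VPS dump in this
# thread: DNAT targets and filter ACCEPTs still name the old tunnel address
# (10.255.252.6) while the router now reports 10.255.252.3 on tun0.
SAMPLE_IPTABLES_SAVE = """\
*filter
:net-vpn - [0:0]
-A net-vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-vpn -d 10.255.252.6/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A net-vpn -d 10.255.252.6/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A net-vpn -j DROP
COMMIT
*nat
:net_dnat - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A net_dnat -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.255.252.6
-A net_dnat -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.255.252.6
-A net_dnat -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.255.252.6
COMMIT
"""

# One DNAT rule as iptables-save prints it (an optional :port suffix is tolerated).
DNAT_RE = re.compile(
    r"^-A (?P<chain>\S+) -p (?P<proto>tcp|udp) -m \S+ --dport (?P<port>\S+)"
    r" -j DNAT --to-destination (?P<dest>[\d.]+)(?::\d+)?$"
)
# The matching filter-table ACCEPT for a forwarded port, keyed on destination host.
ACCEPT_RE = re.compile(
    r"^-A (?P<chain>\S+) -d (?P<dest>[\d.]+)/32 -p (?P<proto>tcp|udp)"
    r" -m \S+ --dport (?P<port>\S+) -j ACCEPT$"
)


def parse_tables(dump):
    """Split an iptables-save dump into {table_name: [rule lines]}."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
            tables[current] = []
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables


def audit_forwarding(dump, expected_client):
    """Return DNAT rules that do not target expected_client, and DNAT rules
    whose (proto, port, dest) has no ACCEPT in the filter table."""
    tables = parse_tables(dump)
    accepts = set()
    for line in tables.get("filter", []):
        m = ACCEPT_RE.match(line)
        if m:
            accepts.add((m["proto"], m["port"], m["dest"]))
    stale, unfiltered = [], []
    for line in tables.get("nat", []):
        m = DNAT_RE.match(line)
        if not m:
            continue
        entry = (m["proto"], m["port"], m["dest"])
        if m["dest"] != expected_client:
            stale.append(entry)
        if entry not in accepts:
            unfiltered.append(entry)
    return {"stale_dnat": stale, "dnat_without_accept": unfiltered}


if __name__ == "__main__":
    report = audit_forwarding(SAMPLE_IPTABLES_SAVE, "10.255.252.3")
    for proto, port, dest in report["stale_dnat"]:
        print(f"stale DNAT: {proto}/{port} -> {dest}, router is now 10.255.252.3")
    for proto, port, dest in report["dnat_without_accept"]:
        print(f"DNAT without filter ACCEPT: {proto}/{port} -> {dest}")
```

On a real VPS, feed it the output of `iptables-save` and the address shown for tun0 on the router; an empty report means the forwarding and filter rules agree with the current tunnel address.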
Can't access my web servers from external.
I should be able to access my web sites (eg. https://video.amiga-ng.org). I can access them from my internal network.
Current Behavior
I try to access my websites but get stuck until timeout. Nothing relevant in the System log (except this: Mar 22 09:46:36 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dscp_cs2_6 Error: Could not resolve hostname: Name has no usable address).
It used to work correctly. I even restored my saved configuration from the server to be sure I had not changed anything. Still the same problem. Everything is OK in Firewall rules and OMR-Bypass.
Possible Solution
Maybe downgrade the VPS?