From: readme@catastrophe.net
To: netfilter@vger.kernel.org
Subject: Masquerading clients while trying to send traffic over ipsec tunnel
Date: Tue, 24 Oct 2023 18:43:19 -0500
Message-ID: <ZThWlmG0O5H88NkX@catastrophe.net>

Greetings -

I have a Raspberry Pi running OpenIKED whose clients I'm both trying to
masquerade, as well as allow traffic to flow across the ipsec tunnel for
access to resources behind that tunnel. The raspi has two interfaces,
wlan0 (WAN interface with a dynamic address) and eth0 for its clients.

When iked is running without masquerading, I can establish TCP sessions with
remote devices on the far side of the tunnel but clients behind the rpi
device obviously can't get anywhere else. When enabling masquerading with
`iptables -A POSTROUTING -o wlan0 -j MASQUERADE`, all traffic from LAN
clients works over wlan0, but the ipsec traffic drops (logs below).

Traffic originating from the far end of the tunnel (10.88.0.0/22) to
eth0 on the raspi (10.88.12.1) works both with, and without, masquerading
enabled.

My question is: at what stage do I need an entry to send traffic from
both the raspi device, and its clients, over the tunnel?

Many thanks in advance for any assistance.


iptables output of existing policies
------------------------------------

raspi# iptables-save
# Generated by iptables-save v1.8.9 (nf_tables) on Tue Oct 24 17:56:29 2023
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.88.12.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.92/32 -i wlan0 -p esp -j ACCEPT
-A INPUT -s 203.0.113.92/32 -i wlan0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -s 203.0.113.92/32 -i wlan0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID Input: "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -j LOG --log-prefix "filtered on INPUT "
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID Forward: "
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j LOG --log-prefix "filtered on FORWARD "
-A FORWARD -s 10.88.0.0/22 -i wlan0 -j ACCEPT
-A FORWARD -d 10.88.0.0/22 -o wlan0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.88.12.0/24 -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 203.0.113.92/32 -o wlan0 -p esp -j ACCEPT
-A OUTPUT -d 203.0.113.92/32 -o wlan0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -d 203.0.113.92/32 -o wlan0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID Output: "
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -j LOG --log-prefix "filtered on OUTPUT "
COMMIT
# Completed on Tue Oct 24 17:56:29 2023
# Generated by iptables-save v1.8.9 (nf_tables) on Tue Oct 24 17:56:29 2023
*nat
:PREROUTING ACCEPT [190:39368]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [20:1514]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 24 17:56:29 2023


Network interfaces
------------------
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.88.12.1  netmask 255.255.255.128  broadcast 10.88.12.127
        ether b8:27:eb:AA:AA:AA  txqueuelen 1000  (Ethernet)

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.88.87.244  netmask 255.255.255.0  broadcast 10.88.87.255
        ether b8:27:eb:BB:BB:BB  txqueuelen 1000  (Ethernet)


sysctl entries
--------------
net.ipv4.ip_forward=1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.route_localnet=1
net.ipv4.conf.wlan0.route_localnet=1


Logs generated when trying to ping from 10.88.12.33 to 10.88.2.1
----------------------------------------------------------------
Oct 24 17:53:17 raspi kernel: [ 2378.215277] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:7c:14:00:00:3f:01:dc:c3 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31764 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=53 
Oct 24 17:53:18 raspi kernel: [ 2379.215437] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:0d:70:00:00:3f:01:4b:68 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=3440 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=54 
Oct 24 17:53:19 raspi kernel: [ 2380.216018] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:12:01:00:00:3f:01:46:d7 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4609 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=55 
Oct 24 17:53:20 raspi kernel: [ 2381.221037] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:20:f6:00:00:3f:01:37:e2 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=8438 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=56 
Oct 24 17:53:21 raspi kernel: [ 2382.224893] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:69:3f:00:00:3f:01:ef:98 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=26943 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=57 
Oct 24 17:53:22 raspi kernel: [ 2383.229580] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:93:4e:00:00:3f:01:c5:89 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=37710 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=58 
Oct 24 17:53:23 raspi kernel: [ 2384.206943] filtered on OUTPUT IN= OUT=wlan0 SRC=172.20.10.7 DST=193.187.181.6 LEN=76 TOS=0x18 PREC=0xA0 TTL=64 ID=58576 DF PROTO=UDP SPT=123 DPT=123 LEN=56 
Oct 24 17:53:23 raspi kernel: [ 2384.231952] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:ed:bb:00:00:3f:01:6b:1c SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60859 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=59 
Oct 24 17:53:24 raspi kernel: [ 2385.236071] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:f5:56:00:00:3f:01:63:81 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62806 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=60 
Oct 24 17:53:25 raspi kernel: [ 2386.239202] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:68:27:00:00:3f:01:f0:b0 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=26663 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=61 
^C


OpenIKED Security Associations
------------------------------
raspi# ikectl show sa
iked_sas: 0x521cd0 rspi 0xfc372dd59a6a7135 ispi 0xe807599ca44293b8 10.88.87.244:500->203.0.113.92:500<FQDN/openbsd-server.example.com>[] ESTABLISHED i nexti (nil) pol 0x522dc0
  sa_childsas: 0x544fa8 ESP 0x25dbb484 out 10.88.87.244:500 -> 203.0.113.92:500 (L) B=(nil) P=0x545d10 @0x521cd0
  sa_childsas: 0x545d10 ESP 0xa8c1ee0a in 203.0.113.92:500 -> 10.88.87.244:500 (LA) B=(nil) P=0x544fa8 @0x521cd0
  sa_flows: 0x54a0c8 ESP out 10.88.0.0/22 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x549ce8 ESP out 10.88.12.0/25 -> 10.88.0.0/22 [0]@-1 (L) @0x521cd0
  sa_flows: 0x549ed8 ESP in 10.88.0.0/22 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54a698 ESP out 10.88.0.0/22 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54a2b8 ESP out 10.88.12.128/25 -> 10.88.0.0/22 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54a4a8 ESP in 10.88.0.0/22 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54ad68 ESP out 203.0.113.92/32 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54a888 ESP out 10.88.12.0/25 -> 203.0.113.92/32 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54aa78 ESP in 203.0.113.92/32 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54b338 ESP out 203.0.113.92/32 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54af58 ESP out 10.88.12.128/25 -> 203.0.113.92/32 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54b148 ESP in 203.0.113.92/32 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
iked_activesas: 0x544fa8 ESP 0x25dbb484 out 10.88.87.244:500 -> 203.0.113.92:500 (L) B=(nil) P=0x545d10 @0x521cd0
iked_activesas: 0x545d10 ESP 0xa8c1ee0a in 203.0.113.92:500 -> 10.88.87.244:500 (LA) B=(nil) P=0x544fa8 @0x521cd0
iked_flows: 0x549ed8 ESP in 10.88.0.0/22 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54aa78 ESP in 203.0.113.92/32 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54a4a8 ESP in 10.88.0.0/22 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54b148 ESP in 203.0.113.92/32 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x549ce8 ESP out 10.88.12.0/25 -> 10.88.0.0/22 [0]@-1 (L) @0x521cd0
iked_flows: 0x54a2b8 ESP out 10.88.12.128/25 -> 10.88.0.0/22 [0]@-1 (L) @0x521cd0
iked_flows: 0x54a888 ESP out 10.88.12.0/25 -> 203.0.113.92/32 [0]@-1 (L) @0x521cd0
iked_flows: 0x54af58 ESP out 10.88.12.128/25 -> 203.0.113.92/32 [0]@-1 (L) @0x521cd0
iked_flows: 0x54a0c8 ESP out 10.88.0.0/22 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54ad68 ESP out 203.0.113.92/32 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54a698 ESP out 10.88.0.0/22 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54b338 ESP out 203.0.113.92/32 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
iked_dstid_sas: 0x521cd0 rspi 0xfc372dd59a6a7135 ispi 0xe807599ca44293b8 10.88.87.244:500->203.0.113.92:500<FQDN/openbsd-server.example.com>[] ESTABLISHED i nexti (nil) pol 0x522dc0




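Editor's note, added example (not part of the original post or of any reply to it). The stage the question asks about is the nat POSTROUTING chain, and the order of rules in it. Netfilter's nat POSTROUTING hook runs before the kernel's outbound XFRM (IPsec policy) lookup, so once `-j MASQUERADE` has rewritten a LAN client's source address to the wlan0 address (10.88.87.244), the packet no longer matches any of the `sa_flows` selectors listed above (all of them are 10.88.12.0/25 or 10.88.12.128/25 towards 10.88.0.0/22 or 203.0.113.92/32) and leaves wlan0 in clear instead of being encapsulated. The fix is an exclusion above the MASQUERADE rule using the xt_policy match (`-m policy --dir out --pol ipsec`), which matches packets that an outbound IPsec policy already claims. The script below emits that nat table in iptables-restore syntax, emits a fail-closed guard so traffic for the remote network is dropped rather than sent in clear when the SA is down, and contains an offline check that the exclusion really precedes MASQUERADE in a given `iptables-save` dump. Interface and network names are taken from the post; the `apply` mode and the `filter_guard` rules are the editor's suggestion, not something the post or OpenIKED provides.

```shell
#!/bin/sh
# Added example (editor's, not the original poster's configuration).
# Interface and subnets come from the post; everything else is an assumption.
set -eu

WAN_IF="wlan0"              # WAN/uplink interface (from the post)
REMOTE_NET="10.88.0.0/22"   # network on the far side of the tunnel (from the post)

# Emit the nat table in iptables-restore syntax.  Rule order is the whole
# point: the policy-match exclusion must sit above MASQUERADE, because nat
# POSTROUTING runs before the outbound XFRM policy lookup.  Packets that an
# IPsec policy already claims are ACCEPTed here, which in the nat table means
# "no NAT for this packet", so they keep their 10.88.12.x source and still
# match the SPD selectors iked installed.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${WAN_IF} -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# Fail-closed guard for the filter table (editor's suggestion): if the SA is
# down, packets for REMOTE_NET have no IPsec policy ("--pol none") and would
# otherwise be masqueraded and sent over wlan0 in clear.  Drop them instead.
filter_guard() {
    cat <<EOF
iptables -I FORWARD 1 -o ${WAN_IF} -d ${REMOTE_NET} -m policy --dir out --pol none -j DROP
iptables -I OUTPUT 1 -o ${WAN_IF} -d ${REMOTE_NET} -m policy --dir out --pol none -j DROP
EOF
}

# Offline check: read an iptables-save style dump on stdin and return 0 only
# if POSTROUTING has the IPsec exclusion AND it precedes the MASQUERADE rule.
check_order() {
    awk '
        /^-A POSTROUTING/ && /-m policy --dir out --pol ipsec/ { if (!excl) excl = NR }
        /^-A POSTROUTING/ && /-j MASQUERADE/                   { if (!masq) masq = NR }
        END { exit (excl && masq && excl < masq) ? 0 : 1 }
    '
}

# Apply only when explicitly asked and running as root.  iptables-restore
# replaces just the tables present in its input, so only *nat is rewritten;
# the existing filter table is left alone apart from the two guard rules.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    nat_rules | iptables-restore
    filter_guard | sh
    iptables-save -t nat | check_order && echo "nat POSTROUTING order OK"
fi
```

Run it as `sh fix-nat.sh` to print nothing and just define the functions, `sh fix-nat.sh apply` (as root) to install the rules, or `iptables-save -t nat | sh -c '. ./fix-nat.sh; check_order'` to audit an existing box. Two caveats the post's output makes visible: the nat dump above has only the bare `-A POSTROUTING -o wlan0 -j MASQUERADE` line, so `check_order` fails on it as it stands; and the `sa_flows` selectors only cover 10.88.12.0/25 and 10.88.12.128/25, so packets the raspi itself originates with the wlan0 address 10.88.87.244 as source will never be encapsulated regardless of NAT. The raspi's own traffic to 10.88.0.0/22 has to be sourced from 10.88.12.1 (for example with a `src 10.88.12.1` hint on the route to that network) or the iked flow configuration has to include the wlan0 address; which of the two fits depends on the iked.conf, which the post does not show.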