Thanks Keith.  Here's the output:
     root at ubuntu2:~# iptables -vnL FORWARD
     Chain FORWARD (policy ACCEPT 745 packets, 47680 bytes)
      pkts bytes target     prot opt in     out     source               destination
      6299  416K ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      6299  416K ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      6299  416K ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      6299  416K ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      6299  416K ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
What's interesting is when I watch this command I see the packet count
increasing as I run MTR on the remote node, indicating to me that the packets
are arriving and hitting the correct chain, but not making it out or going out
the wrong interface......hmmm.  As you can tell I use UFW so here's the
output of "ufw status numbered":
     root at ubuntu2:~# ufw status numbered
     Status: active
          To                         Action      From
          --                         ------      ----
     [ 1] 161                        ALLOW IN    Anywhere
     [ 2] 22                         ALLOW IN    Anywhere
     [ 3] 1194                       ALLOW IN    Anywhere
     [ 4] 655                        ALLOW IN    Anywhere
     [ 5] DNS                        ALLOW IN    Anywhere
Very Respectfully,
Kismet Agbasi
-----Original Message-----
From: Keith [mailto:keith at rhizomatica.org] 
Sent: Thursday, October 6, 2016 10:14 AM
To: tinc at tinc-vpn.org; kagbasi at centraltruck.net
Subject: Re: Can't Route LAN Traffic Behind Tinc Network
On 06/10/2016 15:48, Kismet Agbasi wrote:
>> Did you remember to activate kernel ip forwarding?
>> i.e. echo 1 > /proc/sys/net/ipv4/ip_forward ?
> I actually forgot to do this, but I have enabled it now in
> /etc/sysctl.conf and can confirm now after a reboot that it's enabled.
> Unfortunately, still can't ping the node on the LAN.
OK, let's just do one other simple thing before we continue: could you post
the output of iptables -vnL FORWARD, as long as it doesn't reveal anything
you would prefer not to be public.
Thanks!
On 06/10/2016 16:33, Kismet Agbasi wrote:
> Thanks Keith. Here's the output:
OK. I'd like to say that I recognize this is now off topic for the tinc list, as it really is about basic routing and firewalls and has little if anything to do with tinc at this point. However, it's a low volume list, so unless anyone complains, let's thrash it out here.
> wrong interface......hmmm. As you can tell I use UFW so here's the output of "ufw status numbered":
>
> root at ubuntu2:~# ufw status numbered
> Status: active
I'm actually unfamiliar with ufw, as I am with most of the plethora of iptables-helpers out there. I could ask you to post a list of all tools and chains (iptables -vnL), but can we just do something simple first as a test? Can you disable your ufw and then run iptables -F FORWARD (just to be sure) and then test your tinc<->LAN connectivity? Your default FORWARD policy is ACCEPT, so this quick check should let us know if the firewall rules are getting in the way. I guess you should quickly re-enable your ufw rules then, so as not to remain unprotected. You have a public IP on this box, I understand.
K/
Thanks again Keith. I disabled UFW and flushed iptables completely, but same result. Pings from the external node are reaching the internal node on the tinc0 interface, but nothing happens after that. Now that I'm thinking of it, I did some masquerading in order to get OpenVPN to work on another box; I wonder if that would be applicable here?
Very Respectfully,
Kismet Agbasi
-----Original Message-----
From: Keith [mailto:keith at rhizomatica.org]
Sent: Thursday, October 6, 2016 10:47 AM
To: kagbasi at centraltruck.net; tinc at tinc-vpn.org
Subject: Re: Can't Route LAN Traffic Behind Tinc Network
> On 06/10/2016 16:33, Kismet Agbasi wrote:
>> Thanks Keith. Here's the output:
> OK. I'd like to say that I recognize this is now off topic for the tinc list, as it really is about basic routing and firewalls and has little if anything to do with tinc at this point. However, it's a low volume list, so unless anyone complains, let's thrash it out here.
>> wrong interface......hmmm. As you can tell I use UFW so here's the output of "ufw status numbered":
>>
>> root at ubuntu2:~# ufw status numbered
>> Status: active
> I'm actually unfamiliar with ufw, as I am with most of the plethora of iptables-helpers out there. I could ask you to post a list of all tools and chains (iptables -vnL), but can we just do something simple first as a test? Can you disable your ufw and then run iptables -F FORWARD (just to be sure) and then test your tinc<->LAN connectivity? Your default FORWARD policy is ACCEPT, so this quick check should let us know if the firewall rules are getting in the way. I guess you should quickly re-enable your ufw rules then, so as not to remain unprotected. You have a public IP on this box, I understand.
> K/
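The checklist Keith walked through (ip_forward, the FORWARD chain's policy and rules) plus the return-route check a forwarding box also needs, as an added example that is not from the thread. The functions take captured output as strings so they can be tested offline; the listings and route table below are constructed, not Kismet's real ones, and the 192.168.1.0/24 LAN and tinc0/eth1 interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the usual reasons a box
# fails to forward VPN<->LAN traffic. All sample inputs here are constructed.

# Constructed listing shaped like the one posted in the thread (ufw jump chains).
FWD_OPEN='Chain FORWARD (policy ACCEPT 745 packets, 47680 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6299  416K ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 6299  416K ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0'
# Constructed listing where an explicit top-level rule rejects tinc0 -> eth1 traffic.
FWD_REJECT='Chain FORWARD (policy ACCEPT 12 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 REJECT     all  --  tinc0  eth1    0.0.0.0/0            0.0.0.0/0'
# Constructed `ip route` output: LAN on eth1 (assumed), VPN on tinc0.
ROUTES='default via 203.0.113.1 dev eth0
10.0.0.0/24 dev tinc0 proto kernel scope link src 10.0.0.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1'

# ip_forward_enabled <contents of /proc/sys/net/ipv4/ip_forward> -> true if "1"
ip_forward_enabled() { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]; }
# forward_policy <iptables -vnL FORWARD output> -> prints the chain's default policy
forward_policy() {
  printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}
# blocking_rules <listing> -> prints top-level rules whose target is DROP or REJECT.
# Jumps into user chains (ufw-*) are not followed; that is why flushing the
# chain, as Keith suggested, remains the definitive test.
blocking_rules() {
  printf '%s\n' "$1" | awk 'NR > 2 && ($3 == "DROP" || $3 == "REJECT")'
}
# has_route <ip route output> <prefix> -> true if a route for that prefix exists
has_route() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}
# forward_diag <ip_forward> <FORWARD listing> <ip route output> <LAN prefix>
# Prints the first thing that would stop forwarded packets, or looks-ok.
# NAT (the masquerade question above) is deliberately out of scope here.
forward_diag() {
  ip_forward_enabled "$1" || { echo no-ip-forward; return 1; }
  pol=$(forward_policy "$2")
  [ "$pol" = ACCEPT ] || { echo "forward-policy-$pol"; return 1; }
  [ -z "$(blocking_rules "$2")" ] || { echo forward-rule-blocks; return 1; }
  has_route "$3" "$4" || { echo no-route; return 1; }
  echo looks-ok
}
# Live use on the forwarding box (as root), with your own LAN prefix:
# forward_diag "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -vnL FORWARD)" "$(ip route)" 192.168.1.0/24
```

A looks-ok verdict only means this box will forward; the LAN hosts still need a route back to the tinc subnet (or NAT on this box), which is the part the thread has not yet settled.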