iptables error!!
theralse opened this issue · 23 comments
I have met the iptables error when deploying the latest qbittorrentvpn image on Q-NAP container station.
iptables: Operation not supported.
iptables: Invalid argument. Run `dmesg' for more information.
iptables v1.8.2 (nf_tables): unknown option "--dport"
iptables v1.8.2 (nf_tables): unknown option "--sport"
iptables v1.8.2 (nf_tables): unknown option "--icmp-type"
Try `iptables -h' or 'iptables --help' for more information.
That will expose the real IP to others.
I am not familiar with the Docker engine on Q-NAP devices.
But as a starting point for troubleshooting: you are running the container privileged, right?
Yes, "docker run --privileged".
And also used "docker exec -it container bash" to login this container.
There is no update for iptables.
This problem was solved after changing iptables to the legacy one.
ln -sf /usr/sbin/iptables-legacy /usr/sbin/iptables
But this docker is not stable, the docker will halt after the kill switch is triggered.
Is there any log with more detail for debugging?
I guess QNAP uses an old kernel that doesn't support the new iptables version, no idea why that would be exactly.
Anyhow, what I can do is add an environment variable called LEGACY_IPTABLES and, depending on whether that one is set to 1 (on) or 0 (off), it will 'replace' the original iptables with the iptables-legacy one. Would that be a fine solution?
Any changes you make to a Docker will stay. It will only 'break' if you update it or reinstall it.
Was this implemented? I'm on QNAP and seeing the same sort of errors, and it looks like my non-VPN IP is appearing in some of the torrents.
Cool, let me know if I can supply any logs etc that might help. The main thing I see that suggests a problem is this:
iptables: Operation not supported.
iptables: Invalid argument. Run `dmesg' for more information.
iptables: Invalid argument. Run `dmesg' for more information.
iptables v1.8.2 (nf_tables): unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): unknown option "--sport"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): unknown option "--icmp-type"
Try `iptables -h' or 'iptables --help' for more information.
iptables: Invalid argument. Run `dmesg' for more information.
2021-02-15 09:16:19.252839 [INFO] iptables defined as follows...
@countstex I've added a new tag which has the following environment variable: LEGACY_IPTABLES. If you set this to true, it should use the legacy iptables instead of iptables (nf_tables).
It just runs ln -sf for all the iptables related binaries.
Please try the Docker with the tag legacy_iptables, like this: dyonr/qbittorrentvpn:legacy_iptables
Since I do not have a way to test this myself, please send me the errors you receive and I'll see if I can fix it.
Not seeing anything that looks like an error to me now, though not really sure what I am looking for! ;)
log.txt
Log.txt also looks good to me.
If the IP of your client is the IP of your VPN provider, I guess it's all good.
Does your VPN provider also provide WireGuard configurations? If so, could you perhaps test to see if WireGuard also works without problems?
Hmm, just had a look, seems VYPR does support wireguard, but only via their app. No .conf files available at this time :(
Hmm, might not be totally out of the woods. I've noticed the client stops working after various periods of time, looks like the tun interface just disappears (can no longer see it as an option in the settings menu) and I have to restart the container. Not seeing anything showing up in the logs mentioning any problems though.
It is possible that the container loses connection with your VPN connection, or coincidentally 1 ping fails while checking if the network is still reachable. If you run the container with the extra parameters --restart unless-stopped, it restarts the container automatically, only having a few seconds of downtime while it restarts.
I have that set, however the container itself is fine, so it has not 'stopped' as far as docker is concerned, so it just sits there without the tun interface.
@Dynor just FYI, I had to resort to dyonr/qbittorrentvpn:legacy_iptables to get it up and running on Synology DSM 7.0.
Is it your intention to add LEGACY_IPTABLES to :latest?
I am unsure, but I think the legacy might have had some issues regarding IP leaks, but it was a long time ago I played around with it, so I don't know.
Due to my personal life I also don't have much time to work on the Docker anymore, but I'll try to make some time soon to work on it and also look at this again.
@DyonR no rush! I'll try and see if I can work out why nftables isn't working on DSM 7.
Looking at it, the original code of LEGACY_IPTABLES still exists in the latest/master, but it is commented out. No idea why I did that.
I'll uncomment the lines so running :latest / master will also support LEGACY_IPTABLES. I'm working on the dev branch now to play around before I make any official pushes to master/latest. I'll let you know when :latest is updated and pushed to Docker Hub.
@DyonR thanks! I did look into why nftables on DSM 7 isn't working, and it turns out the executable is crashing on a null pointer exception. Perhaps there's a mismatch between the executable in the container and the kernel, not sure.
It's still odd to me how this problem exists.
My own container runs fine with iptables v1.8.2 (nf_tables), while my host OS runs iptables v1.8.5 (legacy), on the Linux kernel 5.10.28.
I also found a way easier way to revert back to iptables (legacy), just by running update-alternatives --set iptables /usr/sbin/iptables-legacy, instead of the ln linking I did now.
@DyonR DSM's kernels are typically quite old (the new DSM 7 release uses kernel 4.4), so it might be related to that.
Perhaps yeah, anyhow. The container on Docker Hub is updated with the new changes, with LEGACY_IPTABLES enabled again.
Many thanks!
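
Added example, not part of the thread and not the qbittorrentvpn start script: a fail-closed check an entrypoint could run after applying its kill-switch rules, so that the errors quoted above stop the client from starting instead of leaving it running unfiltered. The function names and the sample strings are assumptions made for illustration; the update-alternatives command is the one given in the thread.

```sh
#!/bin/sh
# Constructed samples, modelled on the log lines quoted in this thread.
SAMPLE_BAD='iptables: Operation not supported.
iptables v1.8.2 (nf_tables): unknown option "--dport"'
SAMPLE_OK='2021-02-15 09:16:19.252839 [INFO] iptables defined as follows...'

# Classify the backend from `iptables --version` output, e.g.
# "iptables v1.8.2 (nf_tables)" or "iptables v1.8.5 (legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Succeed (exit 0) when the captured rule-setup output contains one of
# the failure signatures reported in the thread.
rules_failed() {
    printf '%s\n' "$1" |
        grep -Eq 'iptables: (Operation not supported|Invalid argument)|unknown option "--'
}

# $1 = version string, $2 = output captured while applying the rules.
# proceed          : rules loaded, safe to start the client
# switch_to_legacy : nf_tables backend rejected the rules, retry on legacy
# abort            : rules failed and no fallback is left, do not start
decide() {
    if ! rules_failed "$2"; then
        echo proceed
    elif [ "$(iptables_backend "$1")" = nf_tables ]; then
        echo switch_to_legacy
    else
        echo abort
    fi
}

# Backend switch as given in the thread (needs root inside the container).
switch_to_legacy() {
    update-alternatives --set iptables /usr/sbin/iptables-legacy
}

# Typical use inside an entrypoint (apply_rules is a placeholder):
#   out=$(apply_rules 2>&1)
#   action=$(decide "$(iptables --version)" "$out")
```
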