laserbat/vpnify

Packets are blocked with basic firewall in iptables

glubsy opened this issue · 3 comments

I've spent days trying to figure this out, and this is probably not the right place to ask for advice, but just in case someone happens to have suggestions:

When my iptables default policies are (other rules seem irrelevant)

:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT

I use unvpnify to avoid using a VPN and it works fine.

However, when my iptables default policies are DROP like so (I have other rules, but probably irrelevant?):

:INPUT DROP
:FORWARD DROP
:OUTPUT DROP

I can't get any packet to go out/in anymore while in unvpnify. Other interfaces (tun, eth0) still work fine.
I've tried setting rules for ICMP packets, for example, but it seems none are counted in iptables (no packet goes through the INPUT/OUTPUT chains and ICMP-specific rules).

I'm guessing I need to change something with the routing table.

Found the problem: I had to avoid dropping on the FORWARD chain.

Hope this helps someone in the future. :)

I also figured that in order to forward ports, you have to add these to the nat table:

*nat
-A PREROUTING -p tcp --dport 55011 -j DNAT --to 10.118.0.1 -m comment --comment "unvpnify port 55011 forwarding" 
-A PREROUTING -p udp --dport 55011 -j DNAT --to 10.118.0.1 -m comment --comment "unvpnify port 55011 forwarding"
COMMIT

I think it should be possible to add this to user defined hooks, to make it a bit more dynamic (the subnet IP is hardcoded here, not ideal). Perhaps we could improve the script by making it easier for users to figure this out too.

Yeah, I will add some more info to documentation and example hooks. Thank you
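The two findings in this thread (FORWARD must let the namespace's packets through, and forwarded ports need DNAT rules) can be combined without hardcoding the address, as in the added example below; it is not code from the thread or from vpnify. The function names are hypothetical, and it assumes the address the thread DNATs to (10.118.0.1) is also the source address of the namespace's outbound traffic, so FORWARD can keep its DROP policy and accept only that traffic.

```shell
#!/bin/sh
# Added example, not vpnify code. Emits an iptables-restore fragment that keeps
# the FORWARD policy at DROP and opens only what one namespace address needs.
# Assumption: NS_IP (10.118.0.1 in the thread) is both the DNAT target and the
# source address of the namespace's outbound traffic.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_port PORT: succeed only for an integer in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules NS_IP PORT: print the fragment. Both values are pasted into rule
# text, so anything that is not a plain address and port is refused.
gen_rules() {
    ns_ip=$1 port=$2
    valid_ipv4 "$ns_ip" || { echo "bad address: $ns_ip" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    note="unvpnify port $port forwarding"
    cat <<EOF
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $ns_ip -j ACCEPT
-A FORWARD -d $ns_ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d $ns_ip -p udp --dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
-A PREROUTING -p tcp --dport $port -j DNAT --to-destination $ns_ip -m comment --comment "$note"
-A PREROUTING -p udp --dport $port -j DNAT --to-destination $ns_ip -m comment --comment "$note"
COMMIT
EOF
}

# Check before loading: gen_rules 10.118.0.1 55011 | iptables-restore --noflush --test
if [ "$#" -eq 2 ]; then gen_rules "$1" "$2"; fi
```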