Iptables masquerade rule does not persist on reboot
OfficialMuffin opened this issue · 18 comments
In raising this issue I confirm that
- I have read the documentation
- I have read and understood the PiVPN General Guidelines
- I have read and understood the PiVPN Troubleshooting Guidelines
- The issue I am reporting isn't a duplicate, see closed issues and open issues.
- I have searched for similar issues and solutions
- I can replicate the issue even after a clean OS installation
Describe the issue
When rebooted, communication between wireguard clients works but there is no Internet connection. When pivpn -d is used upon reboot, it asks me to add the masquerade rule again. It works!
When checking the firewall file, multiple masquerade rules have been added from previous attempts but pivpn ignores these. I have tried manually deleting all the duplicate rules too.
Expected behavior
Upon reboot all masquerading rules from a previous pivpn -d command should be detected and it shouldn't have to add another line.
Please describe the steps to replicate the issue
- Install PiVPN using bash script
- Add client
- Reboot Server
- Do pivpn -d. Script should ask to add masquerade rule to iptables
- Reboot again
- Run pivpn -d again and script should ask again to add masquerade rule
Have you taken any steps towards solving your issue?
None, I'm not sure how to solve this issue.
Screenshots
No response
Where did you run pivpn?
Raspberry Pi 4 8GB
Please provide your output from uname -a
Linux pihole 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
Details about Operative System
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Installation
No response
Profile / Client creation
No response
Debug output
::: Generating Debug Output
:::: PiVPN debug ::::
=============================================
:::: Latest commit ::::
Branch: master
Commit: f7f81e1bf47b5f4564b6ded7a516da5fd3c2f63c
Author: 4s3ti
Date: Mon Nov 28 23:32:17 2022 +0100
Summary: fix(scripts): uninstall default option
=============================================
:::: Installation settings ::::
PLAT=Debian
OSCN=bullseye
USING_UFW=1
pivpnforceipv6route=1
IPv4dev=eth0
IPv4addr=192.168.0.25/24
IPv4gw=192.168.0.1
install_user=nick
install_home=/home/nick
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.6.0.1
pivpnDNS2=
pivpnHOST=REDACTED
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.6.0.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=1
INSTALLED_PACKAGES=()
=============================================
:::: Server configuration shown below ::::
[Interface]
PrivateKey = server_priv
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51820
### begin Note20 ###
[Peer]
PublicKey = Note20_pub
PresharedKey = Note20_psk
AllowedIPs = 10.6.0.2/32
### end Note20 ###
### begin Yoga6 ###
[Peer]
PublicKey = Yoga6_pub
PresharedKey = Yoga6_psk
AllowedIPs = 10.6.0.3/32
### end Yoga6 ###
### begin TabS7 ###
[Peer]
PublicKey = TabS7_pub
PresharedKey = TabS7_psk
AllowedIPs = 10.6.0.4/32
### end TabS7 ###
### begin Office ###
[Peer]
PublicKey = Office_pub
PresharedKey = Office_psk
AllowedIPs = 10.6.0.5/32
### end Office ###
### begin Nextcloud ###
[Peer]
PublicKey = Nextcloud_pub
PresharedKey = Nextcloud_psk
AllowedIPs = 10.6.0.6/32
### end Nextcloud ###
=============================================
:::: Client configuration shown below ::::
[Interface]
PrivateKey = Note20_priv
Address = 10.6.0.2/24
DNS = 10.6.0.1
[Peer]
PublicKey = server_pub
PresharedKey = Note20_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0
=============================================
:::: Recursive list of files in ::::
:::: /etc/wireguard shown below ::::
/etc/wireguard:
configs
keys
wg0.conf
/etc/wireguard/configs:
clients.txt
Nextcloud.conf
Note20.conf
Office.conf
TabS7.conf
Yoga6.conf
/etc/wireguard/keys:
Nextcloud_priv
Nextcloud_psk
Nextcloud_pub
Note20_priv
Note20_psk
Note20_pub
Office_priv
Office_psk
Office_pub
server_priv
server_pub
TabS7_priv
TabS7_psk
TabS7_pub
Yoga6_priv
Yoga6_psk
Yoga6_pub
=============================================
:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [OK] Ufw is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] Ufw input rule set
:: [OK] Ufw forwarding rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled
(it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq
=============================================
:::: WARNING: This script should have automatically masked sensitive ::::
:::: information, however, still make sure that PrivateKey, PublicKey ::::
:::: and PresharedKey are masked before reporting an issue. An example key ::::
:::: that you should NOT see in this log looks like this: ::::
:::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe ::::
=============================================
:::: Debug complete ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.log
:::
Post the content of /etc/ufw/before.rules.
Contents of /etc/ufw/before.rules:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment wireguard-nat-rule
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment wireguard-nat-rule
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment wireguard-nat-rule
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment wireguard-nat-rule
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment wireguard-nat-rule
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment wireguard-nat-rule
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment wireguard-nat-rule
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment wireguard-nat-rule
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Keep just one instance of
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment wireguard-nat-rule
COMMIT
Yes, that is what I tried, but on reboot wireguard doesn't forward anything until I do pivpn -d, when it asks me to add the masquerade rule even though it already exists if I leave one instance there. I've even tried removing them all but it still does the same thing.
Reboot and post the output of iptables -vnL -t nat as well as iptables -vnL, without doing pivpn -d.
Here's the output of iptables -vnL -t nat WITHOUT pivpn -d:
Chain PREROUTING (policy ACCEPT 110 packets, 13263 bytes)
pkts bytes target prot opt in out source destination
25 2113 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 13 packets, 1109 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 123 packets, 8736 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 145 packets, 9959 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !br-6879f9dce368 172.19.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !br-9282df294791 172.18.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * eth0 10.85.207.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE tcp -- * * 172.19.0.2 172.19.0.2 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:9000
0 0 MASQUERADE tcp -- * * 172.19.0.2 172.19.0.2 tcp dpt:443
0 0 MASQUERADE tcp -- * * 172.19.0.2 172.19.0.2 tcp dpt:22
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-6879f9dce368 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-9282df294791 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !br-6879f9dce368 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888 to:172.19.0.2:80
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9000 to:172.17.0.2:9000
0 0 DNAT tcp -- !br-6879f9dce368 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4443 to:172.19.0.2:443
0 0 DNAT tcp -- !br-6879f9dce368 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:172.19.0.2:22
and output of iptables -vnL:
Chain INPUT (policy DROP 53 packets, 5653 bytes)
pkts bytes target prot opt in out source destination
165 17288 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 59777
1901 731K ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
1901 731K ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
97 8925 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
53 5653 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
53 5653 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
53 5653 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
466 43331 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
466 43331 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-6879f9dce368 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-6879f9dce368 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-6879f9dce368 !br-6879f9dce368 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-6879f9dce368 br-6879f9dce368 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-9282df294791 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-9282df294791 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-9282df294791 !br-9282df294791 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-9282df294791 br-9282df294791 0.0.0.0/0 0.0.0.0/0
466 43331 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
466 43331 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 12 packets, 528 bytes)
pkts bytes target prot opt in out source destination
1251 183K ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1251 183K ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
183 14971 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
183 14971 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
183 14971 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
183 14971 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-6879f9dce368 br-6879f9dce368 0.0.0.0/0 172.19.0.2 tcp dpt:80
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9000
0 0 ACCEPT tcp -- !br-6879f9dce368 br-6879f9dce368 0.0.0.0/0 172.19.0.2 tcp dpt:443
0 0 ACCEPT tcp -- !br-6879f9dce368 br-6879f9dce368 0.0.0.0/0 172.19.0.2 tcp dpt:22
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-6879f9dce368 !br-6879f9dce368 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-9282df294791 !br-9282df294791 0.0.0.0/0 0.0.0.0/0
466 43331 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-6879f9dce368 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-9282df294791 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
466 43331 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
165 17288 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
4 1312 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
40 1960 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
14 1784 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
466 43331 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
151 15801 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1422 679K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
90 8432 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
90 8432 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
238 27575 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
41 4507 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
197 23068 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
153 15881 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
915 152K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
183 14971 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
14 1248 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
13 2105 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
152 19760 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
42 4543 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
44 3272 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
44 3272 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
9 540 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
162 13903 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
466 43331 ACCEPT all -- wg0 eth0 10.6.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- wg0 wg0 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
76 12620 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820
0 0 ACCEPT tcp -- wg0 * 10.6.0.0/24 0.0.0.0/0 tcp dpt:53
23 1471 ACCEPT udp -- wg0 * 10.6.0.0/24 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- wg0 * 10.6.0.0/24 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- wg0 * 10.6.0.0/24 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- eth0 * 192.168.0.0/24 0.0.0.0/0 udp dpt:53
0 0 tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:59777 ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
0 0 ufw-user-limit tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:59777 ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
0 0 ufw-user-limit-accept tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:59777
0 0 udp -- eth0 * 192.168.0.0/24 0.0.0.0/0 udp dpt:59777 ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
0 0 ufw-user-limit udp -- eth0 * 192.168.0.0/24 0.0.0.0/0 udp dpt:59777 ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
0 0 ufw-user-limit-accept udp -- eth0 * 192.168.0.0/24 0.0.0.0/0 udp dpt:59777
0 0 ACCEPT tcp -- wg0 * 10.6.0.0/24 0.0.0.0/0 tcp dpt:10000
0 0 ACCEPT udp -- wg0 * 10.6.0.0/24 0.0.0.0/0 udp dpt:10000
1 52 ACCEPT tcp -- wg0 * 10.6.0.0/24 0.0.0.0/0 tcp dpt:59777
Chain ufw-user-limit (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Here's the output of iptables -vnL -t nat WITH pivpn -d (just in case):
Chain PREROUTING (policy ACCEPT 515 packets, 37945 bytes)
pkts bytes target prot opt in out source destination
115 10792 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 32 packets, 2356 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 259 packets, 19023 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 6 packets, 409 bytes)
pkts bytes target prot opt in out source destination
11 620 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !br-6879f9dce368 172.19.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !br-9282df294791 172.18.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * eth0 10.85.207.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE tcp -- * * 172.19.0.2 172.19.0.2 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:9000
0 0 MASQUERADE tcp -- * * 172.19.0.2 172.19.0.2 tcp dpt:443
0 0 MASQUERADE tcp -- * * 172.19.0.2 172.19.0.2 tcp dpt:22
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-6879f9dce368 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-9282df294791 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !br-6879f9dce368 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888 to:172.19.0.2:80
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9000 to:172.17.0.2:9000
0 0 DNAT tcp -- !br-6879f9dce368 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4443 to:172.19.0.2:443
0 0 DNAT tcp -- !br-6879f9dce368 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:172.19.0.2:22
and output of iptables -vnL WITH pivpn -d:
Chain INPUT (policy DROP 20 packets, 1786 bytes)
pkts bytes target prot opt in out source destination
953 90936 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 59777
4876 1133K ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
4876 1133K ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
257 20577 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
121 12797 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
121 12797 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
121 12797 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
1524 236K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
1524 236K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-6879f9dce368 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-6879f9dce368 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-6879f9dce368 !br-6879f9dce368 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-6879f9dce368 br-6879f9dce368 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-9282df294791 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-9282df294791 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-9282df294791 !br-9282df294791 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-9282df294791 br-9282df294791 0.0.0.0/0 0.0.0.0/0
1524 236K ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1524 236K ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
7 320 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
7 320 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
7 320 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
7 320 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4231 988K ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
4231 988K ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
263 21236 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
263 21236 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
263 21236 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
263 21236 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-6879f9dce368 br-6879f9dce368 0.0.0.0/0 172.19.0.2 tcp dpt:80
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9000
0 0 ACCEPT tcp -- !br-6879f9dce368 br-6879f9dce368 0.0.0.0/0 172.19.0.2 tcp dpt:443
0 0 ACCEPT tcp -- !br-6879f9dce368 br-6879f9dce368 0.0.0.0/0 172.19.0.2 tcp dpt:22
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-6879f9dce368 !br-6879f9dce368 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-9282df294791 !br-9282df294791 0.0.0.0/0 0.0.0.0/0
1524 236K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-6879f9dce368 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-9282df294791 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
1524 236K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
953 90936 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
50 2450 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
13 1125 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
533 161K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
102 5650 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
38 4408 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
844 138K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
72 4896 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
72 4896 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
84 5323 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
6 534 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
78 4789 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
38 4408 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
949 299K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
48 3725 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
15 826 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
10 715 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
27 2303 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
7 570 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
50 2450 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
50 2450 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
48 3725 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
102 5650 ACCEPT all -- wg0 eth0 10.6.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- wg0 wg0 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- eth0 * 192.168.0.0/24 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- wg0 * 10.6.0.0/24 0.0.0.0/0 tcp dpt:59777
0 0 ACCEPT tcp -- wg0 * 10.6.0.0/24 0.0.0.0/0 tcp dpt:53
9 661 ACCEPT udp -- wg0 * 10.6.0.0/24 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- wg0 * 10.6.0.0/24 0.0.0.0/0 tcp dpt:8085
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
I had the same problem. Try this link; it helped me with WireGuard and OpenVPN: https://www.cyberciti.biz/faq/how-to-save-iptables-firewall-rules-permanently-on-linux/
Apologies, this is an issue with UFW, it seems. The place where PiVPN puts the NAT rule for masquerading is /etc/ufw/before.rules. However, when I restart the UFW service, the rule is still there. When rebooting my Pi, the rule goes missing and I have to run pivpn -d again and add the masquerade rule when asked.
For reference, the rule that goes missing is:
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment wireguard-na>
COMMIT
I have tried the above and will test when I get back home. Also, a similar issue here, if it helps:
https://askubuntu.com/questions/856108/nat-rules-in-etc-ufw-before-rules-not-applied-on-reboot
I can confirm after a few reboots that this fixed the issue! Thanks so much @reza576
Tried pivpn -d again and it recognises that the masquerade rule is already set.
Closing
I keep having the same error.
Every time I restart it loses the "MASQUERADE, FORWARD" etc.
How are we supposed to make it run, or stick, each time?
@Grandclaw If you're on Debian/Ubuntu, just run sudo /sbin/iptables-save > /etc/iptables/rules.v4 after you run pivpn -d to add the necessary rules. Then reboot. It should fix the issue 😄
First of all, thanks for the heads up, man! I didn't expect to get help, so I was surprised.
On the other hand, what do you mean by "necessary rules"?
Yes, I'm on Ubuntu 20.04, so as I understand it (please correct me if I am wrong): after I run pivpn -d, I then run the command you said, so it will automatically correct itself up to my next reboot? Did I get it right?
When you run pivpn -d, just confirm adding the missing rules that pivpn finds. So, do this first, then run sudo /sbin/iptables-save > /etc/iptables/rules.v4. This should save the missing rules permanently for you. Do a reboot just to check that it has saved, then run pivpn -d again to see if it still asks you to add the missing rules. If it does not, then it should be working as normal. Makes sense?
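The two places discussed in this thread, the saved rules file (/etc/ufw/before.rules or /etc/iptables/rules.v4, both in iptables-save syntax) and the live nat table, can be checked independently, which separates "the rule was never saved" from "the file was saved but not applied at boot". The script below is an added example and is not PiVPN's own code. The subnet 10.6.0.0/24 and interface eth0 come from the thread; the comment text example-nat-rule, the function names and the constructed sample file are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not PiVPN's own code: check whether the WireGuard MASQUERADE
# rule is (a) present and well-formed in a saved rules file and (b) present in
# the live nat table. Both /etc/ufw/before.rules and /etc/iptables/rules.v4 use
# iptables-save syntax, so the file checks apply to either. The subnet
# 10.6.0.0/24 and interface eth0 are taken from the thread; the comment text
# "example-nat-rule" and the function names are assumptions for illustration.

# Succeed (exit 0) if FILE has, inside a "*nat" block, a POSTROUTING rule
# (-A or -I) that masquerades SUBNET leaving via IFACE.
rules_file_has_masq() {
    file=$1; subnet=$2; iface=$3
    awk -v s="$subnet" -v i="$iface" '
        /^\*/     { in_nat = ($0 == "*nat") }
        /^COMMIT/ { in_nat = 0 }
        in_nat && /^-[AI] POSTROUTING / && /-j MASQUERADE/ {
            line = " " $0 " "          # pad so " -s X " matches whole tokens only
            if (index(line, " -s " s " ") && index(line, " -o " i " ")) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$file"
}

# Succeed if every "*table" header in FILE is closed by a COMMIT before the
# next header or end of file. Rules in an unclosed block are never committed
# to the kernel when the file is restored, so they look "missing" after boot.
rules_file_blocks_committed() {
    awk '
        /^\*/     { if (open) bad = 1; open = 1 }
        /^COMMIT/ { open = 0 }
        END { if (open) bad = 1; if (bad) exit 1; exit 0 }
    ' "$1"
}

# Idempotently ensure the live nat table has the rule. "iptables -C" only
# matches a rule whose match list is identical, so the comment must be given
# exactly as it appears in the rule being looked for. Appending only when -C
# fails means repeated runs cannot create the duplicate rules the reporter
# describes. Needs root and iptables; not exercised by the self-test below.
ensure_live_masq() {
    subnet=$1; iface=$2; comment=$3
    if iptables -t nat -C POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE \
            -m comment --comment "$comment" 2>/dev/null; then
        echo "live MASQUERADE rule already present"
    else
        iptables -t nat -A POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE \
            -m comment --comment "$comment"
        echo "live MASQUERADE rule added"
    fi
}

# Self-test on a constructed file in the shape of /etc/ufw/before.rules.
main() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment example-nat-rule
COMMIT
*filter
:ufw-before-input - [0:0]
COMMIT
EOF
    if rules_file_blocks_committed "$f" && rules_file_has_masq "$f" 10.6.0.0/24 eth0; then
        echo "saved rule present and well-formed in $f"
    else
        echo "saved rule missing or malformed in $f"
    fi
    rm -f "$f"
}

main
```

One caveat when following the iptables-save advice: /etc/iptables/rules.v4 is restored at boot by the iptables-persistent (netfilter-persistent) package, while ufw restores its own /etc/ufw/*.rules files. With both enabled there are two sources of truth for the same nat rule, which is exactly how the duplicate MASQUERADE entries the reporter mentions can accumulate; keep the rule in one of them, and use the live -C check above rather than assuming either file won.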
Yes, I already did, but the problem persists. As soon as I run pivpn -d again everything is fixed... but even so, I did what you said and got the same behaviour again.
Reopening as @Grandclaw is still having issues.
@OfficialMuffin says it's solved at #1752
Ah, thanks. I'll close then 😄