ugurrdemirel/wireguard-oracle-cloud-install

Doesn't work with default Oracle iptables rules

Closed this issue · 8 comments

As of May 2022 the default iptables ruleset shipped with the Ubuntu image doesn't work with this fix. I'm not getting DNS resolution. It works only if iptables has been cleared, which Oracle states is a security risk. Any fixes? This is my iptables-save output with WireGuard active:

# Generated by iptables-save v1.8.4 on Wed May 25 07:23:01 2022
*nat
:PREROUTING ACCEPT [511:38737]
:INPUT ACCEPT [8:4302]
:OUTPUT ACCEPT [35:2776]
:POSTROUTING ACCEPT [35:2776]
-A POSTROUTING -s 172.16.16.0/24 -o ens3 -j MASQUERADE
COMMIT
# Completed on Wed May 25 07:23:01 2022
# Generated by iptables-save v1.8.4 on Wed May 25 07:23:01 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [570:431651]
:InstanceServices - [0:0]
-A INPUT -i ens3 -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i wg0 -o ens3 -j ACCEPT
-A FORWARD -i ens3 -o wg0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle CloudInfrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle CloudInfrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle CloudInfrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle CloudInfrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed May 25 07:23:01 2022

Hello,
When I checked your iptables rules, I saw you use the ens3 network interface.

-A INPUT -i ens3 -p udp -m udp --dport 51820 -j ACCEPT

I think you are making a mistake at this part. Can you check your network interfaces with the ifconfig command? For example, this is my ifconfig output:

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether xxx  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet xxx  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 xxx  prefixlen 64  scopeid 0x20<link>
        ether xxx  txqueuelen 1000  (Ethernet)
        RX packets 61840520  bytes 13765089276 (13.7 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 59555628  bytes 22681218352 (22.6 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 10174250  bytes 17292759576 (17.2 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10174250  bytes 17292759576 (17.2 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8920
        inet 10.66.66.1  netmask 255.255.255.0  destination 10.66.66.1
        inet6 xxx  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 1049636  bytes 108818936 (108.8 MB)
        RX errors 360  dropped 0  overruns 0  frame 360
        TX packets 1836361  bytes 2353659540 (2.3 GB)
        TX errors 0  dropped 486 overruns 0  carrier 0  collisions 0

Based on this log, I should use the enp0s3 network interface. I think you need to double-check your network interface and compare it with the iptables rules. If it's correct, let's discuss how we can fix it.

It is correct. I think Oracle has updated the Ubuntu base image. Here is my ip a output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP group default qlen 1000
    link/ether 02:00:17:00:5a:97 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.0.111/24 brd 10.0.0.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::17ff:fe00:5a97/64 scope link
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8920 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.16.1/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fda4:5b7a:7b3b::1/64 scope global
       valid_lft forever preferred_lft forever
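The interface-name comparison the two comments above are doing by hand can be automated. This is an added example, not code from this repository: it parses iptables-save and ip a output, reports rules that reference an interface the host does not have (or an altname instead of the primary name, which is what iptables -i/-o match on), and lists which of the WireGuard INPUT/FORWARD/MASQUERADE rules are absent. The sample outputs are constructed from the ones posted in this thread, using the reporter's ens3/wg0, 172.16.16.0/24 and port 51820.

```python
import re

# Constructed samples modelled on the outputs posted in this thread, not a live machine.
IPTABLES_SAVE = """\
*nat
-A POSTROUTING -s 172.16.16.0/24 -o ens3 -j MASQUERADE
*filter
-A INPUT -i ens3 -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A FORWARD -i wg0 -o ens3 -j ACCEPT
-A FORWARD -i ens3 -o wg0 -j ACCEPT
"""
IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
    altname enp0s3
    inet 10.0.0.111/24 brd 10.0.0.255 scope global ens3
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8920 qdisc noqueue state UNKNOWN
    inet 172.16.16.1/24 scope global wg0
"""

def interfaces(ip_a):
    """Map each interface name and altname in `ip a` output to its primary name."""
    names, current = {}, None
    for line in ip_a.splitlines():
        m = re.match(r"\d+: ([^:@]+)[:@]", line)
        if m:
            current = m.group(1)
            names[current] = current
        elif current and line.strip().startswith("altname "):
            names[line.split()[1]] = current
    return names

def rule_interfaces(iptables_save):
    """Interface names referenced by -i/-o in an iptables-save dump."""
    return {n for l in iptables_save.splitlines() if l.startswith("-A")
            for n in re.findall(r"\s-[io]\s+(\S+)", l)}

def check_wireguard_rules(iptables_save, ip_a, wan, wg, subnet, port):
    """Return a list of problems; an empty list means the rules match the host."""
    known, problems = interfaces(ip_a), []
    for n in sorted(rule_interfaces(iptables_save)):
        if n not in known:
            problems.append(f"rule references unknown interface {n}")
        elif known[n] != n:  # iptables matches the primary name, not an altname
            problems.append(f"rule uses altname {n}; primary name is {known[n]}")
    canon = known.get(wan, wan)  # accept an altname for the WAN interface too
    wanted = [f"-A INPUT -i {canon} -p udp -m udp --dport {port} -j ACCEPT",
              f"-A FORWARD -i {wg} -o {canon} -j ACCEPT", f"-A FORWARD -i {canon} -o {wg} -j ACCEPT",
              f"-A POSTROUTING -s {subnet} -o {canon} -j MASQUERADE"]
    present = set(iptables_save.splitlines())
    problems += [f"missing rule: {r}" for r in wanted if r not in present]
    return problems
```

On a real host, feed it the output of `iptables-save` and `ip a` instead of the embedded samples.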

Okay then, I have one more question. Did you add an ingress rule which contains your WireGuard rule (port) under Networking -> Virtual Cloud Networks -> [vcn-name] -> [subnet] -> Default Security List for [vcn-id] on Oracle Cloud?

If the answer is yes, I need to check the server. I don't have an empty server to test the wg setup wizard with the new Ubuntu image. If it's okay to share your server login info by email, I can test it and try to find out what's causing the issue so I can update the setup steps.

Yes, WireGuard completes the handshake successfully and transfers data both ways. I just can't resolve DNS. Unfortunately I'm using my only instance at the moment. I'll see what I can do and get back to you. Where can I PM you an SSH key? Or you could PM me a public key at the email in my profile and I'll get back to you when it's authorized.

@ugurrdemirel The email address in your profile rejected my mail as spam from a protonmail.ch address.

@vaughngx4 can you check your e-mail?

@ugurrdemirel I cannot reply to the email for the same reason I stated above; please contact me on Discord at: https://discord.gg/KHFKkDHh

Fixed, waiting to merge.