iptables routing by owner, the first connection always fails

1

I am trying to redirect all connections of one user so that they go only via the openvpn tunnel. The tunnel uses net30.

This is my up script (after many battles):

#!/bin/bash
# OpenVPN up script. OpenVPN passes: $1 = tun device, $2 = tun MTU,
# $3 = link MTU, $4 = local tunnel IP, $5 = remote tunnel IP (net30 peer)
rt_table="mtunnel"

# make sure that the rt table exists, e.g.
# echo 200 mtunnel >> /etc/iproute2/rt_tables

# stop blocking vpnuser, start marking its packets as 3
ip rule add fwmark 3 lookup "$rt_table"
iptables -t mangle -A OUTPUT -m owner --uid-owner vpnuser -j MARK --set-mark 3
iptables -D OUTPUT -m owner --uid-owner vpnuser -j REJECT

# not sure about these ones.. should this be in nat? or is it useless
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

# fix outgoing packets
#iptables -t nat -A POSTROUTING -o $1 -j SNAT --to-source $4
iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE

# route the outgoing table through the vpn
ip route add default via "$5" dev "$1" table "$rt_table"

If I host a netcat server as a normal user and then netcat to it from the remote server (via VPN), everything works as expected.

However, when I host it as vpnuser, the first time I netcat nothing happens (it eventually times out), and then the second one works normally. Every time.

Here is a tcpdump (on the host machine)

1st netcat (the server's ACKs don't reach the remote host)

13:07:58.250372 IP [remote machine].40090 > [host machine].11234: Flags [S], seq 3704021254, win 65535, options [mss 1357,nop,nop,sackOK,nop,wscale 11], length 0
13:07:58.250404 IP [host machine].11234 > [remote machine].40090: Flags [S.], seq 2290570915, ack 3704021255, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:07:59.263714 IP [host machine].11234 > [remote machine].40090: Flags [S.], seq 2290570915, ack 3704021255, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:07:59.281659 IP [remote machine].40090 > [host machine].11234: Flags [S], seq 3704021254, win 65535, options [mss 1357,nop,nop,sackOK,nop,wscale 11], length 0
13:07:59.281680 IP [host machine].11234 > [remote machine].40090: Flags [S.], seq 2290570915, ack 3704021255, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:08:01.311713 IP [host machine].11234 > [remote machine].40090: Flags [S.], seq 2290570915, ack 3704021255, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

2nd netcat - normal

13:08:15.020556 IP [remote machine].42796 > [host machine].11234: Flags [S], seq 1509258173, win 65535, options [mss 1357,nop,nop,sackOK,nop,wscale 11], length 0
13:08:15.020584 IP [host machine].11234 > [remote machine].42796: Flags [S.], seq 252963595, ack 1509258174, win 29200, options [mss 1460], length 0
13:08:15.021730 IP [remote machine].42796 > [host machine].11234: Flags [.], ack 1, win 65535, length 0
13:08:16.283094 IP [remote machine].42796 > [host machine].11234: Flags [P.], seq 1:5, ack 1, win 65535, length 4
13:08:16.283117 IP [host machine].11234 > [remote machine].42796: Flags [.], ack 5, win 26000, length 0
13:08:16.501676 IP [remote machine].42796 > [host machine].11234: Flags [P.], seq 1:5, ack 1, win 65535, length 4
13:08:16.501696 IP [host machine].11234 > [remote machine].42796: Flags [.], ack 5, win 26000, length 0
13:08:16.941699 IP [remote machine].42796 > [host machine].11234: Flags [P.], seq 1:5, ack 1, win 65535, length 4
13:08:16.941728 IP [host machine].11234 > [remote machine].42796: Flags [.], ack 5, win 26000, length 0
13:08:17.562913 IP [remote machine].42796 > [host machine].11234: Flags [F.], seq 5, ack 1, win 65535, length 0
13:08:17.562948 IP [host machine].11234 > [remote machine].42796: Flags [F.], seq 1, ack 6, win 26000, length 0
13:08:17.841665 IP [remote machine].42796 > [host machine].11234: Flags [FP.], seq 1:5, ack 1, win 65535, length 4
13:08:17.841684 IP [host machine].11234 > [remote machine].42796: Flags [.], ack 6, win 26000, length 0
13:08:20.799730 IP [host machine].11234 > [remote machine].42796: Flags [F.], seq 1, ack 6, win 26000, length 0
13:08:20.800797 IP [remote machine].42796 > [host machine].11234: Flags [.], ack 2, win 64732, length 0

As you can see, for some reason in the first example the options from the first packet (connection to the server) are copied into the ACK, options [mss 1460,nop,nop,sackOK,nop,wscale 7], and somehow it doesn't reach the remote host (maybe it gets detected as spoofed?)

In the second example those options are not present - and it works.

Is there something I'm missing / misunderstanding here?

I'd like to add that for outgoing connections by vpnuser, such as curling something, it is routed correctly via the VPN every time.

Some additional things:

root@localhost:~# sysctl -a | grep tun0
net.ipv4.conf.tun0.accept_local = 0     <<<<<<<<<< ?
net.ipv4.conf.tun0.accept_redirects = 1
net.ipv4.conf.tun0.accept_source_route = 1
net.ipv4.conf.tun0.arp_accept = 0
net.ipv4.conf.tun0.arp_announce = 0
net.ipv4.conf.tun0.arp_filter = 0
net.ipv4.conf.tun0.arp_ignore = 0
net.ipv4.conf.tun0.arp_notify = 0
net.ipv4.conf.tun0.bootp_relay = 0
net.ipv4.conf.tun0.disable_policy = 0
net.ipv4.conf.tun0.disable_xfrm = 0
net.ipv4.conf.tun0.drop_gratuitous_arp = 0
net.ipv4.conf.tun0.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.tun0.force_igmp_version = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.tun0.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.tun0.ignore_routes_with_linkdown = 0
net.ipv4.conf.tun0.log_martians = 0
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.medium_id = 0
net.ipv4.conf.tun0.promote_secondaries = 0
net.ipv4.conf.tun0.proxy_arp = 0
net.ipv4.conf.tun0.proxy_arp_pvlan = 0
net.ipv4.conf.tun0.route_localnet = 0
net.ipv4.conf.tun0.rp_filter = 0    <<<<
net.ipv4.conf.tun0.secure_redirects = 1
net.ipv4.conf.tun0.send_redirects = 1
net.ipv4.conf.tun0.shared_media = 1
net.ipv4.conf.tun0.src_valid_mark = 0
net.ipv4.conf.tun0.tag = 0
net.ipv4.neigh.tun0.anycast_delay = 100
net.ipv4.neigh.tun0.app_solicit = 0
net.ipv4.neigh.tun0.base_reachable_time_ms = 30000
net.ipv4.neigh.tun0.delay_first_probe_time = 5
net.ipv4.neigh.tun0.gc_stale_time = 60
net.ipv4.neigh.tun0.locktime = 100
net.ipv4.neigh.tun0.mcast_resolicit = 0
net.ipv4.neigh.tun0.mcast_solicit = 3
net.ipv4.neigh.tun0.proxy_delay = 80
net.ipv4.neigh.tun0.proxy_qlen = 64
net.ipv4.neigh.tun0.retrans_time_ms = 1000
net.ipv4.neigh.tun0.ucast_solicit = 3
net.ipv4.neigh.tun0.unres_qlen = 31
net.ipv4.neigh.tun0.unres_qlen_bytes = 65536

This shows up in the messages after the second connection

Sep 25 01:44:18 localhost kernel: [ 3847.337166] TCP: request_sock_TCP: Possible SYN flooding on port 11234. Sending cookies.  Check SNMP counters.
Sep 25 13:08:15 localhost kernel: [44884.232925] TCP: request_sock_TCP: Possible SYN flooding on port 11234. Sending cookies.  Check SNMP counters.
Sep 25 13:49:36 localhost kernel: [47365.429055] nr_pdflush_threads exported in /proc is scheduled for removal
Sep 25 14:33:09 localhost kernel: [49979.194689] TCP: request_sock_TCP: Possible SYN flooding on port 11234. Sending cookies.  Check SNMP counters.

EDIT: I found out that the replies are somehow going out via eth0, which is bad...

[Interface:tun0:]    14:48:10.224760 IP [remote].41098 > [host].11234: Flags [S], seq 2900018492, win 65535, options [mss 1357,nop,nop,sackOK,nop,wscale 11], length 0
[Interface:eth0:]    14:48:10.224778 IP [host].11234 > [remote].41098: Flags [S.], seq 767657810, ack 2900018493, win 29200, options [mss 1460], length 0
[Interface:tun0:]    14:48:10.225865 IP [remote].41098 > [host].11234: Flags [.], ack 767657811, win 65535, length 0
[Interface:tun0:]    14:48:11.794831 IP [remote].41098 > [host].11234: Flags [P.], seq 0:6, ack 1, win 65535, length 6
[Interface:tun0:]    14:48:11.794845 IP [host].11234 > [remote].41098: Flags [.], ack 6, win 26000, length 0
[Interface:tun0:]    14:48:12.021239 IP [remote].41098 > [host].11234: Flags [P.], seq 0:6, ack 1, win 65535, length 6
[Interface:tun0:]    14:48:12.021249 IP [host].11234 > [remote].41098: Flags [.], ack 6, win 26000, length 0
[Interface:tun0:]    14:48:12.451336 IP [remote].41098 > [host].11234: Flags [P.], seq 0:6, ack 1, win 65535, length 6
[Interface:tun0:]    14:48:12.451347 IP [host].11234 > [remote].41098: Flags [.], ack 6, win 26000, length 0
[Interface:tun0:]    14:48:12.605771 IP [remote].41098 > [host].11234: Flags [F.], seq 6, ack 1, win 65535, length 0
[Interface:tun0:]    14:48:12.605807 IP [host].11234 > [remote].41098: Flags [F.], seq 1, ack 7, win 26000, length 0
[Interface:eth0:]    14:48:13.361272 IP [host].11234 > [remote].41098: Flags [.], ack 8, win 26000, length 0
[Interface:tun0:]    14:48:13.361263 IP [remote].41098 > [host].11234: Flags [FP.], seq 0:6, ack 1, win 65535, length 6
[Interface:eth0:]    14:48:15.807721 IP [host].11234 > [remote].41098: Flags [F.], seq 1, ack 8, win 26000, length 0
[Interface:tun0:]    14:48:15.809015 IP [remote].41098 > [host].11234: Flags [.], ack 2, win 64732, length 0

by n00b32 on 25.09.2018 / 13:36

0 answers
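An added example, not from the post above and not OpenVPN or iptables code: a small Python checker that parses per-interface tcpdump lines in the shape shown in the EDIT and reports flows whose replies leave on an interface the request never arrived on, i.e. the tun0-in / eth0-out pattern in the trace. The addresses and the capture in SAMPLE are constructed to mirror the question's flows.

```python
"""Added example (not from the post above): flag replies that leave on a
different interface than the request arrived on, from tcpdump lines in the
'[Interface:xxx:] <time> IP src.port > dst.port: Flags [..] ...' shape.
Addresses in SAMPLE are constructed; the flows mirror the question's trace."""
import re

LINE_RE = re.compile(
    r"\[Interface:(?P<iface>[^:]+):\]\s+\S+\s+IP\s+"
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: flow A's SYN-ACK and FIN leak out eth0, flow B is clean.
SAMPLE = """\
[Interface:tun0:]    14:48:10.224760 IP 10.8.0.6.41098 > 10.8.0.5.11234: Flags [S], seq 1, win 65535, length 0
[Interface:eth0:]    14:48:10.224778 IP 10.8.0.5.11234 > 10.8.0.6.41098: Flags [S.], seq 1, ack 2, win 29200, length 0
[Interface:tun0:]    14:48:10.225865 IP 10.8.0.6.41098 > 10.8.0.5.11234: Flags [.], ack 1, win 65535, length 0
[Interface:tun0:]    14:48:11.794845 IP 10.8.0.5.11234 > 10.8.0.6.41098: Flags [.], ack 6, win 26000, length 0
[Interface:eth0:]    14:48:15.807721 IP 10.8.0.5.11234 > 10.8.0.6.41098: Flags [F.], seq 1, ack 8, win 26000, length 0
[Interface:tun0:]    14:48:20.000000 IP 10.8.0.6.50000 > 10.8.0.5.11234: Flags [S], seq 9, win 65535, length 0
[Interface:tun0:]    14:48:20.000100 IP 10.8.0.5.11234 > 10.8.0.6.50000: Flags [S.], seq 3, ack 10, win 29200, length 0
"""

def parse(line):
    """Return (iface, src, dst, flags) or None for lines that do not match."""
    m = LINE_RE.search(line)
    return m.group("iface", "src", "dst", "flags") if m else None

def find_asymmetric_flows(capture):
    """Map (client, server) -> {"in": ifaces, "out": ifaces} for every flow
    whose server-side replies used an interface the client side never did."""
    flows = {}
    for line in capture.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        iface, src, dst, flags = pkt
        if flags == "S":  # a bare SYN opens a new flow; src is the client
            flows[(src, dst)] = {"in": set(), "out": set()}
        if (src, dst) in flows:
            flows[(src, dst)]["in"].add(iface)
        elif (dst, src) in flows:
            flows[(dst, src)]["out"].add(iface)
    return {k: v for k, v in flows.items() if v["out"] - v["in"]}

if __name__ == "__main__":
    for (client, server), ifaces in find_asymmetric_flows(SAMPLE).items():
        print(f"{client} -> {server}: in via {sorted(ifaces['in'])}, "
              f"replies via {sorted(ifaces['out'])}  <-- leaves the tunnel")
```

Feeding it a real capture (one tcpdump per interface, lines prefixed with the interface tag as in the EDIT) turns the "replies go out eth0" observation into a per-flow check you can rerun after every change to the mark/CONNMARK rules.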