I have an OpenVPN connection between my home and work machines. On my home machine, I have iptables and iproute2 configured so that all outgoing connections to the network at work are routed through my VPN. This setup has been working fine for many years, but it recently broke, and I can't figure out why. (I've recently updated a large slew of packages. I've tried as best I could to revert the kernel, openvpn, iptables, and iproute2 packages to a previous known-good state (it looked like the last three packages were unchanged, so I only reverted the kernel), but no luck getting things to work again.)
Running tshark at home while trying to ssh into a work machine, I see the client's SYNs going out. The server's SYN-ACK responses are coming in on the wire, but don't seem to be making it to the client.
To dig deeper, I added an iptables rule to trace the SYN-ACK packets as they traverse the iptables rules:
# iptables -t raw -A PREROUTING -s 128.X.Y.Z -j TRACE
# modprobe ipt_LOG
# sysctl net.netfilter.nf_log.2=ipt_LOG
Here is the output in journalctl for a single SYN-ACK packet (work machine's IP is the only thing redacted):
Apr 12 04:01:54 skaro kernel: TRACE: raw:PREROUTING:policy:2 IN=tun1 OUT= MAC= SRC=128.X.Y.Z DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=46304 SEQ=2315529159 ACK=869928878 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020405580402080A03AF3B69000D6F3601030307)
Apr 12 04:01:54 skaro kernel: TRACE: mangle:PREROUTING:rule:1 IN=tun1 OUT= MAC= SRC=128.X.Y.Z DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=46304 SEQ=2315529159 ACK=869928878 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020405580402080A03AF3B69000D6F3601030307)
Rule 1 for mangle:PREROUTING is the last rule traversed. Here it is (I think this is the right command for seeing this):
# iptables -t mangle -S PREROUTING 1
-A PREROUTING -s 128.X.Y.Z/32 -j ACCEPT
According to this handy image, nat:PREROUTING is the next table the packet should have traversed, but it seems to mysteriously evaporate after mangle:PREROUTING. Anyone have any ideas?
Last edited by tazmanian (2013-04-12 08:55:02)
Nevermind. Figured it out. Reverse-path filtering was the culprit. Apparently, "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter" doesn't really work anymore. I now need to disable reverse-path filtering on a per-interface basis:
echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter
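A small check script added here (not from the thread above) that shows why the per-interface setting matters: it assumes the kernel rule that the rp_filter value actually applied to an interface is the larger of conf/all/rp_filter and conf/<iface>/rp_filter, and that /proc/net/netstat exposes the TcpExt IPReversePathFilter counter of packets dropped by reverse-path filtering. The sample netstat text is constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the original poster.
# Assumption: effective rp_filter for an interface = max(conf/all, conf/<iface>).

# effective_rp_filter ALL IFACE_VALUE -> prints the value the kernel applies
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Read the live values for one interface (Linux with /proc only).
live_rp_filter() {
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    dev=$(cat "/proc/sys/net/ipv4/conf/$1/rp_filter")
    effective_rp_filter "$all" "$dev"
}

# Extract the IPReversePathFilter drop counter from /proc/net/netstat-style
# text on stdin (TcpExt header line followed by a TcpExt value line).
rpf_drops() {
    awk '$1 == "TcpExt:" {
            if (!hdr) { for (i = 2; i <= NF; i++) idx[$i] = i; hdr = 1 }
            else { col = idx["IPReversePathFilter"]; print $col }
         }'
}

# Constructed sample of /proc/net/netstat; 17 packets dropped by rp_filter.
SAMPLE='TcpExt: SyncookiesSent IPReversePathFilter TCPTimeouts
TcpExt: 0 17 3
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

# all/rp_filter=0 with tun0/rp_filter=1 still yields strict mode (1),
# which is why echoing 0 into conf/all alone does not stop the drops.
effective_rp_filter 0 1
printf '%s\n' "$SAMPLE" | rpf_drops
```

On a live system, run `live_rp_filter tun0` before and after the per-interface echo, and watch the counter from `cat /proc/net/netstat | rpf_drops` while retrying the ssh connection.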