# TCP packets aren't forwarding with iptables [SOLVED]

## rjolley

I've run into an odd situation and I can't figure out the cause of it. On my Linux server, I have OpenVPN and iptables installed. They were configured and working fine, but about a week ago, they stopped working. There were no changes to those files that I remember, but we did have some power outages due to storms in the area. I redid the iptables rules to see if that was the issue, but nothing has worked so far.

When I connect to my VPN, I can ping a windows server on the backend with no problem, but I can't RDP to the server anymore. Looking at the logs from iptables, it appears that the TCP packets are not forwarding, but the UDP and ICMP packets are.

When I run ping 192.168.1.6 from my VPN'd machine, I get the following:

```
Oct 11 19:04:08 [kernel] [15542.537009] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1607 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=134
Oct 11 19:04:08 [kernel] [15542.537025] POSTROUTING (eth0): IN= OUT=eth0 SRC=10.42.42.2 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1607 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=134
Oct 11 19:04:09 [kernel] [15543.537585] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1608 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=135
Oct 11 19:04:10 [kernel] [15544.538232] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1609 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=136
Oct 11 19:04:11 [kernel] [15545.537921] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1610 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=137
```

When I run nmap -sU 192.168.1.6, I get this (this is the last few lines):

```
Oct 11 19:05:53 [kernel] [15647.187778] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=5435 PROTO=UDP SPT=34930 DPT=61142 LEN=8
Oct 11 19:05:53 [kernel] [15647.187781] POSTROUTING (eth0): IN= OUT=eth0 SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=5435 PROTO=UDP SPT=34930 DPT=61142 LEN=8
Oct 11 19:05:53 [kernel] [15647.187793] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=19617 PROTO=UDP SPT=34930 DPT=43370 LEN=8
Oct 11 19:05:53 [kernel] [15647.187795] POSTROUTING (eth0): IN= OUT=eth0 SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=19617 PROTO=UDP SPT=34930 DPT=43370 LEN=8
Oct 11 19:05:53 [kernel] [15647.392480] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=4025 PROTO=UDP SPT=34931 DPT=43370 LEN=8
Oct 11 19:05:53 [kernel] [15647.392487] POSTROUTING (eth0): IN= OUT=eth0 SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=4025 PROTO=UDP SPT=34931 DPT=43370 LEN=8
Oct 11 19:05:53 [kernel] [15647.393178] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=31371 PROTO=UDP SPT=34931 DPT=61142 LEN=8
Oct 11 19:05:53 [kernel] [15647.393186] POSTROUTING (eth0): IN= OUT=eth0 SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=31371 PROTO=UDP SPT=34931 DPT=61142 LEN=8
Oct 11 19:05:54 [kernel] [15647.605352] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=56 ID=47567 PROTO=UDP SPT=34932 DPT=61142 LEN=8
Oct 11 19:05:54 [kernel] [15647.605360] POSTROUTING (eth0): IN= OUT=eth0 SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=56 ID=47567 PROTO=UDP SPT=34932 DPT=61142 LEN=8
Oct 11 19:05:54 [kernel] [15647.605692] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=6687 PROTO=UDP SPT=34932 DPT=43370 LEN=8
Oct 11 19:05:54 [kernel] [15647.605700] POSTROUTING (eth0): IN= OUT=eth0 SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=6687 PROTO=UDP SPT=34932 DPT=43370 LEN=8
Oct 11 19:05:57 [kernel] [15650.488625] POSTROUTING (eth0): IN= OUT=eth0 SRC=192.168.1.42 DST=192.168.1.0 LEN=256 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=236
Oct 11 19:05:57 [kernel] [15650.488663] POSTROUTING (tun0): IN= OUT=tun0 SRC=192.168.1.42 DST=10.42.42.0 LEN=256 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=236
```

However, when I try to connect with RDP, I get this:

```
Oct 11 19:06:55 [kernel] [15708.646789] INPUT (tun0): IN=tun0 OUT= MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1612 DF PROTO=TCP SPT=36494 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 11 19:06:58 [kernel] [15711.640577] INPUT (tun0): IN=tun0 OUT= MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1613 DF PROTO=TCP SPT=36494 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 11 19:07:04 [kernel] [15717.634299] INPUT (tun0): IN=tun0 OUT= MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1614 DF PROTO=TCP SPT=36494 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
```

The TCP packets are handled as if the VPN server should handle them, but they are clearly marked as for 192.168.1.6.

Here are my iptables rules:

```
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -d 10.42.42.0/24 -i eth0 -j LOG --log-prefix "INPUT (tun0): "
-A INPUT -i tun0 -j LOG --log-prefix "INPUT (tun0): "
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j LOG --log-prefix "FORWARD (tun0): "
-A FORWARD -i tun0 -o tun0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.42.42.0/24 -o eth0 -j LOG --log-prefix "OUTPUT (tun0): "
-A OUTPUT -o tun0 -p tcp -j LOG --log-prefix "OUTPUT (tun0): "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

# iptables -S -tnat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j LOG --log-prefix "POSTROUTING (eth0): "
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j LOG --log-prefix "POSTROUTING (tun0): "

# iptables -S -tmangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

# iptables -S -traw
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
```

Any help would be appreciated.

*Last edited by rjolley on Mon Oct 15, 2012 9:35 pm; edited 1 time in total*
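A small triage script, added here and not part of the thread, that parses netfilter LOG lines in the format the post shows and flags packets delivered to INPUT whose DST is not one of the host's own addresses, which is exactly the TCP-to-192.168.1.6 anomaly above. Three sample lines are taken from the post and one is constructed; the local-address set is an assumption (only the eth0 address 192.168.1.42 is visible in the post's POSTROUTING log).

```python
import re
from collections import Counter

# Netfilter LOG format as it appears in the post: "... CHAIN (iface): KEY=VAL KEY=VAL ..."
LINE_RE = re.compile(r"\]\s+(?P<chain>[A-Z]+) \((?P<tag>\w+)\):\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Three lines taken from the post plus one constructed line (SSH to the server's own
# eth0 address, 192.168.1.42, which the post's POSTROUTING log shows as SRC).
SAMPLE_LOG = """\
Oct 11 19:04:08 [kernel] [15542.537009] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1607 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=134
Oct 11 19:05:53 [kernel] [15647.187778] FORWARD (tun0): IN=tun0 OUT=eth0 MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=5435 PROTO=UDP SPT=34930 DPT=61142 LEN=8
Oct 11 19:06:55 [kernel] [15708.646789] INPUT (tun0): IN=tun0 OUT= MAC= SRC=10.42.42.2 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1612 DF PROTO=TCP SPT=36494 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 11 19:06:58 [kernel] [15711.640577] INPUT (tun0): IN=tun0 OUT= MAC= SRC=10.42.42.2 DST=192.168.1.42 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1613 DF PROTO=TCP SPT=36494 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Assumption: the host's own addresses. Only the eth0 address is known from the post;
# on a real host add the tun0 address as well.
LOCAL_ADDRS = {"192.168.1.42"}

def parse_log_line(line):
    """Return a dict with 'chain', 'tag' and the KEY=VAL fields, or None for non-LOG lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "tag": m.group("tag")}
    # ICMP lines carry ID twice (IP ID, then echo ID); the later one wins, which is harmless here.
    rec.update(KV_RE.findall(m.group("fields")))
    return rec

def find_misrouted(log_text, local_addrs=LOCAL_ADDRS):
    """Packets delivered to INPUT although DST is not one of this host's addresses.
    A healthy forwarder never logs such a line: transit traffic must show up in FORWARD."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["chain"] == "INPUT" and rec.get("DST") not in local_addrs:
            hits.append((rec.get("PROTO"), rec.get("DST"), rec.get("DPT")))
    return hits

def chain_by_proto(log_text):
    """Count (PROTO, chain) pairs: shows at a glance that ICMP/UDP reach FORWARD while TCP does not."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec:
            counts[(rec.get("PROTO"), rec["chain"])] += 1
    return counts
```

Running `find_misrouted` over a real log tail isolates the lines worth looking at, and an empty result after a kernel change is a quick regression check.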

----------

## Hu

What is the output of emerge --info?  I want to see your uname, but other information might help too.

----------

## Ant P.

What's /proc/sys/net/ipv4/conf/all/forwarding set to?

----------

## rjolley

*Hu wrote:*

> What is the output of emerge --info?  I want to see your uname, but other information might help too.

Sure thing:

```
sandbase etc # emerge --info
Portage 2.1.11.26 (default/linux/amd64/10.0, gcc-4.6.3, glibc-2.15-r3, 3.6.1-gentoo x86_64)
=================================================================
System uname: Linux-3.6.1-gentoo-x86_64-Intel-R-_Core-TM-_i5-2500K_CPU_@_3.30GHz-with-gentoo-2.2
Timestamp of tree: Thu, 11 Oct 2012 21:15:01 +0000
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.12
dev-lang/python:          2.6.8, 2.7.3-r2, 3.1.5, 3.2.3-r1
dev-util/cmake:           2.8.9-r1
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.10.5
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.6, 1.12.4
sys-devel/binutils:       2.22.90
sys-devel/gcc:            4.5.4, 4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA dlj-1.1 Oracle-BCLA-JavaSE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=generic -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/games/angband/edit/ /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -mtune=generic -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://www.cyberuse.com/gentoo/ http://mirror.datapipe.net/gentoo http://gentoo.mirrors.easynews.com/linux/gentoo/ http://chi-10g-1-mirror.fastsoft.net/pub/linux/gentoo/gentoo-distfiles/ http://www.gtlib.gatech.edu/pub/gentoo http://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://gentoo.netnitco.net http://gentoo.osuosl.org/ http://gentoo.mirrors.pair.com/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="X Xaw3d a52 aac aalib acl aio alsa amd64 apache2 apng audacious authdaemond avahi avx bash-completion berkdb bindist bluetooth bzip2 cairo calendar caps cdda cddb clamav clamdtop cli compat consolekit cracklib cron crypt cue cups curl curlwrappers cxx dbus declarative device-mapper dga directfb diskio dovecot-sasl dri dvd exif expat extensible extras faac fbcon fbdev ffmpeg flac fontconfig fortran gcrypt gd gdbm geoip ggi gif gles gles1 gles2 gnutls gpg gpm graphviz gstreamer gudev howl-compat httpd iconv icu id3tag ident imagemagick imap imlib intl iodbc iostats ipv6 ithreads java jce jpeg jpeg2k kde lame lcms libcaca libedit libkms libnl libnotify libssh2 lm_sensors logrotate lua mad maildir mdnsresponder-compat midi mikmod milter mms mmx mng mod modules mono motif mp3 mp4 mpeg mudflap multilib musicbrainz nas ncurses nettle network networkmanager nls nptl nsplugin nss odbc ogg opengl openmp openssl openvg oracle oss pam pango passwordsave pcre pdf pdo perl phonon php pic pkcs11 plasma plugins png policykit pop postgres pppd profile pulseaudio python qt3support qt4 rar raw rdesktop readline ruby samba sasl schroedinger sdl sdl-image server session sftp sidebar slang smime smp smtp sna snmp soap soup spamassassin speex spell sql sse sse2 sse3 ssl ssse3 svg swat tcl tcpd threads tiff timidity tk truetype udev unicode upnp usb utils v4l v4l2 vaapi vhosts vim-syntax vlc vnc vorbis vpx webkit winbind wmf x264 xattr xcb xcomposite xinerama xinetd xml xmlreader xmlrpc xmlwriter xorg xrandr xscreensaver xsl xv xvfb xvid zeroconf zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="imagemap auth_digest actions 
alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="evdev mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
```

*Ant P. wrote:*

> What's /proc/sys/net/ipv4/conf/all/forwarding set to?

It's set to 1.

```
sandbase ~ # cat /proc/sys/net/ipv4/conf/all/forwarding
1
```

----------

## b0nafide

Any other service on the backend using TCP? ie. samba/cifs?

----------

## rjolley

*b0nafide wrote:*

> Any other service on the backend using TCP? ie. samba/cifs?

Yes, those services run on the Linux server which is the middleman in this setup. I can connect to the server through ssh from either the box that's local or the box that's on vpn.

On the box that's local, I have vnc running as well. I am unable to connect to that port from the vpn box, but I can from the Linux server:

```
sandbase ~ # telnet 192.168.1.6 5900
Trying 192.168.1.6...
Connected to 192.168.1.6.
Escape character is '^]'.
RFB 003.008
^]
telnet> quit
Connection closed.

VPN ~
$ telnet 192.168.1.6 5900
Trying 192.168.1.6...
telnet: Unable to connect to remote host: Connection timed out
```

----------

## Hu

There are some routing fixes related to NAT in 3.6.2, which seem to be for a regression introduced somewhere in the 3.6 series.  Please upgrade and try again.

----------

## rjolley

Ok, I'll give it a try.

----------

## rjolley

Not sure why it won't let me update my previous post.

Anyway, that was it. Thought it could be a kernel issue, but since I hadn't seen any info about a kernel bug while searching, I thought it was something else. Maybe I'll slow down on the kernel updates. :)

Thanks for your help Hu, Ant, and b0nafide.

----------

