[GH-ISSUE #152] Enable logging iptables #138

Closed
opened 2026-03-02 07:28:01 +03:00 by kerem · 3 comments
Originally created by @kgathi2 on GitHub (Jul 16, 2019).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/152

I believe this may be related to #122

I need to view the packets that are being dropped, as it seems iptables has some default rules that I need to fix for my server. (related to this: http://www.linuxhowtos.org/Security/iptables.htm#newnotsyn)

However, I am not able to view the iptables logs in order to see the offending rule. I am trying to log everything with

```bash
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix iptables
iptables -A LOG_DROP -j DROP

iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j LOG --log-prefix iptables
iptables -A LOG_ACCEPT -j ACCEPT
......
```

Still nothing comes. How might I get to view the iptables logs?

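Added note and example for readers landing here with the same question (not part of the original thread, and not code from the hwdsl2 project). The LOG target does not write to the container's stdout or to a syslog running inside the container: it writes to the kernel ring buffer, so it is read on the host with `dmesg` or `journalctl -k`, and from a container's own network namespace the kernel suppresses LOG output altogether unless `net.netfilter.nf_log_all_netns=1` is set on the host (kernel 4.11 and later). NFLOG with ulogd2, as used later in this thread, is the other way around that. Two details of the rules above also make the output hard to use once it does appear: both chains use the same prefix, so a line cannot be tied to LOG_DROP or LOG_ACCEPT, and `--log-prefix iptables` has no trailing space, so the kernel prints `iptablesIN=eth0 ...`. The Python script below parses such lines as they appear in `dmesg` or journald output, counts them per prefix, protocol and destination port, and lists the TCP packets that carry no SYN (the kind a "NEW but not SYN" rule like the one in the linked howto would drop). The sample log lines, the MAC, the addresses and the `[LOG_DROP] ` / `[LOG_ACCEPT] ` prefixes are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of kernel LOG-target output, in both `dmesg` and journald
# "kernel:" framing. Prefixes "[LOG_DROP] " / "[LOG_ACCEPT] " are hypothetical
# replacements for the single "iptables" prefix used in the issue; the last
# LOG line shows what that no-trailing-space prefix actually looks like.
SAMPLE_KERNEL_LOG = """\
[ 1234.567890] [LOG_ACCEPT] IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:6b:39:ff:aa:08:00 SRC=203.0.113.10 DST=172.17.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17865 DF PROTO=TCP SPT=44512 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1234.580002] [LOG_DROP] IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:6b:39:ff:aa:08:00 SRC=198.51.100.7 DST=172.17.0.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=UDP SPT=4500 DPT=4500 LEN=1480
[ 1234.590003] [LOG_DROP] IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:6b:39:ff:aa:08:00 SRC=203.0.113.10 DST=172.17.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=17866 DF PROTO=TCP SPT=44512 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
[ 1234.600004] nf_conntrack: default automatic helper assignment has been turned off for security reasons
Jul 16 07:28:01 vpn kernel: iptablesIN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:6b:39:ff:aa:08:00 SRC=203.0.113.10 DST=172.17.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=17867 DF PROTO=TCP SPT=44512 DPT=22 WINDOW=229 RES=0x00 ACK FIN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Everything before the prefix: a dmesg "[ seconds] " stamp or a journald
# "... kernel: " header. Non-greedy so it stops at the first such boundary.
_FRAMING_RE = re.compile(r"^.*?(\] |kernel: )")


def parse_log_line(line):
    """Parse one LOG-target line into a dict; return None for other kernel messages.

    Keys are the nf_log field names (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...),
    bare tokens such as DF or the TCP flags land in the 'flags' set, and the
    second LEN= (the UDP/L4 length) is stored as L4_LEN so it does not clobber
    the IP length.
    """
    idx = line.find("IN=")
    if idx < 0:
        return None
    prefix = _FRAMING_RE.sub("", line[:idx], count=1).strip()
    fields = {}
    flags = set()
    for tok in line[idx:].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            if key == "LEN" and "LEN" in fields:
                fields["L4_LEN"] = value
            else:
                fields[key] = value
        else:
            flags.add(tok)
    return {"prefix": prefix, "flags": flags, **fields}


def summarize(text):
    """Count logged packets per (prefix, protocol, destination port) and list the
    TCP packets that carry no SYN: with a 'NEW but not SYN' drop rule in place,
    these are the packets that rule would be discarding."""
    counts = Counter()
    non_syn_tcp = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        counts[(rec["prefix"], rec.get("PROTO"), rec.get("DPT"))] += 1
        if rec.get("PROTO") == "TCP" and "SYN" not in rec["flags"]:
            non_syn_tcp.append(
                (rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"], sorted(rec["flags"] & TCP_FLAGS))
            )
    return counts, non_syn_tcp


if __name__ == "__main__":
    counts, non_syn_tcp = summarize(SAMPLE_KERNEL_LOG)
    for (prefix, proto, dport), n in sorted(counts.items()):
        print(f"{n:4d}  {prefix:<14} {proto:<4} dport={dport}")
    for src, spt, dst, dpt, flags in non_syn_tcp:
        print(f"non-SYN TCP: {src}:{spt} -> {dst}:{dpt} flags={','.join(flags)}")
```

On a real host, feed it the ring buffer instead of the constructed sample, e.g. `dmesg | python3 parse_nflog.py` with `summarize(sys.stdin.read())`; with distinct prefixes per chain the per-prefix counts show directly which chain is discarding traffic.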
kerem closed this issue 2026-03-02 07:28:02 +03:00

@kgathi2 commented on GitHub (Jul 18, 2019):

This was one deep rabbit hole!!
Symptoms were that a few packets were not reaching my clients. Immediate assumption was that `iptables` was somehow dropping them. So I tried messing around with iptables to no avail. But I could see from running

```bash
iptables -L -nv
```

that a few packets were being dropped. Since I was on Kubernetes, between the pod firewalls, node firewalls and load balancer firewalls, I was lost.

I needed to see them. Logging as prescribed all over the internet for `iptables` was not working. Deeper into the rabbit hole I went. Eventually I was able to log using NFLOG and ulogd2:
https://blog.sleeplessbeastie.eu/2018/08/01/how-to-log-dropped-connections-from-iptables-firewall-using-netfilter-userspace-logging-daemon/

It required kernel modules, so I had to mount `lib/modules` from the host and change my cluster to Ubuntu instead of COS (I am using GKE).

Using `tcpdump` I was able to discover that the packets I thought were being dropped were not even making it to the iptables firewall.

```bash
tcpdump -i eth0 -nn "src host x.x.x.x" or "dst host x.x.x.x"
```

So if they were not making it through to the firewall, then they must have been disappearing in the tunnel. Here I found the answer in a known IPsec configuration issue:
https://libreswan.org/wiki/FAQ#My_ssh_sessions_hang_or_connectivity_is_very_slow
https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/

So I added a forward rule

```bash
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

and bazinga!!! No packet loss. @hwdsl2 not sure if this requires any edit of your project, otherwise I'd have made a PR. Perhaps it's just due to my use case.


@hwdsl2 commented on GitHub (Jul 23, 2019):

@kgathi2 Hello! Thank you for sharing with us your experience. As mentioned in the article you linked, this is caused by a bug on some specific OS versions such as Android 4.x. I believe that newer Android versions and most other platforms are not affected.


@kgathi2 commented on GitHub (Aug 8, 2019):

Hi @hwdsl2, this was in the [docker image](https://github.com/hwdsl2/docker-ipsec-vpn-serve) that you have prepared in this project, I believe in Debian Stretch.

The `iptables` I am discussing is not on the client but on the VPN server. I was not able to get the default logging with `rsyslog` working.
