Firewall – What’s wrong with NordVPN’s iptables rules? Their employees can’t fix the problem


NordVPN for Linux has a port and subnet whitelist feature. It is enabled with these commands (for my port and subnet):

nordvpn whitelist add subnet 192.168.1.0/24
nordvpn whitelist add port 22

However, when this machine is connected to a VPN, I cannot access it by SSH from another machine in my subnet. I wrote NordVPN support and they replied:

Currently, we’re having some issues with NordVPN for Linux regarding port and subnet whitelisting.

They have no useful advice to offer. I had a look at the iptables rules. They seem OK to me, but when I cleared all the rules (while connected to the VPN) I was then able to make an SSH connection to that machine from my other local machine. This indicates that the rules are not working correctly.

NordVPN rules are:

# Generated by iptables-save v1.8.4 on Sun Apr 12 16:11:29 2020
*filter
:INPUT DROP [86:19526]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [103:7935]
-A INPUT -i nordlynx -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 89.87.71.71/32 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 89.87.71.71/32 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 89.87.71.71/32 -i nordlynx -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.5.0.0/16 -i nordlynx -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 6568 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 6568 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 7070 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 7070 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i lo -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --dport 6568 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 6568 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --dport 7070 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 7070 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o nordlynx -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o nordlynx -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o nordlynx -j ACCEPT
-A OUTPUT -d 89.87.71.71/32 -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -o lo -j ACCEPT
-A OUTPUT -d 89.87.71.71/32 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 89.87.71.71/32 -o nordlynx -j ACCEPT
-A OUTPUT -d 10.5.0.0/16 -o nordlynx -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sun Apr 12 16:11:29 2020

I flushed them with:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

My SSH connection worked as desired when the rules were cleared. (I got my NordVPN rules back by restarting them.) What should be changed in the above rules for this machine to accept incoming SSH connections (port 22) from the local network?

Information added in response to the comment:

# ip -br address
lo               UNKNOWN        127.0.0.1/8
eth0             UP             192.168.1.3/24
nordlynx         UNKNOWN        10.5.0.2/16

# ip rule
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default

# ip route
default via 192.168.1.1 dev eth0 proto dhcp metric 20100
10.5.0.0/16 dev nordlynx proto kernel scope link src 10.5.0.2
192.168.1.0/24 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3 metric 100

# ip route show table 51820
default dev nordlynx scope link

I am using NordVPN's NordLynx (WireGuard) technology, but the problem also exists when using the OpenVPN technology instead of WireGuard. I tested both ways.
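As an added example (not part of the original post and not NordVPN's code), here is a small Python tracer that walks an iptables-save filter ruleset for one packet at a time, so the SSH handshake from the LAN can be checked against the INPUT and OUTPUT chains above in both directions. RULES_DUMP is a constructed subset of the rules quoted above, the packet dicts are constructed, and parse/matches/verdict are names chosen here; only the match options those rules actually use are understood.

```python
"""Walk an iptables-save filter ruleset for one packet. Added example, not from
the original post: RULES_DUMP is a constructed subset of the INPUT/OUTPUT rules
quoted above; only the match options those rules use are understood."""
import shlex
from ipaddress import ip_address, ip_network

RULES_DUMP = """
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i nordlynx -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o nordlynx -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
"""
FLAGS = {"-s": "src", "-d": "dst", "-i": "iif", "-o": "oif", "-p": "proto",
         "--dport": "dport", "--ctstate": "ctstate", "-j": "target"}

def parse(dump):
    """Return ({chain: policy}, [rule dicts]) from iptables-save text."""
    policies, rules = {}, []
    for line in dump.strip().splitlines():
        if line.startswith(":"):            # chain header ":NAME POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tok = shlex.split(line)
        rule = {"chain": tok[tok.index("-A") + 1]}
        for flag, key in FLAGS.items():     # each option takes exactly one argument
            if flag in tok:
                rule[key] = tok[tok.index(flag) + 1]
        rules.append(rule)
    return policies, rules

def matches(rule, pkt):
    """True when every match option present in `rule` fits the packet dict."""
    for key in ("src", "dst"):              # CIDR match on source / destination
        if key in rule and ip_address(pkt[key]) not in ip_network(rule[key]):
            return False
    if any(key in rule and rule[key] != pkt.get(key) for key in ("iif", "oif", "proto")):
        return False
    if "dport" in rule and int(rule["dport"]) != pkt.get("dport"):
        return False
    return "ctstate" not in rule or pkt.get("ctstate") in rule["ctstate"].split(",")

def verdict(chain, pkt, dump=RULES_DUMP):
    """Target and index of the first matching rule in `chain`, else (policy, None)."""
    policies, rules = parse(dump)
    for idx, rule in enumerate(r for r in rules if r["chain"] == chain):
        if matches(rule, pkt):
            return rule["target"], idx
    return policies[chain], None
```

Feeding it the inbound SYN (from 192.168.1.2 on eth0 to tcp/22, conntrack state NEW) and the outbound reply (to 192.168.1.2 on eth0, ESTABLISHED) returns ACCEPT from an explicit rule in both chains, while a NEW connection arriving on nordlynx falls through to the DROP policy; a flow that is accepted in both chains here is not being stopped by the filter table itself, so the next place to look is outside it.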
