nordpy on device with two interfaces/default GWs (VLANs) #52

Open
ikarus23 opened this issue Feb 14, 2021 · 2 comments
Labels
bug Something isn't working

Comments

@ikarus23

Hi. First of all, thank you for making nordpy. I really like the simplicity of it and the fact it is open source.

I have an issue with reaching (SSH) my system after running nordpy.

I have a server with two vlan interfaces, eth0.100 and eth0.200.

> ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    [ ... ]
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d0:63:b4:00:b1:3e brd ff:ff:ff:ff:ff:ff
[ ... ]
4: eth0.200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:63:b4:00:b1:3e brd ff:ff:ff:ff:ff:ff
    inet 192.168.250.2/24 brd 192.168.250.255 scope global dynamic noprefixroute eth0.200
       valid_lft 2057481sec preferred_lft 2057481sec
    [ ... ]
5: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:63:b4:00:b1:3e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0.100
       valid_lft 2057481sec preferred_lft 2057481sec
    [ ... ]

There are default routes for both interfaces (with a different metric).

> ip route
default via 192.168.0.1 dev eth0.100 proto dhcp metric 400 
default via 192.168.250.1 dev eth0.200 proto dhcp metric 401 
[ ... ]

nordpy edits the iptables. In my case it denies incoming and outgoing traffic to all networks, except the one which was previously the default route network.

> iptables -S   
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0.100 -j ACCEPT
[ ... ]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth0.100 -j ACCEPT
[ ... ]

My issue is: I want to access this device via SSH over the eth0.200 interface (192.168.250.0/24), but nordpy does not create the needed iptables entry. Could nordpy add ACCEPT rules for all internal (local) networks? Why is the default to DROP everything? Wouldn't it be enough to deny input on the tun0 interface? Sorry, I'm a bit confused by these rules.

@ikarus23 ikarus23 changed the title nordpy on device with two interfaces/default GWs (VLAN) nordpy on device with two interfaces/default GWs (VLANs) Feb 14, 2021
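One way to produce what the issue asks for (ACCEPT rules for every directly connected local subnet on its own interface, instead of only the former default-route subnet), as an added example that is not part of nordpy or of this thread. The `ip -o -4 addr show scope global` lines are constructed to match the interfaces above (plus a hypothetical eth1 with a /27), the network address is derived from each host address and prefix length, and the rules are only printed so they can be reviewed before being loaded next to the existing DROP policies.

```shell
#!/bin/sh
# Constructed sample of `ip -o -4 addr show scope global` output (modelled on the
# issue's interfaces; eth1 is a made-up extra interface with a non-/24 prefix).
SAMPLE_ADDRS='4: eth0.200    inet 192.168.250.2/24 brd 192.168.250.255 scope global dynamic noprefixroute eth0.200\       valid_lft 2057481sec preferred_lft 2057481sec
5: eth0.100    inet 192.168.0.2/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0.100\       valid_lft 2057481sec preferred_lft 2057481sec
6: eth1    inet 10.20.30.40/27 brd 10.20.30.63 scope global eth1\       valid_lft forever preferred_lft forever'

# Read `ip -o -4 addr` lines on stdin and print "iface network/prefix" per line.
# The network address is computed octet by octet from the host address and the
# prefix length, so a /27 is handled as well as a /24.
local_subnets() {
  awk '$3 == "inet" {
    iface = $2
    split($4, hp, "/")
    split(hp[1], o, "[.]")
    p = hp[2] + 0
    for (i = 1; i <= 4; i++) {
      bits = p - 8 * (i - 1)
      if (bits > 8) bits = 8
      if (bits < 0) bits = 0
      step = 2 ^ (8 - bits)              # size of the host part inside this octet
      o[i] = int(o[i] / step) * step     # clear the host bits of this octet
    }
    printf "%s %d.%d.%d.%d/%d\n", iface, o[1], o[2], o[3], o[4], p
  }'
}

# Emit one INPUT and one OUTPUT ACCEPT rule per local subnet, each bound to its
# interface, so the DROP policies and the tun0/VPN rules stay as they are.
# Rules are printed (iptables-restore style), not applied.
local_subnet_rules() {
  local_subnets | while read -r iface net; do
    printf '%s\n' "-A INPUT -s $net -i $iface -j ACCEPT"
    printf '%s\n' "-A OUTPUT -d $net -o $iface -j ACCEPT"
  done
}

# On a live host replace the sample with: ip -o -4 addr show scope global | local_subnet_rules
printf '%s\n' "$SAMPLE_ADDRS" | local_subnet_rules
```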
@morpheusthewhite
Owner

morpheusthewhite commented Feb 14, 2021

Yes, it is definitely reasonable, I just didn't consider this case. I will handle this case.

@morpheusthewhite morpheusthewhite added the bug Something isn't working label Feb 14, 2021
@ikarus23
Author

Oh, this is great! Thank you so much!
