chucklessducks / VPS-Wireguard-Nginx-Mailcow

My journey to make my own email server.

Better IPtables #4

Open madeofstown opened 1 year ago

madeofstown commented 1 year ago

When using mailcow on my local server I could not get it working 100% (TLSA, damn you!) with the iptables rules described in the instructions. The sudo iptables -P FORWARD DROP rule specifically was the main problem, because the wireguard install script used for the VPS already sets up the proper rules to forward all traffic (IPv4 and IPv6) from client > VPS > Internet (as the VPS IP). I did some experimenting and came up with a bash script to add the correct iptables and ip6tables rules for forwarding traffic from the Internet > VPS > client on the specified ports. Run this script INSTEAD of adding ANY OTHER iptables or ip6tables rules from the wiki:

#!/bin/bash
set -x

# SET PUBLIC IP INTERFACE NAME
ni=ens192

# WIREGUARD TUNNEL INTERFACE AND ADDRESSES (VPS side / mailcow client side)
wg=wg0
v4_gw=10.7.0.1
v4_client=10.7.0.2
v6_gw=fddd:2c4:2c4:2c4::1
v6_client=fddd:2c4:2c4:2c4::2

# SET FORWARDED PORTS
TCP_PORTS="25 80 81 110 143 443 465 587 993 995 4190"

# Note: -A appends, so running the script twice installs every rule twice;
# check with `sudo iptables -t nat -S` / `sudo ip6tables -t nat -S` first.
# Replies depend on an ESTABLISHED,RELATED rule in FORWARD, which the
# WireGuard install script is reported to add already.
for p in $TCP_PORTS
do
    # Allow new inbound connections on the port to cross from the public interface into the tunnel
    sudo ip6tables -A FORWARD -i "$ni" -o "$wg" -p tcp --syn --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables  -A FORWARD -i "$ni" -o "$wg" -p tcp --syn --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    # Forward traffic from the public network to wg0 on the specified ports (rewrite the destination to the client)
    sudo ip6tables -t nat -A PREROUTING -i "$ni" -p tcp --dport "$p" -j DNAT --to-destination "$v6_client"
    sudo iptables  -t nat -A PREROUTING -i "$ni" -p tcp --dport "$p" -j DNAT --to-destination "$v4_client"
    # Make the VPS the source, so the client's replies come back through the tunnel instead of its default route
    sudo ip6tables -t nat -A POSTROUTING -o "$wg" -p tcp --dport "$p" -d "$v6_client" -j SNAT --to-source "$v6_gw"
    sudo iptables  -t nat -A POSTROUTING -o "$wg" -p tcp --dport "$p" -d "$v4_client" -j SNAT --to-source "$v4_gw"
done

I've also added the following lines to the VPS's wg0.conf file at the end of the [Interface] section:

# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1; sysctl -w net.ipv6.conf.all.forwarding=1

# masquerading
PostUp =   ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

These should not be necessary, but if you find you are having issues, go ahead and add them if you want to replicate my environment.
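As an added example (not code from the issue author or from the repository), here is the same Internet > VPS > client forwarding set written so that it can be re-run safely: every rule is rendered from one function, applied only if `iptables -C` says it is not already present, and verified with a `check` mode that reports the first missing rule. It assumes the issue's names and addresses (public interface ens192, tunnel wg0, VPS 10.7.0.1 / fddd:2c4:2c4:2c4::1, mailcow client 10.7.0.2 / fddd:2c4:2c4:2c4::2; all overridable through the environment) and adds an explicit ESTABLISHED,RELATED rule for the wg0 > public return path; if the WireGuard install script already installed an equivalent rule the extra one is harmless, and an identical one is skipped.

```bash
#!/bin/bash
# Added example (not from the repository): the issue's port-forwarding rules,
# rendered from one place and installed only when not already present.
set -euo pipefail

# Assumptions taken from the issue; override via the environment if yours differ.
NI="${NI:-ens192}"                       # public interface of the VPS
WG_IF="${WG_IF:-wg0}"                    # WireGuard tunnel interface
V4_GW=10.7.0.1;            V4_CLIENT=10.7.0.2
V6_GW=fddd:2c4:2c4:2c4::1; V6_CLIENT=fddd:2c4:2c4:2c4::2
TCP_PORTS="${TCP_PORTS:-25 80 81 110 143 443 465 587 993 995 4190}"
IPT=iptables
IP6T=ip6tables

# render_rules PORT...: print one rule per line as "TOOL TABLE CHAIN MATCH... -j TARGET".
render_rules() {
  local p tool client gw
  # Return path for connections that were forwarded in: replies leave the tunnel
  # towards the public interface and must be accepted by FORWARD as well.
  echo "$IPT filter FORWARD -i $WG_IF -o $NI -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$IP6T filter FORWARD -i $WG_IF -o $NI -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for p in "$@"; do
    for tool in "$IPT" "$IP6T"; do
      if [ "$tool" = "$IPT" ]; then client=$V4_CLIENT; gw=$V4_GW; else client=$V6_CLIENT; gw=$V6_GW; fi
      # 1. new inbound connection on the port may cross from the public interface into the tunnel
      echo "$tool filter FORWARD -i $NI -o $WG_IF -p tcp --syn --dport $p -m conntrack --ctstate NEW -j ACCEPT"
      # 2. rewrite the destination to the mailcow host behind the tunnel
      echo "$tool nat PREROUTING -i $NI -p tcp --dport $p -j DNAT --to-destination $client"
      # 3. make the VPS the source, so the client answers through the tunnel, not its default route
      echo "$tool nat POSTROUTING -o $WG_IF -p tcp --dport $p -d $client -j SNAT --to-source $gw"
    done
  done
}

# count_rules PORT...: number of rules render_rules would emit (2 + 6 per port).
count_rules() { render_rules "$@" | wc -l | tr -d ' '; }

# apply_rules PORT...: append each rule only if an identical one is absent (-C), so
# re-running never duplicates rules. Needs root and a working iptables/ip6tables.
apply_rules() {
  render_rules "$@" | while read -r tool table chain rule; do
    # shellcheck disable=SC2086
    if ! "$tool" -t "$table" -C "$chain" $rule 2>/dev/null; then
      "$tool" -t "$table" -A "$chain" $rule
    fi
  done
}

# check_rules PORT...: exit 1 at the first rule that is not installed, naming it.
check_rules() {
  render_rules "$@" | while read -r tool table chain rule; do
    # shellcheck disable=SC2086
    "$tool" -t "$table" -C "$chain" $rule 2>/dev/null \
      || { echo "MISSING: $tool -t $table -A $chain $rule" >&2; exit 1; }
  done
}

# Usage: ./forward.sh apply | check | (no argument: print the rule set)
# shellcheck disable=SC2086
case "${1:-render}" in
  apply) apply_rules $TCP_PORTS ;;
  check) check_rules $TCP_PORTS ;;
  *)     render_rules $TCP_PORTS ;;
esac
```

The rule text printed by the no-argument mode is exactly what `apply` passes to `iptables -A`, so a diff between it and `iptables -t nat -S` is the quickest way to see whether a DNAT or SNAT rule was lost after a reboot or a wg-quick restart.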

nihtegale commented 10 months ago

Do you still use this setup? For some reason, no matter what I do, I still have an issue with TLSA; in my case the error is 111/110. I've used:

So forwarding works, as nmap and delivery of emails work, but still this is not a 100% solution.

From what I understand and found on Google, this is an issue with SNAT/DNAT and/or DNS. What I've discovered is that if you set the hosts entry for mail.domain.tld to an internal address (127.0.1.1) within the VMs, and also inside the containers to the VM's IP in your network, then TLSA seems to generate/work.

Thanks for any tips!