qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
7.8k stars, 364 forks

Bug: investigate if iptables-legacy must be changed if iptables-nft is already set #2414

Open qdm12 opened 2 months ago

qdm12 commented 2 months ago

Is this urgent?

No

Host OS

Any

CPU arch

None

VPN service provider

AirVPN

What are you using to run the container

docker run

What is the version of Gluetun

2024-08-14 latest

What's the problem 🤔

It seems that on some systems where the nft backend is supported, iptables-nft gets used correctly by Gluetun to configure the nft firewall, but iptables-legacy is left untouched. I've tested it, and for example adding a drop rule in either of the two blocks it for the system, so this should be fine.

However, as shown in the logs below from @DaBlincx, iptables-legacy shows packets and bytes that went through its ACCEPT policy, although iptables-nft gets its traffic as well. We should double-check why that is.

Share your logs (at least 10 lines)

These were run immediately after starting gluetun (and the rest of my docker-compose config) and waiting for it to be connected.

E:\mediaConfig>docker exec gluetun iptables-legacy -t filter -vL
Chain INPUT (policy ACCEPT 18167 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 25567 packets, 2969K bytes)
 pkts bytes target     prot opt in     out     source               destination
E:\mediaConfig>docker exec gluetun iptables-nft -t filter -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy DROP 115 packets, 18652 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1139  101K ACCEPT     all  --  lo     any     anywhere             anywhere
54402   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   34  2040 ACCEPT     all  --  eth0   any     anywhere             172.18.0.0/16
  119  6784 ACCEPT     tcp  --  tun0   any     anywhere             anywhere             tcp dpt:55054
  116 13651 ACCEPT     udp  --  tun0   any     anywhere             anywhere             udp dpt:55054

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 39159 packets, 3108K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1139  101K ACCEPT     all  --  any    lo      anywhere             anywhere
24396 3848K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    eth0    f07d39b24ba9         172.18.0.0/16
    1    60 ACCEPT     tcp  --  any    eth0    anywhere             unn-149-88-19-225.datapacket.com  tcp dpt:https
12739 1269K ACCEPT     all  --  any    tun0    anywhere             anywhere
E:\mediaConfig>docker exec gluetun iptables -t filter -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy DROP 115 packets, 18652 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1149  102K ACCEPT     all  --  lo     any     anywhere             anywhere
54421   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   34  2040 ACCEPT     all  --  eth0   any     anywhere             172.18.0.0/16
  125  7124 ACCEPT     tcp  --  tun0   any     anywhere             anywhere             tcp dpt:55054
  116 13651 ACCEPT     udp  --  tun0   any     anywhere             anywhere             udp dpt:55054

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 39159 packets, 3108K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1149  102K ACCEPT     all  --  any    lo      anywhere             anywhere
24412 3850K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    eth0    f07d39b24ba9         172.18.0.0/16
    1    60 ACCEPT     tcp  --  any    eth0    anywhere             unn-149-88-19-225.datapacket.com  tcp dpt:https
12739 1269K ACCEPT     all  --  any    tun0    anywhere             anywhere
E:\mediaConfig>docker exec gluetun iptables-legacy -t nat -vL
Chain PREROUTING (policy ACCEPT 221 packets, 21845 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 200 packets, 18129 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 45284 packets, 3877K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER_OUTPUT  all  --  any    any     anywhere             127.0.0.11

Chain POSTROUTING (policy ACCEPT 6125 packets, 769K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER_POSTROUTING  all  --  any    any     anywhere             127.0.0.11

Chain DOCKER_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             127.0.0.11           tcp dpt:domain to:127.0.0.11:44693
    0     0 DNAT       udp  --  any    any     anywhere             127.0.0.11           udp dpt:domain to:127.0.0.11:54288

Chain DOCKER_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  any    any     127.0.0.11           anywhere             tcp spt:44693 to::53
    0     0 SNAT       udp  --  any    any     127.0.0.11           anywhere             udp spt:54288 to::53
E:\mediaConfig>docker exec gluetun iptables-nft -t nat -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
E:\mediaConfig>docker exec gluetun iptables -t nat -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
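The following Go program is an added example and is not part of gluetun's code base or of this issue's logs. It does what a defender would want to do with listings like the ones above: parse the `-vL` text format that both `iptables-legacy` and `iptables-nft` emit, report which backend actually holds the filter rules, and flag built-in chains that are empty with policy ACCEPT on one backend (with a non-zero packet counter) while the other backend enforces DROP. The embedded input is the filter-table output from the logs above, trimmed to the INPUT, FORWARD and OUTPUT chains (the nft OUTPUT chain is cut to three rules); the function names, the finding texts and the `ChainStats` layout are this example's own choices.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// ChainStats summarises one chain of an `iptables -t <table> -vL` listing.
type ChainStats struct {
	Name          string
	Policy        string // "" for user-defined chains, which have no policy
	PolicyPackets uint64 // packets that fell through to the chain policy
	Rules         int    // number of rule lines listed under the chain
}

// ParseVL parses the listing printed by iptables-legacy / iptables-nft -vL.
// Both binaries print the same layout, so one parser serves both backends.
func ParseVL(listing string) map[string]ChainStats {
	chains := map[string]ChainStats{}
	var cur *ChainStats
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "pkts bytes"):
			continue // blank line, the "# Warning:" banner, or the column header
		case strings.HasPrefix(line, "Chain "):
			if cur != nil {
				chains[cur.Name] = *cur
			}
			f := strings.Fields(line) // e.g. Chain INPUT (policy ACCEPT 18167 packets, 13M bytes)
			c := ChainStats{Name: f[1]}
			if len(f) >= 5 && f[2] == "(policy" {
				c.Policy = f[3]
				c.PolicyPackets, _ = strconv.ParseUint(f[4], 10, 64)
			}
			cur = &c
		default:
			if cur != nil {
				cur.Rules++ // every other non-empty line is a rule
			}
		}
	}
	if cur != nil {
		chains[cur.Name] = *cur
	}
	return chains
}

// BackendInUse reports where the rules live: "legacy", "nft", "both" or "none".
func BackendInUse(legacy, nft map[string]ChainStats) string {
	count := func(m map[string]ChainStats) (n int) {
		for _, c := range m {
			n += c.Rules
		}
		return n
	}
	l, n := count(legacy), count(nft)
	switch {
	case l > 0 && n > 0:
		return "both"
	case n > 0:
		return "nft"
	case l > 0:
		return "legacy"
	}
	return "none"
}

// AuditBackends compares the built-in filter chains as seen by each backend.
// The kernel evaluates both rule sets, so a DROP in either blocks traffic; the
// findings worth raising are rules split across backends, and a chain that is
// empty and ACCEPT (yet counting packets) in one backend while the other enforces DROP.
func AuditBackends(legacy, nft map[string]ChainStats) []string {
	var out []string
	for _, name := range []string{"INPUT", "FORWARD", "OUTPUT"} {
		l, n := legacy[name], nft[name] // zero values if the chain is absent
		switch {
		case l.Rules > 0 && n.Rules > 0:
			out = append(out, fmt.Sprintf("%s: rules in both backends (legacy=%d, nft=%d)", name, l.Rules, n.Rules))
		case l.Rules == 0 && l.Policy == "ACCEPT" && n.Policy == "DROP" && l.PolicyPackets > 0:
			out = append(out, fmt.Sprintf("%s: legacy chain empty with policy ACCEPT (%d pkts); only the nft chain enforces DROP", name, l.PolicyPackets))
		}
	}
	return out
}

// Filter-table listings taken from the issue logs (trimmed to the built-in chains).
const legacyFilter = `Chain INPUT (policy ACCEPT 18167 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 25567 packets, 2969K bytes)
 pkts bytes target     prot opt in     out     source               destination
`

const nftFilter = `# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy DROP 115 packets, 18652 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1139  101K ACCEPT     all  --  lo     any     anywhere             anywhere
54402   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   34  2040 ACCEPT     all  --  eth0   any     anywhere             172.18.0.0/16
  119  6784 ACCEPT     tcp  --  tun0   any     anywhere             anywhere             tcp dpt:55054
  116 13651 ACCEPT     udp  --  tun0   any     anywhere             anywhere             udp dpt:55054

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 39159 packets, 3108K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1139  101K ACCEPT     all  --  any    lo      anywhere             anywhere
24396 3848K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
12739 1269K ACCEPT     all  --  any    tun0    anywhere             anywhere
`

func main() {
	legacy, nft := ParseVL(legacyFilter), ParseVL(nftFilter)
	fmt.Println("rules live in backend:", BackendInUse(legacy, nft))
	for _, f := range AuditBackends(legacy, nft) {
		fmt.Println("finding:", f)
	}
}
```

On the logs above this reports `nft` as the backend holding the rules and raises findings for INPUT and OUTPUT (FORWARD is skipped because its legacy policy counter is zero). Inside a running container the same listings come from `docker exec gluetun iptables-legacy -t filter -vL` and `docker exec gluetun iptables-nft -t filter -vL`; `iptables --version` additionally names the backend the unsuffixed `iptables` binary is wired to, which is the quickest way to see whether a rule added by hand lands in the same table that gluetun manages.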
github-actions[bot] commented 2 months ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please: