VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
It seems on some systems, where the nft backend is supported, iptables-nft gets used correctly to configure the nft firewall by Gluetun, but iptables-legacy is left untouched. I've tested it, and for example adding a drop rule in either of the two blocks it for the system, so this should be fine.
However, as shown in the logs below from @DaBlincx, iptables-legacy shows packets and bytes that went through its ACCEPT policy, although iptables-nft gets its traffic as well. We should double-check why that is.
Share your logs (at least 10 lines)
These were run immediately after starting gluetun (and the rest of my docker-compose config) and waiting for it to be connected.
E:\mediaConfig>docker exec gluetun iptables-legacy -t filter -vL
Chain INPUT (policy ACCEPT 18167 packets, 13M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 25567 packets, 2969K bytes)
pkts bytes target prot opt in out source destination
E:\mediaConfig>docker exec gluetun iptables-nft -t filter -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy DROP 115 packets, 18652 bytes)
pkts bytes target prot opt in out source destination
1139 101K ACCEPT all -- lo any anywhere anywhere
54402 45M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
34 2040 ACCEPT all -- eth0 any anywhere 172.18.0.0/16
119 6784 ACCEPT tcp -- tun0 any anywhere anywhere tcp dpt:55054
116 13651 ACCEPT udp -- tun0 any anywhere anywhere udp dpt:55054
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 39159 packets, 3108K bytes)
pkts bytes target prot opt in out source destination
1139 101K ACCEPT all -- any lo anywhere anywhere
24396 3848K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- any eth0 f07d39b24ba9 172.18.0.0/16
1 60 ACCEPT tcp -- any eth0 anywhere unn-149-88-19-225.datapacket.com tcp dpt:https
12739 1269K ACCEPT all -- any tun0 anywhere anywhere
E:\mediaConfig>docker exec gluetun iptables -t filter -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy DROP 115 packets, 18652 bytes)
pkts bytes target prot opt in out source destination
1149 102K ACCEPT all -- lo any anywhere anywhere
54421 45M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
34 2040 ACCEPT all -- eth0 any anywhere 172.18.0.0/16
125 7124 ACCEPT tcp -- tun0 any anywhere anywhere tcp dpt:55054
116 13651 ACCEPT udp -- tun0 any anywhere anywhere udp dpt:55054
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 39159 packets, 3108K bytes)
pkts bytes target prot opt in out source destination
1149 102K ACCEPT all -- any lo anywhere anywhere
24412 3850K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- any eth0 f07d39b24ba9 172.18.0.0/16
1 60 ACCEPT tcp -- any eth0 anywhere unn-149-88-19-225.datapacket.com tcp dpt:https
12739 1269K ACCEPT all -- any tun0 anywhere anywhere
E:\mediaConfig>docker exec gluetun iptables-legacy -t nat -vL
Chain PREROUTING (policy ACCEPT 221 packets, 21845 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 200 packets, 18129 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 45284 packets, 3877K bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER_OUTPUT all -- any any anywhere 127.0.0.11
Chain POSTROUTING (policy ACCEPT 6125 packets, 769K bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER_POSTROUTING all -- any any anywhere 127.0.0.11
Chain DOCKER_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere 127.0.0.11 tcp dpt:domain to:127.0.0.11:44693
0 0 DNAT udp -- any any anywhere 127.0.0.11 udp dpt:domain to:127.0.0.11:54288
Chain DOCKER_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT tcp -- any any 127.0.0.11 anywhere tcp spt:44693 to::53
0 0 SNAT udp -- any any 127.0.0.11 anywhere udp spt:54288 to::53
E:\mediaConfig>docker exec gluetun iptables-nft -t nat -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
E:\mediaConfig>docker exec gluetun iptables -t nat -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
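Added example, not code from Gluetun or from anyone in this thread: a small Go program that reads the two filter-table listings above (copied, abridged, into the source as sample input) and reports, per built-in chain, the verdict a packet gets when it matches no rule in either backend, plus the things a kill-switch review would look at. The kernel runs the legacy (xtables) hook and the nf_tables hook for every packet, so a packet has to be accepted by both and one DROP policy in either backend is enough to drop it; the packet counts on the legacy ACCEPT policies are packets that traversed the legacy hook without matching any rule, not a verdict. The names ParseDump, Audit, Chain and Finding, and the choice of what counts as a note, are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Sample input copied (abridged) from the filter-table listings in this issue: legacy backend, then nft.
const legacyFilter = `Chain INPUT (policy ACCEPT 18167 packets, 13M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 25567 packets, 2969K bytes)
pkts bytes target prot opt in out source destination`
const nftFilter = `# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy DROP 115 packets, 18652 bytes)
pkts bytes target prot opt in out source destination
54402 45M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 39159 packets, 3108K bytes)
pkts bytes target prot opt in out source destination
12739 1269K ACCEPT all -- any tun0 anywhere anywhere`

// Chain is one chain of an `iptables -vL` listing.
type Chain struct {
	Policy string   // empty for user-defined chains, which have no policy
	Pkts   int64    // packets that matched no rule and fell through to the policy
	Rules  []string // raw rule lines, in order
}

// Built-in chains carry "(policy X N packets, ...)", user-defined ones "(N references)".
var chainRe = regexp.MustCompile(`^Chain (\S+) \((?:policy (\S+) (\S+) packets|\d+ references)`)

// ParseDump parses `iptables[-legacy|-nft] -t <table> -vL` output into chains keyed by name.
// Without -x, counters above 99999 print abbreviated (13M); those are rejected, not guessed.
func ParseDump(dump string) (map[string]*Chain, error) {
	chains := map[string]*Chain{}
	cur := &Chain{} // orphan: collects anything before the first header (nothing, in real output)
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch m := chainRe.FindStringSubmatch(line); {
		case line == "", strings.HasPrefix(line, "#"), strings.HasPrefix(line, "pkts "):
			continue // blank line, backend warning, or column header
		case m == nil:
			cur.Rules = append(cur.Rules, line)
		case m[3] == "": // user-defined chain: no policy, no counter
			cur = &Chain{}
			chains[m[1]] = cur
		default:
			n, err := strconv.ParseInt(m[3], 10, 64)
			if err != nil {
				return nil, fmt.Errorf("chain %s: counter %q is abbreviated, rerun with -x", m[1], m[3])
			}
			cur = &Chain{Policy: m[2], Pkts: n}
			chains[m[1]] = cur
		}
	}
	return chains, sc.Err()
}

// Finding is the result for one built-in chain; Effective is the verdict a packet
// gets when it matches no rule in either backend.
type Finding struct{ Chain, Effective string; Notes []string }

// Audit compares the built-in filter chains. The kernel runs both the legacy (xtables) hook
// and the nf_tables hook on every packet, so the effective default is the stricter policy.
func Audit(legacy, nft map[string]*Chain) []Finding {
	var out []Finding
	for _, name := range []string{"INPUT", "FORWARD", "OUTPUT"} {
		l, n := legacy[name], nft[name]
		f := Finding{Chain: name, Effective: "ACCEPT"}
		if (l != nil && l.Policy == "DROP") || (n != nil && n.Policy == "DROP") {
			f.Effective = "DROP"
		}
		if n == nil || n.Policy != "DROP" {
			f.Notes = append(f.Notes, "nft policy is not DROP: the managed table is not a kill switch")
		}
		switch {
		case l != nil && len(l.Rules) > 0:
			f.Notes = append(f.Notes, fmt.Sprintf("legacy table holds %d rule(s) that nothing manages", len(l.Rules)))
		case l != nil && l.Pkts > 0:
			f.Notes = append(f.Notes, fmt.Sprintf("legacy policy counted %d packets: that hook runs too, but with no rules and ACCEPT there the nft table decides", l.Pkts))
		}
		out = append(out, f)
	}
	return out
}

func main() {
	legacy, _ := ParseDump(legacyFilter) // sample input above is known-good
	nft, _ := ParseDump(nftFilter)
	for _, f := range Audit(legacy, nft) {
		fmt.Println(f.Chain, "effective default:", f.Effective, f.Notes)
	}
}
```

Against a live container, feed the output of `docker exec gluetun iptables-legacy -t filter -vL` and `docker exec gluetun iptables-nft -t filter -vL` into ParseDump (add -x for exact counters). Each backend's counters start when its table was created in the container's network namespace, so the two totals need not agree; what matters for the kill switch is that every built-in chain comes out with an effective default of DROP and that the legacy table holds no rules of its own.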
@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:
do not ask for updates, be patient
:+1: the issue to show your support instead of commenting
@qdm12 usually checks issues at least once a week; if this is a new urgent bug, revert to an older tagged container image
Is this urgent?
No
Host OS
Any
CPU arch
None
VPN service provider
AirVPN
What are you using to run the container
docker run
What is the version of Gluetun
2024-08-14 latest