Open Twert8 opened 8 hours ago
and disable automatic generation of iptables/nftables reliant commands at all
It's mentioned on the home page: -a option automatically adds an iptables rule (or a few iptables rules) for you, udp2raw relies on this iptables rule to work stably. Be aware you don't forget -a (it's a common mistake). If you don't want udp2raw to add iptables rule automatically, you can add it manually (take a look at -g option) and omit -a.
You can always disable -a, so that automatic adding is disabled.
It would be a bad practice to create a mess in the system by installing iptables in addition to nftables or removing nftables at all.
Not really true. On newer Linux distributions, iptables is simply a compatibility layer in user space that translates your input to nftables (kernel), and it has no problem coexisting with the nftables command.
If you really don't want to install the iptables command, you have the option of using -g to generate the iptables rules. You translate them into nftables manually and add them manually.
# ./udp2raw -c -l0.0.0.0:3333 -r44.55.66.77:4096 -k "passwd" --raw-mode faketcp -g
generated iptables rule:
iptables -I INPUT -s 44.55.66.77 -p tcp -m tcp --sport 4096 -j DROP
you translate it to something like:
chain input {
ip saddr 44.55.66.77 tcp sport 4096 drop;
}
and add manually
# ./udp2raw -s -l0.0.0.0:4096 -r 127.0.0.1:7777 -k "passwd" --raw-mode faketcp -g
generated iptables rule:
iptables -I INPUT -p tcp -m tcp --dport 4096 -j DROP
you translate it to something like:
chain input {
tcp dport 4096 drop;
}
and add manually
create an instruction on how to configure nftables
Okay, I will add instructions in the wiki or help page, and add the equivalent nftables commands into -g's output.
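The translation step described above, as an added example that is not udp2raw's own code: a small POSIX shell script that turns the iptables rule printed by -g into the equivalent nftables rule and wraps it in its own table, so -a can be omitted and the rule loaded with nft -f. It assumes the -g output has exactly the shape shown in the two examples above (the table name udp2raw, the chain priority and the UDP2RAW_RULE variable are this example's own choices).

```shell
#!/bin/sh
# Added example (not part of udp2raw). Assumed input shape, as printed by -g:
#   iptables -I INPUT [-s ADDR] -p tcp -m tcp (--sport|--dport) PORT -j DROP
# The DROP only keeps the local TCP stack from answering the faketcp segments
# (e.g. with RST); udp2raw still receives them on its raw socket.

# to_nft_rule "<iptables rule>": print the equivalent nft rule expression.
to_nft_rule() {
    saddr='' port='' dir=''
    # shellcheck disable=SC2086   # word-split the rule into its arguments
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -s)      saddr="$2"; shift ;;
            -p)      [ "$2" = tcp ] || return 1; shift ;;
            --sport) dir=sport; port="$2"; shift ;;
            --dport) dir=dport; port="$2"; shift ;;
            -j)      [ "$2" = DROP ] || return 1; shift ;;
        esac
        shift
    done
    [ -n "$port" ] || return 1
    if [ -n "$saddr" ]; then
        printf 'ip saddr %s tcp %s %s drop\n' "$saddr" "$dir" "$port"
    else
        printf 'tcp %s %s drop\n' "$dir" "$port"
    fi
}

# ruleset_for "<iptables rule>": print an idempotent nft ruleset. The chain
# hooks input at priority -10 so it runs before a distribution's own filter
# chains (priority 0), mirroring what `iptables -I INPUT` (insert at top) does.
ruleset_for() {
    rule=$(to_nft_rule "$1") || return 1
    printf 'add table inet udp2raw\n'      # no-op if the table already exists
    printf 'flush table inet udp2raw\n'    # remove stale rules on reload
    printf 'table inet udp2raw {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority -10; policy accept;\n'
    printf '    %s\n' "$rule"
    printf '  }\n'
    printf '}\n'
}

# Apply as root: UDP2RAW_RULE='iptables -I INPUT ... -j DROP' ./nft-for-udp2raw.sh
if [ -n "${UDP2RAW_RULE:-}" ]; then
    ruleset_for "$UDP2RAW_RULE" | nft -f -
fi
```

Check the result afterwards with nft list table inet udp2raw; if udp2raw still logs rst==1 warnings, the segments are reaching the kernel stack before this chain, so compare against the rest of your ruleset.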
Thank you! So, the only purpose for firewall rules is to protect Linux stack from processing TCP segments?
I configured the endpoints, WireGuard sends packets but does not receive them, and I see in the udp2raw logs at the client multiple passes from client_handshake to client_idle. At the server, I see multiple received syn,sent syn ack back entries from different ports and resets like [WARN][IP.IP.IP.IP,47279]rst==1,cnt=1.
If possible, appreciate if you could create a step-by-step guide on how to establish WireGuard connection between udp2raw client and server with manual nftables firewall entries. Thank you!
So, the only purpose for firewall rules is to protect Linux stack from processing TCP segments?
Yes
At the server, I see multiple received syn,sent syn ack back entries from different ports and resets like [WARN][IP.IP.IP.IP,47279]rst==1,cnt=1.
That usually means iptables/nftables is not working correctly.
Maybe better you install iptables and try. My above nftables rules are NOT tested since I don't have the environment at hand.
If possible, appreciate if you could create a step-by-step guide on how to establish WireGuard connection between udp2raw client and server with manual nftables firewall entries. Thank you!
No, I don't plan to add more step-by-step guides for very specific use cases. Users with networking experience should be able to figure it out easily.
But below are some hints on the wiki.
https://github.com/wangyu-/udp2raw/wiki/udp2raw---wireguard-example-configurations
Hi everyone! I tried to run udp2raw on Debian 12 unsuccessfully. Based on what I see in the udp2raw log, it tries to install iptables rules, which fails, because I have no iptables installed on my system. I'm wondering why udp2raw tries to do that - iptables has been obsolete for a long time already and was replaced by nftables in recent Linux distributions. I don't want to create a mess in the system by installing iptables in addition to nftables. However, I haven't found yet how to run udp2raw on nftables-based systems. Does anyone know how to do that? Appreciate your help!