
I am setting up a VM to use the Tor network. I have configured it with 2 network cards:

# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.8.92  netmask 255.255.254.0  broadcast 192.168.9.255
        ether 32:e7:82:9e:31:07  txqueuelen 1000  (Ethernet)
        RX packets 16080  bytes 609272 (594.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 256  bytes 63970 (62.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.8.69  netmask 255.255.254.0  broadcast 192.168.9.255
        ether 9e:cb:47:6a:c8:be  txqueuelen 1000  (Ethernet)
        RX packets 15815  bytes 540457 (527.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28  bytes 1776 (1.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 60  bytes 4640 (4.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60  bytes 4640 (4.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

My iptables rules are as follows:

*nat

:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53

-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner 107 -j RETURN
-A OUTPUT -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -p tcp -m tcp --dport 9050 -j REDIRECT --to-ports 9050

COMMIT

*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Accept connections from local LAN on eth1
-A INPUT -i eth1 -j ACCEPT

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9050 -j ACCEPT

# Allow access to apt-proxy
-A OUTPUT -d 192.168.8.250 -p tcp -m tcp --dport 3142 -j ACCEPT

COMMIT

Everything works OK from the VM, but for some reason I am unable to SSH to the VM via 192.168.8.69 (the IP address of eth1), despite having the first rule in the filter chain set to accept everything on eth1.

Using:

-A INPUT -s 192.168.8.0/23 -p tcp -m tcp --dport 22 -j ACCEPT # Works
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT # Doesn't work
-A INPUT -i eth1 -j ACCEPT # Doesn't work

Anyone able to tell me what I'm missing here?

Thanks. Using Debian Stretch, no GUI, XEN-ng hypervisor.

Marl
    Did you intend to put both NICs in the same network? This is almost certainly wrong. Especially if you are building something like a Tor proxy box. – Michael Hampton Dec 23 '18 at 18:38
  • Yup, both on same network. default route is via eth0, and tor is sending its traffic out this interface, all ports blocked on eth0 other than that used by tor. eth1 is used for connecting to the tor box from my workstation via ssh. – Marl Dec 23 '18 at 18:49
  • Why have two NICs, then? It doesn't sound like you actually need two. – Michael Hampton Dec 23 '18 at 18:54
  • On Linux, using two NICs on the same LAN requires special settings related to ARP and/or routing protection, or you get random results. Don't believe that the traffic flows through the interface where you configured the IP. See for example my answer there: https://serverfault.com/a/900958/217515 . Don't use two NICs in the same IP LAN. Do use two IPs on the same NIC (this works better when using `ip address` rather than the obsolete tool `ifconfig`) instead, or two IPs in two different IP LANs. – A.B Dec 26 '18 at 20:44

1 Answer

Your firewall rules are mixed: you are using stateless rules and stateful rules. You are using this to track the connection states:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

You need a new rule as follows to allow a new connection:

iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
c4f4t0r
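Added diagnostic, written by the editor and not part of the question, the comments or the answer above. The comments point out that eth0 (192.168.8.92/23) and eth1 (192.168.8.69/23) sit in the same IPv4 subnet, and that on Linux you cannot assume traffic for an address arrives on the NIC that carries it: with default ARP settings the kernel answers an ARP request for 192.168.8.69 on either interface, so a `-i eth1` match can fail while a `-s 192.168.8.0/23` match on the same packets succeeds. The script below finds interfaces that share a subnet from `ip -o -4 addr` style input (a constructed sample mirroring the question's addresses is embedded), and prints, without executing, the sysctl and policy-routing commands that make a second NIC on one LAN behave predictably. The gateway address, the routing table number 100 and the interface/address sample are assumptions for illustration; the page does not state the gateway.

```shell
#!/usr/bin/env bash
# Editor's example: detect two NICs in one IPv4 subnet and emit the fix.
# Not from the original post. Sample input and gateway are constructed.
set -eu

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address (dotted quad) of an addr/prefix string such as 192.168.8.92/23.
network_of() {
    local addr=${1%/*} prefix=${1#*/} mask
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    int2ip $(( $(ip2int "$addr") & mask ))
}

# Read "iface addr/prefix" lines on stdin; print "ifaceA ifaceB network/prefix"
# for every pair of interfaces whose addresses fall in the same subnet.
# On a live host feed it:  ip -o -4 addr show | awk '{print $2, $4}'
shared_subnets() {
    local seen="" iface cidr net prev
    while read -r iface cidr; do
        [ -n "$iface" ] || continue
        net="$(network_of "$cidr")/${cidr#*/}"
        for prev in $seen; do
            if [ "${prev#*=}" = "$net" ]; then
                echo "${prev%%=*} $iface $net"
            fi
        done
        seen="$seen $iface=$net"
    done
}

# Emit (do not run) the settings that let a second NIC on the same LAN work:
# arp_filter=1 makes the kernel answer ARP only on the interface it would
# route the reply through, which in turn needs a per-source routing table so
# packets sourced from that NIC's address leave through that NIC. The reverse
# path filter consults the same rules, so replies arriving on that NIC are
# not discarded as spoofed. Gateway and table number are caller-supplied.
fix_commands() {
    local iface=$1 cidr=$2 gw=$3 table=${4:-100}
    local addr=${cidr%/*} net
    net="$(network_of "$cidr")/${cidr#*/}"
    cat <<EOF
sysctl -w net.ipv4.conf.all.arp_filter=1
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
ip route add $net dev $iface src $addr table $table
ip route add default via $gw dev $iface table $table
ip rule add from $addr lookup $table
EOF
}

# Constructed sample mirroring the addresses in the question's ifconfig output.
SAMPLE='eth0 192.168.8.92/23
eth1 192.168.8.69/23
lo 127.0.0.1/8'

echo "# Interfaces sharing a subnet (ifaceA ifaceB network):"
printf '%s\n' "$SAMPLE" | shared_subnets
echo "# Suggested fix for eth1 (gateway 192.168.8.1 is an assumed placeholder; check 'ip route'):"
fix_commands eth1 192.168.8.69/23 "${GATEWAY:-192.168.8.1}"
```

Run it as-is to see the report for the sample, or pipe `ip -o -4 addr show | awk '{print $2, $4}'` into `shared_subnets` on the host. The simpler fix the comments recommend still stands: put both addresses on one NIC, or put eth1 in a different subnet, and none of the ARP or policy-routing settings are needed.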