
nordpy on device with two interfaces/default GWs (VLANs)

Open ikarus23 opened this issue 3 years ago • 2 comments

Hi. First of all, thank you for making nordpy. I really like the simplicity of it and the fact it is open source.

I have an issue with reaching (SSH) my system after running nordpy.

I have a server with two vlan interfaces, eth0.100 and eth0.200.

> ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    [ ... ]
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d0:63:b4:00:b1:3e brd ff:ff:ff:ff:ff:ff
[ ... ]
4: eth0.200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:63:b4:00:b1:3e brd ff:ff:ff:ff:ff:ff
    inet 192.168.250.2/24 brd 192.168.250.255 scope global dynamic noprefixroute eth0.200
       valid_lft 2057481sec preferred_lft 2057481sec
    [ ... ]
5: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:63:b4:00:b1:3e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0.100
       valid_lft 2057481sec preferred_lft 2057481sec
    [ ... ]

There are default routes for both interfaces (with a different metric).

> ip route
default via 192.168.0.1 dev eth0.100 proto dhcp metric 400 
default via 192.168.250.1 dev eth0.200 proto dhcp metric 401 
[ ... ]

nordpy edits the iptables. In my case it denies incoming and outgoing traffic to all networks, except the one which was previously the default route network.

> iptables -S   
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0.100 -j ACCEPT
[ ... ]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth0.100 -j ACCEPT
[ ... ]

My issue is: I want to access this device via SSH over the eth0.200 interface (192.168.250.0/24), but nordpy does not create the needed iptables entry. Could nordpy add ACCEPT rules for all internal (local) networks? Why is the default to DROP everything? Wouldn't it be enough to deny input on the tun0 interface? Sorry, I'm a bit confused by these rules.

ikarus23, Feb 14 '21 18:02
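The rule set quoted above only whitelists the subnet of the first default route, which is why management traffic on eth0.200 is dropped. One way to generate ACCEPT rules for every directly connected network instead, as an added example that is not nordpy's own code: read the kernel's `scope link` routes from `ip -o -4 route`, and emit one INPUT and one OUTPUT rule per connected prefix. The route lines below are constructed to match the setup in the issue, and the `apply_rules` helper (hypothetical, not part of nordpy) is the only part that touches iptables.

```shell
#!/bin/sh
# Added example (not nordpy's code): derive iptables ACCEPT rules for all
# directly connected IPv4 networks, so local access (e.g. SSH) survives a
# DROP default policy on every interface, not only the default-route one.

# Constructed sample of `ip -o -4 route` output matching the issue's host.
# On a real host, replace this with: ip -o -4 route
SAMPLE_ROUTES='default via 192.168.0.1 dev eth0.100 proto dhcp metric 400
default via 192.168.250.1 dev eth0.200 proto dhcp metric 401
192.168.0.0/24 dev eth0.100 proto kernel scope link src 192.168.0.2 metric 400
192.168.250.0/24 dev eth0.200 proto kernel scope link src 192.168.250.2 metric 401'

# local_rules: read route lines on stdin and print an INPUT and an OUTPUT
# ACCEPT rule for each "<prefix> dev <iface> ... scope link" route.
# Default routes and host (/32) routes are skipped: only the connected
# subnets themselves are whitelisted, never the wider internet.
local_rules() {
    while read -r prefix rest; do
        case "$prefix" in default|*/32) continue ;; esac
        case "$rest" in *"scope link"*) ;; *) continue ;; esac
        # Pick the word following "dev" as the interface name.
        iface=''
        set -- $rest
        while [ $# -gt 0 ]; do
            if [ "$1" = dev ]; then iface=$2; fi
            shift
        done
        [ -n "$iface" ] || continue
        printf '%s -s %s -i %s -j ACCEPT\n' '-A INPUT' "$prefix" "$iface"
        printf '%s -d %s -o %s -j ACCEPT\n' '-A OUTPUT' "$prefix" "$iface"
    done
}

# apply_rules (hypothetical helper): install the generated rules on the live
# host. Requires root; uses -C first so re-running does not duplicate rules.
apply_rules() {
    ip -o -4 route | local_rules | while read -r action chain args; do
        # shellcheck disable=SC2086
        iptables -C "$chain" $args 2>/dev/null || iptables "$action" "$chain" $args
    done
}

# Stand-alone demo: print the rules the sample routing table would produce.
printf '%s\n' "$SAMPLE_ROUTES" | local_rules
```

Run with the sample data it prints the four rules for 192.168.0.0/24 on eth0.100 and 192.168.250.0/24 on eth0.200; `apply_rules` is what a VPN client would call after setting its DROP policies, before adding the tunnel rules.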

Yes, it is definitely reasonable, I just didn't consider this case. I will handle this case

morpheusthewhite, Feb 14 '21 21:02

Oh, this is great! Thank you so much!

ikarus23, Feb 15 '21 19:02