I am having an issue establishing an SSH connection to my Docker container when the Docker host is connected to a VPN (NordVPN).
Here is what I have done:
- On my router: I have port-forwarded an SSH connection port to my SSH Docker container port, 222. That's enough to SSH into my container when the VPN is off.
- For connecting when the VPN is on, I have whitelisted port 222 on my VPN, hoping that would do the trick.
Doing a tcpdump on port 222, I found out there is a routing problem: traffic is coming in through the end0 interface but it is going out through the nordlynx interface.
```
10:39:10.808155 end0 In IP x.x.x.x.62846 > 192.168.1.100.222: Flags [S], seq 382059475, win 64860, options [mss 1380,sackOK,TS val 1310442820 ecr 0,nop,wscale 7], length 0
10:39:10.808390 nordlynx Out IP 192.168.1.100.222 > x.x.x.x.62846: Flags [S.], seq 263244332, ack 382059476, win 65160, options [mss 1460,sackOK,TS val 2175849857 ecr 1310442820,nop,wscale 7], length 0
```

I have tried to SSH directly into the Docker host using the same configuration (port forwarding to port 22 and VPN whitelist for port 22), and it is working fine. Here is the tcpdump on port 22:

```
10:28:33.108572 end0 In IP x.x.x.x.3395 > 192.168.1.100.ssh: Flags [P.], seq 2808398916:2808398932, ack 3377658384, win 487, options [nop,nop,TS val 1309805121 ecr 143975779], length 16
10:28:33.151936 end0 Out IP 192.168.1.100.ssh > x.x.x.x.3395: Flags [.], ack 16, win 482, options [nop,nop,TS val 144008198 ecr 1309805121], length 0
```

Here is what the routing tables show (I have removed entries that did not seem related to my problem). 172.23.0.1 is the IP of my container.

```
default dev nordlynx table 205 scope link
default via 192.168.1.1 dev end0 proto dhcp src 192.168.1.100 metric 100
10.5.0.0/16 dev nordlynx proto kernel scope link src 10.5.0.2
172.23.0.0/16 dev br-d97f35d9b9ce proto kernel scope link src 172.23.0.1
192.168.1.0/24 dev end0 proto kernel scope link src 192.168.1.100 metric 100
192.168.1.1 dev end0 proto dhcp scope link src 192.168.1.100 metric 100
local 10.5.0.2 dev nordlynx table local proto kernel scope host src 10.5.0.2
broadcast 10.5.255.255 dev nordlynx table local proto kernel scope link src 10.5.0.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.23.0.1 dev br-d97f35d9b9ce table local proto kernel scope host src 172.23.0.1
broadcast 172.23.255.255 dev br-d97f35d9b9ce table local proto kernel scope link src 172.23.0.1
local 192.168.1.100 dev end0 table local proto kernel scope host src 192.168.1.100
broadcast 192.168.1.255 dev end0 table local proto kernel scope link src 192.168.1.100
```

And here are the iptables rules that I have in the mangle table for ports 22 and 222:

```
Chain PREROUTING (policy ACCEPT)
ACCEPT     udp  --  anywhere             anywhere             udp dpt:222 /* nordvpn */
ACCEPT     udp  --  anywhere             anywhere             udp spt:222 /* nordvpn */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:22 /* nordvpn */
ACCEPT     udp  --  anywhere             anywhere             udp spt:22 /* nordvpn */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:222 /* nordvpn */
ACCEPT     udp  --  anywhere             anywhere             udp spt:222 /* nordvpn */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:22 /* nordvpn */
ACCEPT     udp  --  anywhere             anywhere             udp spt:22 /* nordvpn */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:222 /* nordvpn */
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:222 /* nordvpn */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:222 /* nordvpn */
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:222 /* nordvpn */

Chain OUTPUT (policy ACCEPT)
MARK       udp  --  anywhere             anywhere             udp spt:222 /* nordvpn_allowlist */ MARK set 0xe1f1
MARK       udp  --  anywhere             anywhere             udp spt:22 /* nordvpn_allowlist */ MARK set 0xe1f1
MARK       tcp  --  anywhere             anywhere             tcp spt:222 /* nordvpn_allowlist */ MARK set 0xe1f1
```

And here are the policy rules I have:

```
0:      from all lookup local
32761:  from all to 172.23.0.0/16 lookup main
32762:  from all to 172.17.0.0/16 lookup main
32763:  from all to 192.0.0.0/8 lookup main
32764:  from all lookup main suppress_prefixlength 0 suppress_ifgroup 57841
32765:  not from all fwmark 0xe1f1 lookup 205
32766:  from all lookup main
32767:  from all lookup default
```

Can you help me find out what I am missing?
Thanks!
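As an added example (not part of the original post or of NordVPN's tooling), the Python script below models the Linux policy-routing (RPDB) lookup described by the `ip rule` and `ip route` output above, and runs it for two reply packets to the remote client: one generated by the host itself and carrying the 0xe1f1 mark, and one produced inside a container and forwarded by the host. The container address 172.23.0.2 and the remote address 203.0.113.10 (standing in for the post's x.x.x.x) are assumptions. The mechanism it illustrates is that the mangle OUTPUT chain, which is the only place the post's rules set the mark, is traversed only by locally generated packets; a forwarded reply goes PREROUTING, FORWARD, POSTROUTING, so it reaches the routing decision unmarked, rule 32764 discards the main table's default route (suppress_prefixlength 0), and rule 32765 sends it to table 205 and out nordlynx. Conntrack reverses Docker's DNAT on the reply in POSTROUTING, after routing, which is why the capture on nordlynx already shows 192.168.1.100.222 as the source.

```python
"""Model of the Linux policy routing database (RPDB) lookup, built from the
`ip rule` and `ip route` output in the post above.  Example code only; the
container address 172.23.0.2 and the remote address 203.0.113.10 are assumed."""
from ipaddress import ip_address, ip_network

MARK = 0xE1F1  # the fwmark the allowlist rules set in mangle OUTPUT

# Routes transcribed from the post (table -> [(prefix, egress device)]).
# Only entries a packet to the Internet or the LAN can hit are kept.
ROUTES = {
    "main": [
        ("0.0.0.0/0", "end0"),            # default via 192.168.1.1 dev end0
        ("10.5.0.0/16", "nordlynx"),
        ("172.23.0.0/16", "br-d97f35d9b9ce"),
        ("192.168.1.0/24", "end0"),
    ],
    205: [("0.0.0.0/0", "nordlynx")],     # default dev nordlynx table 205
}

# Rules transcribed from the post, in priority order.  Rule 0 (table local)
# is omitted because none of the destinations below are local addresses;
# suppress_ifgroup is omitted because the device groups are not in the post.
RULES = [
    {"prio": 32761, "to": "172.23.0.0/16", "table": "main"},
    {"prio": 32762, "to": "172.17.0.0/16", "table": "main"},
    {"prio": 32763, "to": "192.0.0.0/8", "table": "main"},
    {"prio": 32764, "table": "main", "suppress_prefixlength": 0},
    {"prio": 32765, "fwmark": MARK, "negate": True, "table": 205},
    {"prio": 32766, "table": "main"},
]


def lookup_table(table, dst):
    """Longest-prefix match in one table -> (prefixlen, device) or None."""
    best = None
    for prefix, dev in ROUTES[table]:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best


def route(dst, fwmark=0):
    """Walk the RPDB as the kernel does: the first rule whose selector matches
    and whose table returns a non-suppressed route decides the egress device.
    Returns (rule priority, device)."""
    dst = ip_address(dst)
    for r in RULES:
        if "to" in r and dst not in ip_network(r["to"]):
            continue
        if "fwmark" in r and (fwmark == r["fwmark"]) == r.get("negate", False):
            continue  # "not from all fwmark X" skips marked packets, and vice versa
        hit = lookup_table(r["table"], dst)
        if hit is None:
            continue  # empty result: fall through to the next rule
        if hit[0] <= r.get("suppress_prefixlength", -1):
            continue  # suppress_prefixlength 0 hides the table's default route
        return r["prio"], hit[1]
    raise LookupError(f"no route to {dst}")


def mark_for(sport, locally_generated):
    """Model of the post's 'MARK tcp spt:222' rule in mangle OUTPUT.  OUTPUT is
    only traversed by locally generated packets; a reply forwarded from a
    container goes PREROUTING -> FORWARD -> POSTROUTING and never reaches this
    rule, so it stays unmarked regardless of its source port."""
    return MARK if locally_generated and sport == 222 else 0


def egress_for_reply(sport, locally_generated, dst="203.0.113.10"):
    """Egress device for a TCP reply from source port sport to the remote client."""
    return route(dst, mark_for(sport, locally_generated))[1]


if __name__ == "__main__":
    # If sshd on the host itself answered on tcp/222, the reply is marked: end0.
    print("host reply (192.168.1.100:222, marked)   ->", egress_for_reply(222, True))
    # The same reply produced by the container (172.23.0.2) and forwarded: no mark,
    # so rule 32765 sends it to table 205 and nordlynx, matching the tcpdump.
    print("container reply (172.23.0.2:222, forwarded) ->", egress_for_reply(222, False))
```

On the real host the same two lookups can be asked of the kernel directly with `ip route get 203.0.113.10 from 172.23.0.2 iif br-d97f35d9b9ce` (the forwarded container reply) and `ip route get 203.0.113.10 from 192.168.1.100 mark 0xe1f1` (a marked local reply); the `mark` and `from ... iif` options are what make `ip route get` evaluate the rules the way the forwarding path does.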
ip rule? Those are what's supposed to consume the packet marks.