Bosse_B
Posts: 980
Joined: Thu Jan 30, 2014 9:53 am

iptables headache after upgrade to Pi2

Mon Feb 23, 2015 12:48 pm

I am still here asking...
Anyway, after the disk expansion issue I have now come to the OpenVPN functionality.
The Pi2B is running a disk image from a Pi1B where the OpenVPN server was already fully set up and working.
After starting up the Pi2B it naturally received a different IP address from DHCP than the original Pi1B had. So a number of config files have had to be modified accordingly.
But iptables is getting on my back!
There seems to be no configuration file at all where the iptables settings are all listed so they can be edited in a sensible way.
There is one particular item that bugs me and it can be shown as follows (command from an OpenVPN tutorial):

pi@raspbian-pi2 ~ $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.0.142
SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.0.142
Previous to rebooting after the disk expansion the result was that there were three lines, two of which showed the old IP address ending in 146.
Now after a reboot I have two identical lines, which presumably will screw it all up in the end.... (x.x.x.142 is the new valid IP.)
So how do I clear one of these entries?
It was created by the following command:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.146
while setting up OpenVPN on the old Pi1B.

Is there a way to:
1) List all of the iptables entries?
2) Clear specific entries from iptables? I assume that there are more because depending on some argument to iptables one can see other lines output.
Bo Berglund
Sweden

expandables
Posts: 654
Joined: Fri Jun 27, 2014 7:34 pm
Location: Neverland with Michael Jackson

Re: iptables headache after upgrade to Pi2

Mon Feb 23, 2015 2:03 pm

So why not give the pi2 the same ip address as the pi1? Create a static IP address.
Tutorial https://www.modmypi.com/blog/tutorial-h ... ip-address :mrgreen:
By thinking like an engineer you can create a raspberry pi.
Michael Jackson enthusiast.
I got the PI model B, B+ and PI 2 model B.
When will I get the A? I don't know.

ripat
Posts: 191
Joined: Tue Jul 31, 2012 11:51 am
Location: Belgium

Re: iptables headache after upgrade to Pi2

Mon Feb 23, 2015 3:32 pm

Bosse_B wrote: Is there a way to:
1) List all of the iptables entries?
2) Clear specific entries from iptables? I assume that there are more because depending on some argument to iptables one can see other lines output.

iptables -nL --line-numbers
That will output something like this (extract):

Chain WAN_IN (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* WAN_IN-10 */ state RELATED,ESTABLISHED
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* WAN_IN-20 */ state INVALID
3    LOG        all  --  0.0.0.0/0            0.0.0.0/0            /* WAN_IN-21 */ match-set ipban src LOG flags 0 level 4 prefix "[WAN_IN-21-D]"
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* WAN_IN-21 */ match-set ipban src
5    RETURN     tcp  --  0.0.0.0/0            192.168.0.153        /* WAN_IN-30 */ match-set guests src tcp dpt:22
6    RETURN     tcp  --  0.0.0.0/0            192.168.0.154        /* WAN_IN-31 */ tcp dpt:80
7    RETURN     tcp  --  0.0.0.0/0            192.168.0.154        /* WAN_IN-32 */ match-set guests src tcp dpt:22
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            /* WAN_IN-10000 default-action reject */ reject-with icmp-port-unreachable

Chain WAN_LOCAL (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* WAN_LOCAL-10 */ state RELATED,ESTABLISHED
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* WAN_LOCAL-20 */ state INVALID
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* WAN_LOCAL-21 */ match-set ipban src
4    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            /* WAN_LOCAL-30 */ match-set guests src tcp dpt:2211
5    DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* WAN_LOCAL-10000 default-action drop */
If you want to delete a specific rule in one particular chain:

iptables -D WAN_LOCAL 3
Using Linux command line usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Bosse_B
Posts: 980
Joined: Thu Jan 30, 2014 9:53 am

Re: iptables headache after upgrade to Pi2

Mon Feb 23, 2015 3:46 pm

Strangely it does not work for me. I had found a similar suggestion before and tried it to no avail.
This is what I got now:

pi@raspbian-pi2 /var/log $ sudo iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
But if I instead use this command I get some output:

pi@raspbian-pi2 /var/log $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.0.142
SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.0.142
So there is something in iptables that is not listed in a regular command but when using this it is shown...
And without a listed command with number one cannot delete it specifically.
I have found out in another forum that a complete purge of it all can be made using this:

iptables -F          # flush all chains in the filter table
iptables -t nat -F   # flush all chains in the nat table
iptables -t mangle -F  # flush all chains in the mangle table
iptables -X          # delete all user-defined chains
But I would like to know first what I will delete....
Bo Berglund
Sweden

Bosse_B
Posts: 980
Joined: Thu Jan 30, 2014 9:53 am

Re: iptables headache after upgrade to Pi2

Mon Feb 23, 2015 4:01 pm

expandables wrote: So why not give the pi2 the same ip address as the pi1? Create a static IP address.
Tutorial https://www.modmypi.com/blog/tutorial-h ... ip-address :mrgreen:
Well,
I want to have both Pi units on the network at the same time and they are handled using DHCP reservations in the router. So I simply reserved the new IP for the Pi2B in the router once it had started up and gotten an IP address. Did not think that this would become the issue I think it is....

OTOH it seems like OpenVPN does work with the current setting (where iptables lists the same rule twice).
I can connect remotely via OpenVPN just fine. Except that I get a strange error message in the openvpn.log file:

Mon Feb 23 14:34:37 2015 us=760084 XXXXXXX/95.199.140.255:44836 MULTI: bad source address from client [100.72.236.255], packet dropped
Mon Feb 23 16:53:04 2015 us=235248 XXXXXXX/90.236.248.208:56458 MULTI: bad source address from client [192.168.1.212], packet dropped
Mon Feb 23 16:53:42 2015 us=899526 XXXXXXX/95.195.143.150:56056 MULTI: bad source address from client [10.209.79.150], packet dropped
These are different successful connections from my Samsung Galaxy S4 phone using various network connections. The phone was just on the 4G network for the 1st and last examples and on a different (from the Pi2B) WiFi network for the middle example.
Seems not to cause harm, but nevertheless rather strange. Probably also happened on the Pi1B installation even though I have not looked for it...
Bo Berglund
Sweden

ripat
Posts: 191
Joined: Tue Jul 31, 2012 11:51 am
Location: Belgium

Re: iptables headache after upgrade to Pi2

Mon Feb 23, 2015 4:05 pm

In that case, try iptables-save, which will dump all chains from all tables.

$ sudo iptables-save
Output

# Generated by iptables-save v1.4.14 on Mon Feb 23 17:03:57 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.146
COMMIT
# Completed on Mon Feb 23 17:03:57 2015
# Generated by iptables-save v1.4.14 on Mon Feb 23 17:03:57 2015
*filter
:INPUT ACCEPT [663:83916]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [576:62078]
COMMIT
To delete the POSTROUTING rule in the table nat:

sudo iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.146
Using Linux command line usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Bosse_B
Posts: 980
Joined: Thu Jan 30, 2014 9:53 am

Re: iptables headache after upgrade to Pi2

Mon Feb 23, 2015 4:21 pm

PERFECT!
By doing iptables-save I could then edit the saved file and remove the extra line (yes there was a rule duplication there) and then restore from the edited file!
Now I see only one output when I list using:
sudo iptables -t nat -L

This is definitely going into my personal Linux How-To! :D
Thanks so much!!!
Bo Berglund
Sweden
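The fix Bo describes (dump with iptables-save, remove the duplicated POSTROUTING rule, restore) can be done without a hand edit. This is an added example, not code from the thread: it feeds a constructed iptables-save dump through awk, reports which rule lines repeat within a table, and emits a deduplicated dump suitable for iptables-restore. It assumes the default iptables-save format (no -c counters in front of the -A lines).

```shell
#!/bin/sh
# Constructed sample dump: the nat table with the SNAT rule listed twice,
# plus a filter table so the per-table handling is visible.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.142
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.142
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -j ACCEPT
COMMIT'

# Print "table: rule" for every -A line that repeats an earlier line of the same table.
# The seen[] set is reset at each "*table" header, so identical rules in different
# tables are not reported (they are separate rules, not duplicates).
list_duplicates() {
    awk '
        /^\*/ { table = substr($0, 2); split("", seen) }
        /^-A / && seen[$0]++ { print table ": " $0 }
    '
}

# Copy the dump, dropping exact-duplicate -A lines within each table.
# Headers, policies, COMMIT and comments pass through untouched, so the
# result is still a valid iptables-restore input.
dedupe_rules() {
    awk '
        /^\*/ { split("", seen) }
        /^-A / { if (seen[$0]++) next }
        { print }
    '
}

# Number of -A rule lines in a dump (useful before/after comparison).
count_rules() { grep -c '^-A '; }

# Demo on the constructed sample. On a real system the pipeline would be:
#   sudo iptables-save | list_duplicates          # review what would go
#   sudo iptables-save | dedupe_rules > rules.txt # inspect rules.txt
#   sudo iptables-restore < rules.txt
printf '%s\n' "$SAMPLE_RULES" | list_duplicates
```

Review the deduplicated file before restoring it; iptables-restore replaces the whole ruleset, so anything missing from the file is gone after the restore.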
