
CaptainXLAB

Member, 2 posts
CaptainXLAB's Achievements

  1. Ubuntu 22.04 Cloud VM, using iptables-persistent. The saved rules file is located in /etc/iptables/rules.v4. All changes are made by editing the rules.v4 file and restoring it with this command:

         sudo /sbin/iptables-restore < /etc/iptables/rules.v4

     Network information (VNICs, subnets, etc.), summary: I have 3 VNICs, along with 2 OpenVPN servers, 2 WireGuard servers, 1 Tailscale client and 2 ZeroTier One subnets.

     Here are the iptables rules that I think might be important to the problem. The specific problem I have only happens with all WireGuard servers, with a "limited" user. I have a limited user, named "limited", which should:

       • have full access to / be fully accessible from any of the VPN subnets;
       • have no internet access, for security.

     All users besides the limited user can access everything normally.

     To the best of my knowledge, iptables works with "first matching rule wins". I created my rules based on that logic so far. Also to the best of my knowledge, the matching logic below does not work when used with INPUT:

         -m owner --uid-owner username_or_uid

     To limit the "limited" user, here are the rules I created, with the logic. First, allow the limited user on all VPN subnets:

         -A OUTPUT -o wg0 -m owner --uid-owner limited -j ACCEPT
         -A OUTPUT -o wg2 -m owner --uid-owner limited -j ACCEPT
         -A OUTPUT -o zt0 -m owner --uid-owner limited -j ACCEPT
         -A OUTPUT -o zt1 -m owner --uid-owner limited -j ACCEPT
         -A OUTPUT -o tailscale0 -m owner --uid-owner limited -j ACCEPT
         -A OUTPUT -o tun0 -m owner --uid-owner limited -j ACCEPT
         -A OUTPUT -o tun2 -m owner --uid-owner limited -j ACCEPT

     Then, drop all output to either of the VNICs:

         -A OUTPUT -o enp0s3 -m owner --uid-owner limited -j DROP
         -A OUTPUT -o enp1s0 -m owner --uid-owner limited -j DROP
         -A OUTPUT -o enp2s0 -m owner --uid-owner limited -j DROP

     User "limited" is able to ping any device connected through Tailscale, ZeroTier One and OpenVPN.

     I can use this command below to "watch" how many packets matched the rules:

         sudo watch -n1 -d "(iptables -tfilter -vnxL;iptables -tnat -vnxL;iptables -tmangle -vnxL;iptables -traw -vnxL;iptables -tsecurity -vnxL) | grep -vE 'pkts|Chain' | sort -nk1,1hr | column -t"

     User "limited" is NOT able to ping any device connected through either of the WireGuard servers. Two rules get triggered at the same time when I try to ping any device on a WireGuard subnet. Here are other rules I tried to use which would do the same thing, that DID NOT WORK.

     The final attempt I made to try and make this work has a very interesting result, which confirms that two rules are matching at the same time. If I add a rule that accepts all packets from the internal IPv4 address of enp0s3 (default VNIC):

         -A OUTPUT -m owner --uid-owner limited -s 10.0.0.175 -j ACCEPT

     everything works and nothing is blocked for the "limited" user. (The IPv4 address 10.0.0.195 is the internal IPv4 of the VM for interface enp0s3.) This indicates that iptables knows that packets coming to the "limited" user from either the wg0 or wg2 interface are actually from an external source that is not in the 192.168.x.x range and matches the enp0s3 or enp2s0 output interfaces.

       1. How are two rules getting matched at the same time, and why is the DROP rule winning?
       2. How does iptables know that packets coming to WireGuard are from an external source?
       3. Why does this happen only with WireGuard and not with any other VPNs I have set up?
       4. Is there any other way I could block all internet access from the "limited" user and still be able to connect to devices on VPN subnets?

     I could not find answers to this problem anywhere and I have no idea why this is happening. Any help, suggestions and explanations would be nice. Thanks in advance!
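An added diagnostic (not from the post): a small Python parser for the raw `iptables -vnxL` counter output that the watch command above is built on, reporting which OUTPUT rules fired and on which out-interface. The sample output is constructed; uid 1001 stands in for the "limited" user, and the interface and rule names follow the post.

```python
import re
from dataclasses import dataclass

# Constructed sample of `iptables -t filter -vnxL OUTPUT` (-x gives exact counts).
SAMPLE = """\
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12      1008 ACCEPT     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0            owner UID match 1001
       0         0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            owner UID match 1001
      12      1776 DROP       all  --  *      enp0s3  0.0.0.0/0            0.0.0.0/0            owner UID match 1001
       0         0 DROP       all  --  *      enp1s0  0.0.0.0/0            0.0.0.0/0            owner UID match 1001
"""

# pkts bytes target prot opt in out source destination [match text]
LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)

@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    iface_in: str
    iface_out: str
    match: str

def parse_counters(text):
    """Parse -vnxL output into Rule records, in chain order (first match wins per traversal)."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]       # "Chain OUTPUT (policy ...)" -> OUTPUT
            continue
        m = LINE.match(line)              # header row has no leading digits, so it is skipped
        if m:
            rules.append(Rule(chain, int(m.group(1)), m.group(3),
                              m.group(6), m.group(7), m.group(10).strip()))
    return rules

def fired(rules):
    """Rules whose packet counter is non-zero."""
    return [r for r in rules if r.pkts > 0]

def verdicts_by_interface(rules):
    """Out-interface -> verdict for fired rules. Two different out-interfaces incrementing
    from one ping means the OUTPUT chain was traversed twice, e.g. once for the inner
    packet (wg0) and once for the encapsulated packet leaving the physical NIC."""
    return {r.iface_out: r.target for r in fired(rules)}

if __name__ == "__main__":
    for r in fired(parse_counters(SAMPLE)):
        print(f"{r.chain}: {r.pkts} pkts out {r.iface_out} -> {r.target} ({r.match})")
```

Reset the counters with `iptables -Z OUTPUT` before a single ping so that only that ping's traversals show up; the counters tell you which rules matched, not why the second traversal carried the same owner.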
  2. I have an interesting theory about voltages in CPU overclocking (at least I think so?).

     Note: I have XMP 3200 MHz enabled for G.Skill Trident Z 16 GB (2x 8 GB) DDR4, which seems to cause a significant increase in CPU temperatures.

     I was trying to overclock my i7 7700k with an ASUS Strix Z270F. I managed to reach 5 GHz, but only for not-heavy loads, as my CPU isn't delidded and reaches extreme temps easily at such frequencies (had many crashes along the way too). I kept trying to find a stable overclock, like from the default turbo of 4.5 GHz to around 4.6, 4.7 or 4.8 GHz. When I tried those frequencies above 4.5 GHz, I had to use adaptive voltage (of course, keeping a high manual voltage isn't good).

     The adaptive or offset modes stay normal when the frequency is 4.5 GHz. As soon as I make it 4.7 GHz, the voltage required to stay fully stable bumps up from 1.2v to around 1.33v (I confirmed that for my CPU using fixed manual voltage and overnight stress tests). BUT, when in Windows, using ThrottleStop, if the maximum frequency is 4.7 GHz and I manually force the CPU frequency down to 4.5 GHz, the voltage STILL stays too high for 4.5 GHz. The adaptive voltage curve increases linearly for all turbo frequencies when I increase the voltage FOR the highest frequency (correct me if I'm wrong). Right now, if I set my CPU to 5 GHz and adaptive 1.4v, it'll still reach 95C at a forced manual 4.5 GHz, because it's keeping a much higher voltage than the CPU requires to stay stable at 4.5 GHz, which is set according to the adaptive voltage curve for all turbo core ratio multipliers when the maximum voltage value is increased. Can't there be voltage tables or something (like in GPUs)?

     Like, for example, *I KNOW* that MY CPU stays perfectly stable at these frequencies and respective voltages and temperatures (just examples):

         4.5 GHz   1.215v   74C max
         4.6 GHz   1.280v   78C max
         4.7 GHz   1.330v   82C max
         4.8 GHz   1.355v   85C max
         4.9 GHz   1.380v   89C max
         5.0 GHz   1.395v   95C max

     I want to be able to set these frequency-voltage values in a voltage table for better temperatures and voltages when I overclock. So, if we could define voltages for every CPU frequency (for every +50 MHz or +100 MHz from the default turbo clock), and an automatic increasing curve for all frequencies between the default MHz and +50 or +100 MHz, and similarly for each next +50 or +100 MHz. Currently, if my clocks are set too high, the temperatures and voltages both increase a LOT at lower frequencies too, causing constant high temperatures whenever my CPU is in turbo mode (with a voltage table, the primary advantage would be that this won't happen). And I won't have to restart and reconfigure stuff in the BIOS each time I want to switch between higher clock speeds and high temps, or normal clock speeds and low temps; I'll simply have manually pre-set values in a voltage table for every +50 or +100 MHz on the adaptive CPU voltage, and click ThrottleStop to increase the CPU frequency as I want.

     This would also allow us to find the lowest voltages our CPUs can work with at every next significant frequency jump during overclocking, which would also be specific to each of our CPUs, and would give constant best temperatures if the CPU isn't under full load at the maximum frequency. And say I have achieved a perfectly stable 4.8 GHz overclock on my CPU. I want to go further, and for that all I'd have to do is find the voltage at which the CPU is stable for 4.9 GHz and set it in the table.

     If I get 85C on 4.8 GHz heavy CPU loads, and similarly 90C for 4.9 GHz, I can easily go back to 4.8 GHz when something too heavy is going on, which I know can cause my CPU to overheat, and increase the frequency again when I have not-as-heavy loads. Currently, trying this won't help at all, because adaptive voltage sets too high a voltage for all previous frequencies too.

     I'm just an enthusiast and I have no idea if this idea can actually be implemented or not. It's just a theory that struck my mind. What do you all think? Would this allow much more flexibility when overclocking?