
iptables forwarding suddenly stopped working?

Hey,

I have a webserver on a home connection.
For public access, I use a VPS with a public IPv4 address that is connected via a WireGuard VPN.


The WireGuard network is 192.168.99.0/24, the VPS is 192.168.99.1 and the webserver 192.168.99.4.

On the VPS, there are the following iptables rules, which forward all HTTPS traffic to the webserver.

iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.99.4:443
iptables -t nat -A POSTROUTING -p tcp -d 192.168.99.4 --dport 443 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wg0 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT


This worked fine during the last months. But for a few days now, I have no longer been able to connect to the HTTPS website; the connection times out. I have not changed anything on the system and also tried restoring backups with older versions. I also tried using a different VPS.

The weird thing is that I am still able to access the website using some specific servers from Mullvad VPN. But other home connections can't access the website.

When trying check-host.net, all servers report a timeout, except the Hong Kong one, which can access the website without any issues (also confirmed by the access log).

I have not defined any blacklist for any IP ranges.


Normal HTTP connections (same rules) work fine from anywhere.

Also, when investigating using tcpdump and Wireshark, I notice that all connections which time out do arrive at the webserver.
But they don't appear in any access/error log. And Wireshark shows lots of TCP retransmissions.


Does anyone have suggestions on how I could find the issue? I am really clueless right now...

Why are some IP ranges still able to access the website, while others aren't? And why did the issues come out of nowhere?
Could this be related to countermeasures against the current HTTP/2 Rapid Reset DDoS attack and the way the TCP connections work?

PS: I don't want to use a reverse proxy webserver on the VPS, since I want the encryption and certificates to stay on my trusted home server.

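Added example (editor's note, not the poster's configuration or a diagnosis of their case): the same DNAT/MASQUERADE forwarding of port 443 over wg0, written as a script with two things the posted snippet does not show. First, a FORWARD rule for ESTABLISHED,RELATED return traffic, which matters if the chain policy is DROP. Second, TCP MSS clamping on SYNs crossing the tunnel: a WireGuard interface defaults to an MTU of 1420, and when the outer path between VPS and home loses a few bytes of MTU, large segments (a TLS certificate chain, for instance) silently vanish while small exchanges still work, and only clients that already advertise a small MSS (typically those behind another VPN) get through. That pattern resembles the symptoms above, but the script does not establish it as the cause. Assumed names: eth0 as the public interface, wg0 as the tunnel, 192.168.99.4:443 as the backend, and an MSS value of 1380 (1420 minus 40 bytes of IP+TCP headers). DRY_RUN=1 prints the commands instead of executing them, so the ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example: port-443 forwarding over a WireGuard tunnel with return-path
# and MSS-clamp rules.  Not the poster's ruleset.  Interface and address
# names below are assumptions; adjust them via the environment variables.
# Run as "sh forward443.sh apply" to install, or with DRY_RUN=1 to print.

IPT="${IPT:-iptables}"
PUB_IF="${PUB_IF:-eth0}"          # assumed public interface of the VPS
WG_IF="${WG_IF:-wg0}"             # assumed WireGuard interface
BACKEND="${BACKEND:-192.168.99.4}"
PORT="${PORT:-443}"
MSS="${MSS:-1380}"                # 1420-byte wg MTU minus 40 bytes IP+TCP

# Run one iptables command, or print it when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_forwarding() {
    # 1. Rewrite the destination of inbound public-port traffic to the
    #    backend behind the tunnel.
    ipt -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$BACKEND:$PORT"

    # 2. Source-NAT the forwarded flow so the backend replies through the
    #    tunnel even though its default route points elsewhere.
    ipt -t nat -A POSTROUTING -o "$WG_IF" -p tcp -d "$BACKEND" --dport "$PORT" \
        -j MASQUERADE

    # 3. Admit the new flow, and (absent from the posted snippet) its return
    #    path.  With a FORWARD DROP policy the second rule is what lets the
    #    backend's SYN-ACK and data go back out to the client.
    ipt -A FORWARD -i "$PUB_IF" -o "$WG_IF" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. Clamp the MSS advertised in every forwarded SYN/SYN-ACK so neither
    #    side sends segments larger than the tunnel can carry.  If the outer
    #    VPS-to-home path has an MTU below 1480 (wg payload 1420 + 60 bytes
    #    of IPv4/UDP/WireGuard overhead), lower both the wg MTU and $MSS.
    ipt -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --set-mss "$MSS"

    # Note: the posted "INPUT --sport 443 -j ACCEPT" rule is not needed for
    # forwarding (DNAT'ed packets traverse FORWARD, not INPUT) and it lets any
    # remote host bypass INPUT filtering simply by sending from source port 443.
}

# Number of rules the function emits; a caller can check this before applying.
count_rules() {
    ( DRY_RUN=1; apply_forwarding ) | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    apply_forwarding
fi
```

Before changing anything, two checks narrow this down quickly. From the VPS, `ping -M do -s 1392 192.168.99.4` sends a 1420-byte, don't-fragment packet through the tunnel, and `ping -M do -s 1452 <home public IP>` sends a 1480-byte one over the outer path, which is what a full WireGuard packet looks like on the wire; if the second fails while smaller sizes pass, the outer path MTU has shrunk and the wg MTU must come down to match. On either host, `tcpdump -ni wg0 'tcp port 443 and tcp[tcpflags] & tcp-syn != 0'` prints the MSS option of each SYN, so the values clients that work advertise can be compared with those that time out.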