
Setup

Raspberry Pi connected to router using ethernet on subnet 192.168.0.0/24

Raspberry Pi access point on subnet 192.168.43.0/24

I am using the nordvpn application and when I connect to the vpn it applies a filter on my network:

Problem

After this filter is applied I cannot connect to my access point. It fails to obtain an IP. I tried to whitelist ports 68 and 69 but that didn't work. What exactly is causing this in the filter?

I also tried

sudo iptables -A INPUT -s 192.168.43.0/24 -j ACCEPT

Filter:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i lo -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i wlan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o tun0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o tun0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -o lo -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o wlan0 -j ACCEPT
-A OUTPUT -d 192.168.43.0/24 -o wlan0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o tun0 -j ACCEPT
-A OUTPUT -d 10.8.0.0/24 -o tun0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o wlan0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT

Tshark output when unable to connect:

Capturing on 'wlan0'
1 0.000000000 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
2 6.347075913 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 113 Key (Message 1 of 4)
3 6.405992489 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 135 Key (Message 2 of 4)
4 6.407274309 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 169 Key (Message 3 of 4)
5 6.419174541 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 113 Key (Message 4 of 4)
6 6.664258217           :: → ff02::1:ffd6:ea23 ICMPv6 78 Neighbor Solicitation for fe80::8109:8fd:40d6:ea23
7 6.664945194           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
8 6.829452451      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
9 7.477149785           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
10 7.550230284 fe80::8109:8fd:40d6:ea23 → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
11 7.550522158 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
12 7.600963546 fe80::8109:8fd:40d6:ea23 → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
13 7.828222369      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
14 10.038442823      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
15 10.834140206      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
16 11.647401711 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 188 Standard query 0x0004 PTR _%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local, "QM" question PTR _674A0243._sub._googlecast._tcp.local, "QM" question PTR _8E6C866D._sub._googlecast._tcp.local, "QM" question PTR _googlecast._tcp.local, "QM" question
17 11.678040125 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
18 11.925494678      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
19 13.987335051      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
20 18.262242160      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
21 20.190157358 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
22 26.466357444      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
23 31.555321065 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 188 Standard query 0x0005 PTR _%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local, "QM" question PTR _674A0243._sub._googlecast._tcp.local, "QM" question PTR _8E6C866D._sub._googlecast._tcp.local, "QM" question PTR _googlecast._tcp.local, "QM" question
24 37.119574254 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25

When I allow all traffic using sudo iptables -P INPUT ACCEPT, I can connect, with this output:

Capturing on 'wlan0'
1 0.000000000 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 113 Key (Message 1 of 4)
2 0.482149729 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 135 Key (Message 2 of 4)
3 0.483485507 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 169 Key (Message 3 of 4)
4 0.497073903 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 113 Key (Message 4 of 4)
5 0.571571905           :: → ff02::1:ffd6:ea23 ICMPv6 78 Neighbor Solicitation for fe80::8109:8fd:40d6:ea23
6 0.572910963           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
7 0.720530878      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0x1352b3f1
8 0.721546604 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP Offer    - Transaction ID 0x1352b3f1
9 0.733148079      0.0.0.0 → 255.255.255.255 DHCP 350 DHCP Request  - Transaction ID 0x1352b3f1
10 0.812064714 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP ACK      - Transaction ID 0x1352b3f1
11 0.843515868 192.168.43.206 → 224.0.0.251  MDNS 82 Standard query 0x0000 PTR _googlecast._tcp.local, "QU" question
12 0.843790867 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 102 Standard query 0x0000 PTR _googlecast._tcp.local, "QU" question
13 0.846673931           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
14 0.846747733 192.168.43.206 → 224.0.0.251  IGMPv2 46 Membership Report group 224.0.0.251
15 1.124610012 SamsungE_6f:a4:25 → Broadcast    ARP 42 Who has 192.168.43.1? Tell 192.168.43.206
16 1.124698866 Raspberr_55:bd:9f → SamsungE_6f:a4:25 ARP 42 192.168.43.1 is at b8:27:eb:55:bd:9f
17 1.229109485 192.168.43.206 → 192.168.43.1 DNS 89 Standard query 0xbaa1 A connectivitycheck.gstatic.com
18 1.235744361           :: → ff02::16     ICMPv6 90 Multicast Listener Report Message v2
19 1.236032745 192.168.43.206 → 192.168.43.1 DNS 76 Standard query 0xf06b A mtalk.google.com
20 1.244731521 192.168.43.206 → 192.168.43.1 DNS 82 Standard query 0xc1c5 A mqtt-mini.facebook.com
21 1.257354868 192.168.43.206 → 31.13.79.32  TCP 74 51440 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=140302950 TSecr=0 WS=128
22 1.298846721 192.168.43.1 → 192.168.43.206 DNS 547 Standard query response 0xbaa1 A connectivitycheck.gstatic.com A 74.125.130.94 NS c.gtld-servers.net NS d.gtld-servers.net NS a.gtld-servers.net NS k.gtld-servers.net NS j.gtld-servers.net NS b.gtld-servers.net NS h.gtld-servers.net NS g.gtld-servers.net NS m.gtld-servers.net NS l.gtld-servers.net NS i.gtld-servers.net NS f.gtld-servers.net NS e.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30 A 192.12.94.30
23 1.304225715 192.168.43.1 → 192.168.43.206 DNS 545 Standard query response 0xf06b A mtalk.google.com CNAME mobile-gtalk.l.google.com A 74.125.24.188 NS b.gtld-servers.net NS m.gtld-servers.net NS g.gtld-servers.net NS k.gtld-servers.net NS f.gtld-servers.net NS e.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS a.gtld-servers.net NS c.gtld-servers.net NS l.gtld-servers.net NS h.gtld-servers.net NS d.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30
24 1.318067391 192.168.43.1 → 192.168.43.206 DNS 551 Standard query response 0xc1c5 A mqtt-mini.facebook.com CNAME mqtt-mini.c10r.facebook.com A 157.240.13.32 NS b.gtld-servers.net NS l.gtld-servers.net NS j.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS i.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS a.gtld-servers.net NS m.gtld-servers.net NS h.gtld-servers.net NS k.gtld-servers.net NS c.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30
25 1.325372213  31.13.79.32 → 192.168.43.206 TCP 74 443 → 51440 [SYN, ACK] Seq=0 Ack=1 Win=27360 Len=0 MSS=1380 SACK_PERM=1 TSval=2348760415 TSecr=140302950 WS=128
26 1.415381418 192.168.43.206 → 224.0.0.251  MDNS 119 Standard query 0x0001 PTR _674A0243._sub._googlecast._tcp.local, "QU" question PTR _8E6C866D._sub._googlecast._tcp.local, "QU" question PTR _googlecast._tcp.local, "QU" question
27 1.415628604 192.168.43.206 → 224.0.0.251  MDNS 119 Standard query 0x0001 PTR _674A0243._sub._googlecast._tcp.local, "QU" question PTR _8E6C866D._sub._googlecast._tcp.local, "QU" question PTR _googlecast._tcp.local, "QU" question
28 1.419159739 192.168.43.206 → 31.13.79.32  TCP 66 51440 → 443 [ACK] Seq=1 Ack=1 Win=87680 Len=0 TSval=140302990 TSecr=2348760415
29 1.424759566 192.168.43.206 → 224.0.0.251  MDNS 125 Standard query 0x0000 ANY Android-2.local, "QU" question ANY Android-2.local, "QU" question A 192.168.43.206 AAAA fe80::8109:8fd:40d6:ea23
30 1.429030595 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 145 Standard query 0x0000 ANY Android-2.local, "QU" question ANY Android-2.local, "QU" question A 192.168.43.206 AAAA fe80::8109:8fd:40d6:ea23
 31 1.429408823 192.168.43.206 → 31.13.79.32  TLSv1 235 Client Hello
32 1.444965025 192.168.43.206 → 192.168.43.1 DNS 74 Standard query 0xa640 A www.google.com
  • Welcome to Server Fault! Please read the [help pages](https://serverfault.com/help), take the [SF tour](https://serverfault.com/tour), read about [how to ask good questions](https://stackoverflow.com/help/how-to-ask), as well as this [question checklist](https://codeblog.jonskeet.uk/2012/11/24/stack-overflow-question-checklist/). [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol) is UDP 67/68, not 68/69 or TCP, which may be your problem. – Ross Jacobs Oct 17 '19 at 18:32
  • Tried adding that. Didn't work – Sap Oct 18 '19 at 04:50
  • Can you provide a link to a packet capture taken on the device? – Ross Jacobs Oct 19 '19 at 04:15
  • Also, if you change the rules to accept all, do you still have the issue? – Ross Jacobs Oct 19 '19 at 08:39
  • Please check the edits. Yes I can connect after using this - sudo iptables -P INPUT ACCEPT. I am using Pi-hole FTL now which uses port 53. I have whitelisted that too. – Sap Oct 20 '19 at 11:10
  • Hi Ross. Can you check the edit? – Sap Oct 29 '19 at 14:43
  • Please get the output of iptables again and replace the current one. Current output still has 68/69 for dhcp which is incorrect. – Ross Jacobs Oct 29 '19 at 16:58
  • okay Please check now – Sap Oct 31 '19 at 18:22

1 Answer


For clarity, let me point out that you are able to connect to your access point. Your issue appears to be that once connected, you can't obtain an IP address from your DHCP server. You can see this in the following portions of the first capture where your device is sending DHCP requests/discovers and there is no reply:

 8 6.829452451      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
13 7.828222369      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
14 10.038442823      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
15 10.834140206      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e

When it is working, you clearly see the replies from the server:

7 0.720530878      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0x1352b3f1
8 0.721546604 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP Offer    - Transaction ID 0x1352b3f1
9 0.733148079      0.0.0.0 → 255.255.255.255 DHCP 350 DHCP Request  - Transaction ID 0x1352b3f1
10 0.812064714 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP ACK      - Transaction ID 0x1352b3f1

If you take note of the source address in the capture, your DHCP client doesn't have a source IP address. Before your client has completed the DHCP process, it doesn't have an IP address, and the RFC specifically states:

DHCP messages broadcast by a client prior to that client obtaining its IP address must have the source address field in the IP header set to 0.

This also includes when an interface comes up initially, even if it has a valid lease. In this case it should send the DHCP request with a source address of all zeroes to check if the server still considers the lease valid (this is to avoid IP conflict).

As such, the following rules are your problem:

 -A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT
 -A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT

Remove them and replace them with the following and you should be set:

 -A INPUT -i wlan0 -p udp -m udp --dport 67:68 -j ACCEPT
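As an added illustration (not part of the original question or answer): a small Python evaluator that walks the wlan0 INPUT rules quoted from the question in order, first match wins, and shows why a DHCP Discover with source 0.0.0.0 falls through to the chain's DROP policy while the answer's replacement rule accepts it. The parser only understands the options used in those lines (-s, -i, -p, --dport, --ctstate); it is a simplified model, not full iptables semantics.

```python
import ipaddress
import re

# Subset of the question's iptables-save INPUT rules for wlan0 (copied from the post).
RULES = """
-A INPUT -s 192.168.43.0/24 -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT
"""
# The answer's replacement rule: no -s match, so a 0.0.0.0 source can hit it.
FIXED_RULE = "-A INPUT -i wlan0 -p udp -m udp --dport 67:68 -j ACCEPT"

def parse_rule(line):
    """Extract the match options this simplified model understands."""
    opts = {"chain": re.search(r"-A (\S+)", line).group(1),
            "target": re.search(r"-j (\S+)", line).group(1)}
    for key, pat in (("src", r"-s (\S+)"), ("iface", r"-i (\S+)"),
                     ("proto", r"-p (\S+)"), ("dport", r"--dport (\S+)"),
                     ("ctstate", r"--ctstate (\S+)")):
        m = re.search(pat, line)
        if m:
            opts[key] = m.group(1)
    return opts

def rule_matches(rule, pkt):
    """True only if every option present in the rule matches the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False          # this is the check 0.0.0.0 fails against 192.168.43.0/24
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule:
        lo, _, hi = rule["dport"].partition(":")
        if not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"].split(","):
        return False
    return True

def verdict(rules_text, pkt, policy="DROP"):
    """Walk the INPUT chain top to bottom; first matching rule decides, else the policy."""
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        if rule["chain"] == "INPUT" and rule_matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed packet modelled on frame 15 of the failing capture:
# 0.0.0.0 -> 255.255.255.255, UDP client port 68 -> server port 67, a NEW flow.
DHCP_DISCOVER = {"src": "0.0.0.0", "iface": "wlan0", "proto": "udp", "dport": 67, "ctstate": "NEW"}

if __name__ == "__main__":
    print(verdict(RULES, DHCP_DISCOVER))               # DROP: -s never matches 0.0.0.0
    print(verdict(RULES + FIXED_RULE, DHCP_DISCOVER))  # ACCEPT: replacement rule matches
```

The same evaluator shows the original 66:68 rule is not dead: a renewal sent from an already-leased address such as 192.168.43.206 would have matched it, which is why only the initial lease fails.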