Linux iptables and ZeroTier

Lalle75 · September 21, 2020, 5:44pm

Hi.
I’m new to VPN and was glad that ZeroTier was very easy to install and use. I connected several Windows PCs without any problem. But when I tried to connect to my Raspberry, every connection is rejected.

I found out, that the firewall (iptables) blocks the connection to the VPN. “zerotier-cli info” shows me OFFLINE, as soon as I start the iptables rules. I attached rules at the beginning of the chain to accept every incoming and outgoing connection from the IP range of the VPN(10.147.x.0). And I accept every connection from the virtual ZT interface.

But in the end every attempt to connect runs though the chain and is rejected. I read several HowTos, but they are all regarding the forwarding of communication and using the Raspberry as a kind of gateway.

But I just want to establish a connection to the Raspberry like to a normal computer. Any ideas?

Best regards,
Stefan

zt-travis · September 21, 2020, 6:54pm

Welcome. Post your rules if you like: iptables-save

You basically need all outgoing udp ports allowed, and 9993 udp in.

For the outgoing, you might be able to get the “owner” module of iptables to work. The installer creates a zerotier-one user on the system in most cases.

iptables -A OUTPUT -m owner --uid-owner 998 -j ACCEPT

Make sure your zerotier interfaces are allowed to talk too:

iptables -A INPUT -o zt+ -j ACCEPT

iptables -A OUTPUT -o zt+ -j ACCEPT

hope that helps

zt-travis · September 23, 2020, 2:49pm

5 posts were split to a new topic: Device stuck OFFLINE / TUNNELED

mike.adams · September 22, 2020, 1:12am

Alternative suggestion… https://www.raspberrypi.org/documentation/configuration/security.md gives some guidance on using ufw as a firewall. Maybe use that & allow port 9993 ?

Lalle75 · September 23, 2020, 7:01am

I reconstructed my iptables completely new and from the beginning.

My last config was enabling all IP addresses individually (e.g 192.168.0.55/32), also the VPN IPs. Now I opened the complete range (192.168.0.0/24 and 10.147.x.0/24).

There were some rules at the beginning I didn’t understand (:INPUT - [0:0]). I used a configuration app some years ago, and I think, there were some errors. I don’t know the meaning of the minus after INPUT.

Now I have default policies DROP and added chains for acceptance of x.x.x.0/24, the port 9993 and the virtual interface.

This works.Thanks to all.