Routing problem
I used Docker for automatic deployment and disabled the firewall. Clients connect, a tiny amount of traffic (a couple of kilobytes) passes, and that's all: there is no Internet access. IPv6 is enabled, but the external IP is IPv4 only.
I've already tried everything, but I still don't really understand where the problem is.
- Firezone Version: 0.7
- OS and version: CentOS 9 Stream
- Deployment method: Docker
[root@wgd ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             172.25.0.100         udp dpt:51820
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
[root@wgd ~]# sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   93  5593 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
   23  1449 MASQUERADE all  --  *      !br-0130646a7239  172.25.0.0/16        0.0.0.0/0
    0     0 MASQUERADE udp  --  *      *       172.25.0.100         172.25.0.100         udp dpt:51820
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *      0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-0130646a7239 *  0.0.0.0/0            0.0.0.0/0
    5   880 DNAT       udp  --  !br-0130646a7239 *  0.0.0.0/0            0.0.0.0/0            udp dpt:51820 to:172.25.0.100:51820
[root@wgd ~]# cat /etc/docker/daemon.json
{
    "ipv6": true,
    "ip6tables": true,
    "experimental": true,
    "fixed-cidr-v6": "fcff:db8:1::/64"
}
[root@wgd ~]# docker network ls
NETWORK ID     NAME                        DRIVER    SCOPE
7a5b821a39d2   bridge                      bridge    local
0130646a7239   firezone_firezone-network   bridge    local
850efb19cb02   host                        host      local
910f051360f2   none                        null      local
[root@wgd ~]# docker network inspect 013
[
    {
        "Name": "firezone_firezone-network",
        "Id": "0130646a7239bca2b3f15ec2651deb8fb0ee2d2a2003d2892260b0ae0dbaaff9",
        "Created": "2024-11-14T14:43:01.253517337+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": true,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.25.0.0/16",
                    "Gateway": "172.25.0.1"
                },
                {
                    "Subnet": "fcff:3990:3990::/64",
                    "Gateway": "fcff:3990:3990::1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "0d40cf2bbc28653dfb0ad7abdb66cd36603926a4422d571b737ee7cd3d1d8876": {
                "Name": "firezone-postgres-1",
                "EndpointID": "c07761784767f0561f0e137119952781c25b900724d71ed72eb9525501d7e537",
                "MacAddress": "02:42:ac:19:00:02",
                "IPv4Address": "172.25.0.2/16",
                "IPv6Address": "fcff:3990:3990::2/64"
            },
            "6c9c842893902dce8dab98f2450126bcb91656f3cdc0448bd44f2e694bd971c9": {
                "Name": "firezone-firezone-1",
                "EndpointID": "c5aee8174b35cff308fa10ea43f33fb3cdf79b33b31c4f434b9e9b64b1778d57",
                "MacAddress": "02:42:ac:19:00:64",
                "IPv4Address": "172.25.0.100/16",
                "IPv6Address": "fcff:3990:3990::99/64"
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "firezone-network",
            "com.docker.compose.project": "firezone",
            "com.docker.compose.version": "2.29.7"
        }
    }
]
[root@wgd ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.25.0.0/16        anywhere
MASQUERADE  udp  --  172.25.0.100         172.25.0.100         udp dpt:51820
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       udp  --  anywhere             anywhere             udp dpt:51820 to:172.25.0.100:51820
[root@wgd ~]# sudo ss -tuln
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:51820       0.0.0.0:*
udp   UNCONN 0      0      [::1]:323           [::]:*
udp   UNCONN 0      0      *:443               *:*
udp   UNCONN 0      0      [::]:51820          [::]:*
tcp   LISTEN 0      128    0.0.0.0:1337        0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:2019      0.0.0.0:*
tcp   LISTEN 0      128    [::]:1337           [::]:*
tcp   LISTEN 0      4096   *:443               *:*
tcp   LISTEN 0      4096   *:80                *:*
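A host-side check for the rules a containerised WireGuard gateway needs before client traffic can leave for the Internet, added here as an example; it is not part of the post above and not Firezone's own tooling. It works on `iptables -S` output rather than the `-L` output pasted above, because `-L` without `-v` hides the `-i`/`-o` interface matches that decide whether a FORWARD or MASQUERADE rule applies to the Firezone bridge at all. The bridge name `br-0130646a7239`, the subnet `172.25.0.0/16` and port `51820` are taken from the post's own output; the sample rule text is constructed (the post's `-L` listing rewritten in `-S` form with the per-bridge interface matches Docker installs by default) and is an assumption about what `iptables -S` would show on that host. The script checks the host only; it says nothing about forwarding or NAT inside the Firezone container itself.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post, not Firezone's own code).
# Checks the host-side iptables rules a containerised WireGuard gateway needs:
#   1. an explicit FORWARD ACCEPT for the container bridge (policy is DROP),
#   2. a POSTROUTING MASQUERADE for the container subnet,
#   3. the DNAT of the WireGuard UDP port into the container.
# Live use on the host (bridge, subnet and port as shown in the post):
#   audit_vpn_host_rules "$(iptables -S)" "$(iptables -t nat -S)" br-0130646a7239 172.25.0.0/16 51820

# audit_vpn_host_rules FILTER_RULES NAT_RULES BRIDGE SUBNET PORT
# Prints one "ok"/"FAIL" line per check; returns 0 only if every check passes.
audit_vpn_host_rules() {
    filter="$1"; nat="$2"; bridge="$3"; subnet="$4"; port="$5"
    rc=0
    # Escape the dots in the subnet so grep treats them literally.
    esc=$(printf '%s' "$subnet" | sed 's/\./\\./g')

    # 1. With FORWARD policy DROP, packets entering from the bridge and leaving
    #    via another interface need Docker's per-bridge ACCEPT rule.
    if printf '%s\n' "$filter" | grep -q '^-P FORWARD DROP$'; then
        if printf '%s\n' "$filter" | grep -q -- "^-A FORWARD -i $bridge ! -o $bridge -j ACCEPT"; then
            echo "ok   FORWARD accepts $bridge -> other interfaces"
        else
            echo "FAIL FORWARD policy is DROP and no ACCEPT for -i $bridge ! -o $bridge"
            rc=1
        fi
    else
        echo "ok   FORWARD policy is not DROP"
    fi

    # 2. Traffic from the container subnet must be source-NATed when it leaves
    #    through anything other than its own bridge.
    if printf '%s\n' "$nat" | grep -q -- "^-A POSTROUTING -s $esc ! -o $bridge -j MASQUERADE"; then
        echo "ok   POSTROUTING masquerades $subnet leaving $bridge"
    else
        echo "FAIL no MASQUERADE rule for $subnet ! -o $bridge"
        rc=1
    fi

    # 3. Inbound WireGuard handshakes must be DNATed into the container.
    if printf '%s\n' "$nat" | grep -q -- "^-A DOCKER ! -i $bridge -p udp -m udp --dport $port -j DNAT --to-destination "; then
        echo "ok   DOCKER chain DNATs udp/$port into the container"
    else
        echo "FAIL no DNAT for udp/$port in the DOCKER chain"
        rc=1
    fi
    return $rc
}

# kernel_forwarding_enabled: live check only; returns 0 if the host forwards IPv4.
kernel_forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Constructed sample input: the post's "iptables -L" output rewritten in "-S"
# form, with the interface matches Docker installs by default for each bridge.
SAMPLE_FILTER='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-0130646a7239 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-0130646a7239 -j DOCKER
-A FORWARD -i br-0130646a7239 ! -o br-0130646a7239 -j ACCEPT
-A FORWARD -i br-0130646a7239 -o br-0130646a7239 -j ACCEPT'
SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.25.0.0/16 ! -o br-0130646a7239 -j MASQUERADE
-A POSTROUTING -s 172.25.0.100/32 -d 172.25.0.100/32 -p udp -m udp --dport 51820 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-0130646a7239 -j RETURN
-A DOCKER ! -i br-0130646a7239 -p udp -m udp --dport 51820 -j DNAT --to-destination 172.25.0.100:51820'
# Same NAT rules with the Firezone network's MASQUERADE removed, to show a failing case.
SAMPLE_NAT_NO_MASQ=$(printf '%s\n' "$SAMPLE_NAT" | grep -v '^-A POSTROUTING -s 172.25.0.0/16 ')

audit_vpn_host_rules "$SAMPLE_FILTER" "$SAMPLE_NAT" br-0130646a7239 172.25.0.0/16 51820
audit_vpn_host_rules "$SAMPLE_FILTER" "$SAMPLE_NAT_NO_MASQ" br-0130646a7239 172.25.0.0/16 51820 \
    || echo "(expected: MASQUERADE check fails)"
kernel_forwarding_enabled && echo "ok   net.ipv4.ip_forward=1" || echo "note ip_forward not 1 or not readable here"
```

On the rules pasted in the post the three host-side checks pass, which is why the script is only a first filter: if it reports all `ok` and `ip_forward=1`, the host is doing what Docker's default bridge setup promises, and the next place to look is inside the container (the WireGuard interface, forwarding and NAT there), not the host tables.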