[[!meta title="tinc from behind a firewall"]]

## Example: tinc from behind a firewall

When running tinc from behind a firewall (not on the firewall itself), one must
be careful to configure the firewall so that it allows the tinc traffic to pass
through. Example firewall rules are included in this example. They are written
for iptables (Linux 2.4 firewall code), but commented so that you may apply the
same kind of rules to other firewalls.

[[!img examples/fig-firewall.png]]
The network setup is as follows:

* Internal network is 123.234.123.0/24
* Firewall IP is 123.234.123.1
* Host running tinc has IP 123.234.123.42
* VPN the host wants to connect to has address range 192.168.0.0/16
* The host has its own VPN IP 192.168.10.20
Note that the internal network has real Internet addresses, and is therefore
entirely accessible from the outside (except for the restrictions the firewall
places). If the internal network has private addresses, refer to the
masquerading firewall example.

### Configuration of the host running tinc

> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
> inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MTU:1500 Metric:1
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:3856 Metric:1
> vpn Link encap:Point-to-Point Protocol
> inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1

> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
> 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn
> default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0

> host# iptables -L -v
> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
> pkts bytes target prot opt in out source destination
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
> pkts bytes target prot opt in out source destination

> host# iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
### Configuration of tinc

> host# cat /etc/tinc/vpn/tinc.conf

> host# cat /etc/tinc/vpn/tinc-up
> ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0

> host# ls /etc/tinc/vpn/hosts

> host# cat /etc/tinc/vpn/hosts/atwork
> Address = 123.234.123.42
> Subnet = 192.168.10.20/32
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----

> host# cat /etc/tinc/vpn/hosts/home
> Address = 200.201.202.203
> Subnet = 192.168.1.0/24
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----
### Configuration of the firewall

> ppp0 Link encap:Point-to-Point Protocol
> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
> inet addr:123.234.123.1 Bcast:123.234.123.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MTU:1500 Metric:1
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:3856 Metric:1

> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0

> firewall# iptables -L -v
> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
> pkts bytes target prot opt in out source destination
> Chain FORWARD (policy DROP 1234 packets, 123K bytes)
> pkts bytes target prot opt in out source destination
> 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 123.234.123.0/24 tcp flags:!SYN,RST,ACK/SYN
> 1234 123K ACCEPT any -- eth0 ppp0 123.234.123.0/24 anywhere
> 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 123.234.123.42 tcp dpt:655
> 1234 123K ACCEPT udp -- ppp0 eth0 anywhere 123.234.123.42 udp dpt:655
> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
> pkts bytes target prot opt in out source destination

> firewall# iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> firewall# cat /etc/init.d/firewall
> # Let the firewall forward packets between ppp0 and eth0.
> echo 1 >/proc/sys/net/ipv4/ip_forward
> # Drop everything that is not explicitly allowed below.
> iptables -P FORWARD DROP
> iptables -F FORWARD
> # Let replies to connections opened from the internal network back in
> # (TCP packets that are not the initial SYN).
> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.0/24 -p tcp ! --syn
> # Let the internal network send anything out.
> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 123.234.123.0/24
> # Let tinc's meta connections (TCP 655) and VPN data (UDP 655) reach the tinc host only.
> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.42 -p tcp --dport 655
> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.42 -p udp --dport 655
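To see what the FORWARD chain above actually lets through, the following is an added model of those four rules (an illustration written for this page, not part of tinc or of the firewall script). It evaluates constructed sample packets against the rules in order, with the output interface derived from the firewall's routing table, and falls through to the DROP policy when nothing matches. The addresses are the ones from this example; the peer 200.201.202.203 is taken from hosts/home, and the second internal host 123.234.123.17 is made up.

```python
"""Model of the FORWARD chain in this example's /etc/init.d/firewall.

Added illustration for this page, not part of tinc. The rule encoding and the
sample packets are constructed here; addresses come from the example (internal
network 123.234.123.0/24, tinc host 123.234.123.42, tinc port 655).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("123.234.123.0/24")
TINC_HOST = ipaddress.ip_network("123.234.123.42/32")
TINC_PORT = 655


@dataclass
class Packet:
    in_if: str            # interface the firewall received the packet on
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: Optional[int] = None
    syn: bool = False     # SYN set, ACK clear: the first packet of a TCP connection


def egress(dst: str) -> str:
    """Output interface per the firewall's routing table: the internal network
    is reached over eth0, everything else leaves via the default route on ppp0."""
    return "eth0" if ipaddress.ip_address(dst) in INTERNAL_NET else "ppp0"


@dataclass
class Rule:
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    not_syn: bool = False  # iptables "-p tcp ! --syn"

    def matches(self, p: Packet) -> bool:
        if self.in_if and p.in_if != self.in_if:
            return False
        if self.out_if and egress(p.dst) != self.out_if:
            return False
        if self.src and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.not_syn and p.syn:
            return False
        return True


# The four "-A FORWARD" rules from the script, in order; the chain policy is DROP.
FORWARD = [
    # replies to connections opened from inside: TCP packets that are not SYN
    Rule(in_if="ppp0", out_if="eth0", dst=INTERNAL_NET, proto="tcp", not_syn=True),
    # anything the internal network sends out
    Rule(in_if="eth0", out_if="ppp0", src=INTERNAL_NET),
    # tinc meta connections (TCP 655) and VPN data (UDP 655), to the tinc host only
    Rule(in_if="ppp0", out_if="eth0", dst=TINC_HOST, proto="tcp", dport=TINC_PORT),
    Rule(in_if="ppp0", out_if="eth0", dst=TINC_HOST, proto="udp", dport=TINC_PORT),
]


def forward_verdict(p: Packet) -> str:
    """First matching rule wins; no match falls through to the DROP policy."""
    for rule in FORWARD:
        if rule.matches(p):
            return "ACCEPT"
    return "DROP"


def demo() -> dict:
    """Constructed sample packets; 'home' is the peer from hosts/home."""
    home, host, other = "200.201.202.203", "123.234.123.42", "123.234.123.17"
    cases = {
        "home -> host tcp/655 SYN (tinc meta connection)": Packet("ppp0", home, host, "tcp", 655, syn=True),
        "home -> host udp/655 (tinc VPN data)": Packet("ppp0", home, host, "udp", 655),
        "home -> host tcp/22 SYN (ssh from outside)": Packet("ppp0", home, host, "tcp", 22, syn=True),
        "home -> host tcp/22 ACK (reply to an inside-initiated connection)": Packet("ppp0", home, host, "tcp", 22),
        "home -> other internal host udp/655": Packet("ppp0", home, other, "udp", 655),
        "host -> home tcp/655 SYN (tinc connecting outwards)": Packet("eth0", host, home, "tcp", 655, syn=True),
    }
    return {name: forward_verdict(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:6} {name}")
```

The model makes the security property of the rule set visible: from the outside, only TCP and UDP port 655 on 123.234.123.42 can be opened, while every other new connection into the internal network hits the DROP policy. It also shows the trade-off of the first rule: `! --syn` is a stateless approximation of "established", so any non-SYN TCP segment addressed to the internal network is forwarded regardless of whether a connection exists. On a kernel with connection tracking, the same intent is expressed more tightly with `-m state --state ESTABLISHED,RELATED`.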