[[!meta title="tinc on a masquerading firewall"]]

## Example: tinc on a masquerading firewall

This example shows a setup with tinc running on a masquerading
firewall, allowing the private subnet behind the firewall to access
the VPN. Example firewall rules are included in this example. They
are written for iptables (Linux 2.4 firewall code), but commented
so that you may apply the same kind of rules to other firewalls.
[[!img examples/fig-on-firewall]]

The network setup is as follows:

* Internal network is 10.20.30.0/24
* Firewall IP is 123.234.123.1 on the outside, 10.20.30.1/24 on the inside.
* The VPN the firewall connects to has the address range 10.20.0.0/16.
### Configuration of the firewall running tinc

Network interfaces on the firewall (`ifconfig` output; `vpn` is the interface tinc creates):

```
ppp0      Link encap:Point-to-Point Protocol
          inet addr:123.234.123.1  P-t-P:123.234.120.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:20:13:14:15:16
          inet addr:10.20.30.1  Bcast:10.20.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3856  Metric:1

vpn       Link encap:Point-to-Point Protocol
          inet addr:10.20.30.1  P-t-P:10.20.30.1  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
```

Routing table (`route` output): the whole VPN range goes out through `vpn`, the local subnet through `eth0`, everything else through the masquerading uplink `ppp0`.

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
10.20.0.0       *               255.255.0.0     U     0      0        0 vpn
default         123.234.120.1   0.0.0.0         UG    0      0        0 ppp0
```
The filter table: the FORWARD chain has policy DROP, so only the four listed flows are routed.

```
firewall# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K ACCEPT     any  --  ppp0   eth0    anywhere             10.20.30.0/24
 1234  123K ACCEPT     any  --  eth0   ppp0    10.20.30.0/24        anywhere
 1234  123K ACCEPT     any  --  vpn    eth0    10.20.0.0/16         10.20.30.0/24
 1234  123K ACCEPT     any  --  eth0   vpn     10.20.30.0/24        10.20.0.0/16

Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
 pkts bytes target     prot opt in     out     source               destination
```

The nat table: only traffic leaving through `ppp0` is masqueraded, so packets going into the VPN keep their 10.20.30.x source addresses.

```
firewall# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K MASQUERADE all  --  any    ppp0    10.20.30.0/24        anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

The script that loads these rules:

```sh
firewall# cat /etc/tinc/vpn/../../init.d/firewall
#!/bin/sh
# Let the kernel route between interfaces.
echo 1 >/proc/sys/net/ipv4/ip_forward

# Forward nothing unless one of the rules below allows it.
iptables -P FORWARD DROP

# Internet <-> internal network (masqueraded traffic and its replies).
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
# VPN <-> internal network; only VPN addresses may come in through the tunnel.
iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16

# Masquerade the internal network on the way out to the Internet only. POSTROUTING
# rules cannot match the incoming interface (-i), so select it by source address.
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0 -s 10.20.30.0/24
```
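To reason about what this rule set actually permits, the following added example (not code from the tinc documentation) models the FORWARD chain and the POSTROUTING MASQUERADE rule from the script above with iptables' first-match semantics. The flows at the bottom are constructed; `198.51.100.10` stands in for an arbitrary Internet host.

```python
"""Offline model of the FORWARD chain and the POSTROUTING MASQUERADE rule
from /etc/init.d/firewall above.  Added example, not code from the tinc
documentation: first matching rule wins, an unmatched packet gets the
chain policy, and MASQUERADE rewrites the source to the ppp0 address."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]    # -i, None = any interface
    out_if: Optional[str]   # -o, None = any interface
    src: Optional[Net]      # -s, None = anywhere
    dst: Optional[Net]      # -d, None = anywhere
    target: str             # -j

    def matches(self, in_if: str, out_if: str, src: str, dst: str) -> bool:
        return ((self.in_if is None or self.in_if == in_if)
                and (self.out_if is None or self.out_if == out_if)
                and (self.src is None or ipaddress.ip_address(src) in self.src)
                and (self.dst is None or ipaddress.ip_address(dst) in self.dst))


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


# The four "iptables -A FORWARD" rules, in the order the script appends them.
FORWARD_RULES = [
    Rule("ppp0", "eth0", None, net("10.20.30.0/24"), "ACCEPT"),
    Rule("eth0", "ppp0", net("10.20.30.0/24"), None, "ACCEPT"),
    Rule("vpn", "eth0", net("10.20.0.0/16"), net("10.20.30.0/24"), "ACCEPT"),
    Rule("eth0", "vpn", net("10.20.30.0/24"), net("10.20.0.0/16"), "ACCEPT"),
]
FORWARD_POLICY = "DROP"   # iptables -P FORWARD DROP

# iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0 -s 10.20.30.0/24
MASQUERADE_RULE = Rule(None, "ppp0", net("10.20.30.0/24"), None, "MASQUERADE")
FIREWALL_PUBLIC_IP = "123.234.123.1"   # ppp0 address from the ifconfig listing


def forward_verdict(in_if: str, out_if: str, src: str, dst: str) -> str:
    """Verdict of the FORWARD chain for a packet routed from in_if to out_if."""
    for rule in FORWARD_RULES:
        if rule.matches(in_if, out_if, src, dst):
            return rule.target
    return FORWARD_POLICY


def source_after_nat(in_if: str, out_if: str, src: str, dst: str) -> str:
    """Source address the packet carries after POSTROUTING."""
    if MASQUERADE_RULE.matches(in_if, out_if, src, dst):
        return FIREWALL_PUBLIC_IP       # rewritten to the ppp0 address
    return src                          # VPN-bound traffic keeps its own address


if __name__ == "__main__":
    # Constructed sample flows (not from the page); 198.51.100.10 = some Internet host.
    flows = [
        ("vpn", "eth0", "10.20.40.5", "10.20.30.7"),        # branch -> office LAN
        ("eth0", "vpn", "10.20.30.7", "10.20.40.5"),        # office LAN -> branch
        ("eth0", "ppp0", "10.20.30.7", "198.51.100.10"),    # LAN -> Internet, masqueraded
        ("ppp0", "vpn", "198.51.100.10", "10.20.40.5"),     # Internet -> VPN: dropped
        ("vpn", "ppp0", "10.20.40.5", "198.51.100.10"),     # VPN -> Internet via us: dropped
    ]
    for flow in flows:
        print(flow, forward_verdict(*flow), "src after NAT:", source_after_nat(*flow))
```

Two things the model makes visible: the firewall never forwards between `ppp0` and `vpn` in either direction, so VPN peers cannot use it as an Internet gateway and Internet hosts cannot reach the VPN through it; and because the masquerade rule matches only `-o ppp0`, traffic into the tunnel arrives at the other VPN members with its 10.20.30.x source, which is what the `Subnet = 10.20.30.0/24` line in `hosts/office` below advertises. The first FORWARD rule is stateless; it is what lets masqueraded replies, already de-NATed to a 10.20.30.x destination in PREROUTING, back in.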
### Configuration of tinc

```
firewall# cat /etc/tinc/vpn/tinc.conf
```

The `tinc-up` script gives the `vpn` interface the firewall's internal address with the VPN-wide netmask; this is what produces the `10.20.0.0/16` route over `vpn` in the routing table above:

```sh
firewall# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
ifconfig vpn 10.20.30.1 netmask 255.255.0.0
```

There is one host file per VPN member. `Address` is the member's real Internet address (the one tinc connects to outside the tunnel), `Subnet` declares the addresses reachable through that member, and the public key is used to authenticate it:

```
firewall# ls /etc/tinc/vpn/hosts
office branch employee_smith employee_jones ...

firewall# cat /etc/tinc/vpn/hosts/office
Address = 123.234.123.1
Subnet = 10.20.30.0/24
-----BEGIN RSA PUBLIC KEY-----

-----END RSA PUBLIC KEY-----

firewall# cat /etc/tinc/vpn/hosts/branch
Address = 123.234.213.129
Subnet = 10.20.40.0/24
-----BEGIN RSA PUBLIC KEY-----

-----END RSA PUBLIC KEY-----

firewall# cat /etc/tinc/vpn/hosts/employee_smith
Address = 200.201.202.203
Subnet = 10.20.50.1/32
-----BEGIN RSA PUBLIC KEY-----

-----END RSA PUBLIC KEY-----
```
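The host files above are the routing table of the VPN, so mistakes in them (a `Subnet` outside the VPN range, two members claiming overlapping subnets, a missing key) are worth catching before tinc is restarted. The following is an added example, not tinc's own code: a small parser for the `Variable = Value` host-file format and a consistency check over a hosts directory. The three files are embedded as constructed strings with the key bodies left out; in practice you would read `/etc/tinc/vpn/hosts/*`.

```python
"""Consistency checks over tinc host files.  Added example, not tinc's own
code.  The files below reproduce the ones listed above, with the key
material omitted; a real run would read /etc/tinc/vpn/hosts/*."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

VPN_RANGE = ipaddress.ip_network("10.20.0.0/16")    # address range of the VPN

# Constructed copies of the host files shown on this page (keys left out).
HOST_FILES: Dict[str, str] = {
    "office": (
        "Address = 123.234.123.1\n"
        "Subnet = 10.20.30.0/24\n"
        "-----BEGIN RSA PUBLIC KEY-----\n"
        "...\n"
        "-----END RSA PUBLIC KEY-----\n"
    ),
    "branch": (
        "Address = 123.234.213.129\n"
        "Subnet = 10.20.40.0/24\n"
        "-----BEGIN RSA PUBLIC KEY-----\n"
        "...\n"
        "-----END RSA PUBLIC KEY-----\n"
    ),
    "employee_smith": (
        "Address = 200.201.202.203\n"
        "Subnet = 10.20.50.1/32\n"
        "-----BEGIN RSA PUBLIC KEY-----\n"
        "...\n"
        "-----END RSA PUBLIC KEY-----\n"
    ),
}

_VAR = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_host_file(text: str) -> Tuple[Optional[str], List[ipaddress.IPv4Network], bool]:
    """Return (Address, [Subnet, ...], has_public_key) for one host file.
    Variable names are case-insensitive and a host may list several Subnet
    lines; lines inside the key block are skipped."""
    address, subnets, has_key, in_key = None, [], False, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN"):
            in_key = True
            continue
        if line.startswith("-----END"):
            in_key, has_key = False, True
            continue
        if in_key:
            continue
        m = _VAR.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "address":
            address = value
        elif name == "subnet":
            subnets.append(ipaddress.ip_network(value))
    return address, subnets, has_key


def check_hosts(files: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the directory is consistent."""
    problems: List[str] = []
    seen: List[Tuple[str, ipaddress.IPv4Network]] = []
    for host, text in files.items():
        address, subnets, has_key = parse_host_file(text)
        if not has_key:
            problems.append(f"{host}: no public key block")
        if address is not None:
            try:   # "Address = host [port]"; the host part may also be a DNS name
                if ipaddress.ip_address(address.split()[0]) in VPN_RANGE:
                    problems.append(f"{host}: Address {address} lies inside the VPN range")
            except ValueError:
                pass
        for s in subnets:
            if not s.subnet_of(VPN_RANGE):
                problems.append(f"{host}: Subnet {s} is outside {VPN_RANGE}")
            for other, t in seen:
                if s.overlaps(t):
                    problems.append(f"{host}: Subnet {s} overlaps {other}'s {t}")
            seen.append((host, s))
    return problems


if __name__ == "__main__":
    print(check_hosts(HOST_FILES) or "hosts directory is consistent")
```

Run against the page's three files the check reports nothing; feeding it a constructed `employee_jones` file whose `Subnet` falls inside `branch`'s 10.20.40.0/24 makes the overlap explicit, which is the kind of misconfiguration that otherwise shows up only as traffic for one member silently going to another.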