ipchains

Gillian gillianh at paper-graphics.com
Thu May 24 10:26:29 CEST 2001


Dear Tinc Experts,

I have been struggling for some time now with Tinc pre3, firewall
rulesets and routing. I did once manage to get Tinc to work okay in a
test-bed environment. I then tried to set it up for a 'real-life'
setup and cannot get it to work properly.

My real-life setup looks like this:


Network A:

192.168.1.0 / 255.255.255.0

192.168.1.7   tap1 device gateway  >
                                   >
192.168.1.3   eth0 gateway         >----  Firewall / NAT / Tinc box A
                                   >
62.49.252.50  eth1 gateway         >


Network B:

192.168.3.0 / 255.255.255.0

192.168.3.6   tap0 device gateway  >
                                   >
192.168.3.5   eth0 gateway         >----  Firewall / NAT / Tinc box B
                                   >
62.49.242.210 eth1 gateway         >


Here is the firewall ruleset (not working properly, as far as I can tell),
that is on Box A (similar firewall script on Box B). Note that I can get
boxes on subnet A pinging boxes on subnet B if I get rid of the firewall
script and set all the ipchains policies to ACCEPT. Pinging works, but I
couldn't get other things to go across the Tinc VPN link (ftp, etc.).

/etc/rc.d/rc.firewall  -->

#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

extip="62.49.252.50"
extint="eth1"

intint="eth0"
intnet="192.168.1.0/24"

# MASQ Timeouts  ( 2 hours tcp session, 10 sec tcpfin, 60 sec udp )
ipchains -M -S 7200 10 60

# -----------------------------------
#  Incoming ipchains firewall rules:
# -----------------------------------
/sbin/ipchains -F input
/sbin/ipchains -P input REJECT

# local interface, local machines, going anywhere is valid
/sbin/ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
# new tinc rules
/sbin/ipchains -A input -s $intnet -d 0.0.0.0/0 -i tap1 -j ACCEPT
/sbin/ipchains -A input -s 192.168.3.0/24 -d 0.0.0.0/0 -i tap1 -j ACCEPT
# remote interface, claiming to be local, via ip spoofing, get lost
/sbin/ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# remote interface, any source, going to ext interface is valid
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
# loopback interface is valid
/sbin/ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch-all rule, all other incoming is denied and logged
/sbin/ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

# -----------------------------------
#  Outgoing ipchains firewall rules:
# -----------------------------------
/sbin/ipchains -F output
/sbin/ipchains -P output REJECT

# local interface, any source going to local net, is valid
/sbin/ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
# new tinc rules
/sbin/ipchains -A output -i tap1 -d $intnet -j ACCEPT
/sbin/ipchains -A output -i tap1 -d 192.168.3.0/24 -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
/sbin/ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
# outgoing from local net on remote interface, stuffed masquerading, deny
/sbin/ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# anything else on the remote interface is valid
/sbin/ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
# loopback interface is valid
/sbin/ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch-all rule, all other outgoing is denied and logged
/sbin/ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

# -------------------------------------
#  Forwarding ipchains firewall rules:
# -------------------------------------
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY

# new tinc
/sbin/ipchains -A forward -i tap1 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
/sbin/ipchains -A forward -i tap1 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT

# masquerade from local net on local interface to anywhere
/sbin/ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
/sbin/ipchains -A forward -i $extint -s 194.128.68.0/24 -d 0.0.0.0/0 -j MASQ

# catch-all rule, all other forwarding is denied and logged
/sbin/ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

# End of firewall script
# -------------------------------------


/sbin/ipchains -L input -n -v        -->
Chain input (policy REJECT: 210392 packets, 52777660 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  source                destination           ports
   56  7193 ACCEPT     all  ------ 0xFF 0x00  eth0    192.168.1.0/24       0.0.0.0/0             n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  tap1    192.168.1.0/24       0.0.0.0/0             n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  tap1    192.168.3.0/24       0.0.0.0/0             n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth1    192.168.1.0/24       0.0.0.0/0             n/a
    2   266 ACCEPT     all  ------ 0xFF 0x00  eth1    0.0.0.0/0            62.49.252.50          n/a
    2   154 ACCEPT     all  ------ 0xFF 0x00  lo      0.0.0.0/0            0.0.0.0/0             n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  *       0.0.0.0/0            0.0.0.0/0             n/a

/sbin/ipchains -L output -n -v       -->
Chain output (policy REJECT: 133548 packets, 43707305 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  source                destination           ports
   39  2370 ACCEPT     all  ------ 0xFF 0x00  eth0    0.0.0.0/0            192.168.1.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  tap1    0.0.0.0/0            192.168.1.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  tap1    0.0.0.0/0            192.168.3.0/24        n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth1    0.0.0.0/0            192.168.1.0/24        n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth1    192.168.1.0/24       0.0.0.0/0             n/a
    2   142 ACCEPT     all  ------ 0xFF 0x00  eth1    62.49.252.50         0.0.0.0/0             n/a
    2   154 ACCEPT     all  ------ 0xFF 0x00  lo      0.0.0.0/0            0.0.0.0/0             n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  *       0.0.0.0/0            0.0.0.0/0             n/a

/sbin/ipchains -L forward -n -v      -->
Chain forward (policy DENY: 1855 packets, 147806 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  source                destination           ports
    0     0 ACCEPT     all  ------ 0xFF 0x00  tap1    192.168.1.0/24       192.168.3.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  tap1    192.168.3.0/24       192.168.1.0/24        n/a
    0     0 MASQ       all  ------ 0xFF 0x00  eth1    192.168.1.0/24       0.0.0.0/0             n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  *       0.0.0.0/0            0.0.0.0/0             n/a

/sbin/ifconfig                       -->
eth0      Link encap:Ethernet  HWaddr 00:06:29:05:58:07  
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2487570 errors:25 dropped:0 overruns:0 frame:30
          TX packets:881885 errors:1 dropped:0 overruns:0 carrier:1
          collisions:15289 txqueuelen:100 
          Interrupt:11 Base address:0x3100 

eth1      Link encap:Ethernet  HWaddr 00:E0:29:14:61:A5  
          inet addr:62.49.252.50  Bcast:62.49.252.63  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:535939 errors:0 dropped:0 overruns:0 frame:0
          TX packets:467370 errors:0 dropped:0 overruns:0 carrier:0
          collisions:96 txqueuelen:100 
          Interrupt:15 Base address:0x4800 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:46657 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46657 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 

tap1      Link encap:Ethernet  HWaddr FE:FD:00:00:00:00  
          inet addr:192.168.1.7  Bcast:192.168.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:851 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1256 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          Interrupt:5 

/sbin/route -n                     --> 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.3     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
62.49.252.50    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
62.49.252.48    0.0.0.0         255.255.255.240 U     0      0        0 eth1
62.49.252.48    0.0.0.0         255.255.255.240 U     0      0        0 ipsec0
192.168.3.0     192.168.1.7     255.255.255.0   UG    0      0        0 tap1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
194.128.68.0    192.168.1.250   255.255.255.0   UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 tap1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         62.49.252.49    0.0.0.0         UG    0      0        0 eth1

tail -20 /var/log/messages         -->
May 24 08:43:35 mailgate tinc.netscot[29567]: Sending packet of 100 bytes to scot (62.49.242.210)
May 24 08:43:35 mailgate tinc.netscot[29567]: Writing packet of 98 bytes to tap device
May 24 08:43:35 mailgate tinc.netscot[29567]: Sending packet of 128 bytes to scot (62.49.242.210)
May 24 08:43:35 mailgate kernel: Packet log: forward REJECT eth0 PROTO=1 192.168.3.10:0 192.168.1.40:0 L=84 S=0x00 I=65049 F=0x0000 T=126 (#5)
May 24 08:43:36 mailgate tinc.netscot[29567]: Sending packet of 100 bytes to scot (62.49.242.210)
May 24 08:43:36 mailgate tinc.netscot[29567]: Writing packet of 98 bytes to tap device
May 24 08:43:36 mailgate tinc.netscot[29567]: Sending packet of 128 bytes to scot (62.49.242.210)
May 24 08:43:36 mailgate kernel: Packet log: forward REJECT eth0 PROTO=1 192.168.3.10:0 192.168.1.40:0 L=84 S=0x00 I=65305 F=0x0000 T=126 (#5)


TINC SETTINGS ON VBOX MACHINE (62.49.252.50 & 192.168.1.3)

/usr/local/etc/tinc/netscot/tinc.conf
Name = vbox
Interface = eth0
TapDevice = /dev/tap1
PrivateKey = 7E...

/usr/local/etc/tinc/netscot/tinc-up
#!/bin/bash
/sbin/ifconfig tap1 hw ether fe:fd:00:00:00:00
/sbin/ifconfig tap1 192.168.1.7 broadcast 192.168.255.255 netmask 255.255.0.0

/usr/local/etc/tinc/netscot/tinc-down
#!/bin/bash
/sbin/ifconfig tap1 down

/usr/local/etc/tinc/netscot/hosts/scot
Address = 62.49.242.210
Subnet = 192.168.3.0/24
Port = 2003
PublicKey = FF...

/usr/local/etc/tinc/netscot/hosts/vbox
Address = 62.49.252.50
Subnet = 192.168.1.0/24
Port = 2003
PublicKey = 9E...

TINC SETTINGS ON SCOT MACHINE (62.49.242.210 & 192.168.3.5)

/usr/local/etc/tinc/tinc.conf
Name = scot
TapDevice = /dev/tap0
Interface = eth0
ConnectTo = vbox
PrivateKey = E1...

/usr/local/etc/tinc/tinc-up
#!/bin/bash
/sbin/ifconfig tap0 hw ether fe:fd:00:00:00:00
/sbin/ifconfig tap0 192.168.3.6 broadcast 192.168.255.255 netmask 255.255.0.0

/usr/local/etc/tinc/tinc-down
#!/bin/bash
/sbin/ifconfig tap0 down

/usr/local/etc/tinc/hosts/scot
Address = 62.49.242.210
Subnet = 192.168.3.0/24
Port = 2003
PublicKey = FF...

/usr/local/etc/tinc/hosts/vbox
Address = 62.49.252.50
Subnet = 192.168.1.0/24
Port = 2003
PublicKey = 9E...



I know that there must be something wrong with my firewall script, and there might also be
a problem with the tinc configuration. Can someone please help me to determine where the
problems are, and fix my setup? I am getting very close to my deadline for setting up a VPN
at work, and if someone can spot my mistake(s) they could 'save my life'.

Thanks,
Gillian Hodgkinson.

-
Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://ftp.nl.linux.org/pub/linux/tinc/
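An added example, not part of the post above and not code from the tinc project: a small first-match model of the ipchains forward chain, in Python, that replays the kernel "Packet log" line from the post against the forward rules as posted. On the ipchains forward chain the `-i` option matches the interface a packet is about to leave by, and the logged line records an ICMP packet (PROTO=1) from 192.168.3.10 to 192.168.1.40 being forwarded out `eth0` and hitting rule #5, the catch-all REJECT; the two `-i tap1` forward rules can therefore only ever see traffic that leaves towards network B, never the traffic from network B that leaves towards network A over `eth0`. `FORWARD_CORRECTED` is a hypothetical rewrite of those two rules keyed on the outgoing interface; it is an assumption of this example, not a fix taken from the thread, and the `Rule`, `Packet`, `evaluate` and `parse_packet_log` names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One forward-chain rule. iface=None stands for '*' (no -i given)."""
    iface: Optional[str]
    src: str
    dst: str
    target: str


@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str  # forward chain: -i matches the interface the packet LEAVES by


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.out_iface:
        return False
    src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src, strict=False)
    dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst, strict=False)
    return src_ok and dst_ok


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, int]:
    """First matching rule wins: returns (target, 1-based rule number), or (policy, 0)."""
    for number, rule in enumerate(chain, start=1):
        if rule_matches(rule, pkt):
            return rule.target, number
    return policy, 0


# The forward chain exactly as in the posted rc.firewall (five rules, policy DENY).
FORWARD_AS_POSTED = [
    Rule("tap1", "192.168.1.0/24", "192.168.3.0/24", "ACCEPT"),
    Rule("tap1", "192.168.3.0/24", "192.168.1.0/24", "ACCEPT"),
    Rule("eth1", "192.168.1.0/24", "0.0.0.0/0", "MASQ"),
    Rule("eth1", "194.128.68.0/24", "0.0.0.0/0", "MASQ"),
    Rule(None, "0.0.0.0/0", "0.0.0.0/0", "REJECT"),
]

# Hypothetical correction (this example's assumption, not from the post): key each
# VPN rule on the interface the packet actually leaves by. Traffic from network B
# towards network A is forwarded out eth0, not tap1.
FORWARD_CORRECTED = [
    Rule("tap1", "192.168.1.0/24", "192.168.3.0/24", "ACCEPT"),  # A -> B leaves via tap1
    Rule("eth0", "192.168.3.0/24", "192.168.1.0/24", "ACCEPT"),  # B -> A leaves via eth0
    Rule("eth1", "192.168.1.0/24", "0.0.0.0/0", "MASQ"),
    Rule("eth1", "194.128.68.0/24", "0.0.0.0/0", "MASQ"),
    Rule(None, "0.0.0.0/0", "0.0.0.0/0", "REJECT"),
]

# ipchains kernel log format: "Packet log: <chain> <target> <iface> PROTO=<n> src:port dst:port ... (#rule)"
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):\d+ .*\(#(?P<rule>\d+)\)"
)


def parse_packet_log(line: str) -> dict:
    match = PACKET_LOG_RE.search(line)
    if match is None:
        raise ValueError("not an ipchains packet log line")
    event = match.groupdict()
    event["proto"] = int(event["proto"])
    event["rule"] = int(event["rule"])
    return event


# One kernel line copied from the post (its two wrapped halves joined back together).
LOGGED_LINE = ("May 24 08:43:35 mailgate kernel: Packet log: forward REJECT eth0 PROTO=1 "
               "192.168.3.10:0 192.168.1.40:0 L=84 S=0x00 I=65049 F=0x0000 T=126 (#5)")


def replay(line: str, chain: List[Rule]) -> Tuple[str, int]:
    """Rebuild the logged packet and run it through a forward chain with policy DENY."""
    event = parse_packet_log(line)
    pkt = Packet(event["src"], event["dst"], event["iface"])
    return evaluate(chain, "DENY", pkt)


if __name__ == "__main__":
    event = parse_packet_log(LOGGED_LINE)
    print("kernel logged: chain=%s target=%s out=%s rule=#%d"
          % (event["chain"], event["target"], event["iface"], event["rule"]))
    print("as posted :", replay(LOGGED_LINE, FORWARD_AS_POSTED))
    print("corrected :", replay(LOGGED_LINE, FORWARD_CORRECTED))
    print("A -> B    :", evaluate(FORWARD_CORRECTED, "DENY",
                                   Packet("192.168.1.40", "192.168.3.10", "tap1")))
```

Replaying the logged packet through `FORWARD_AS_POSTED` lands on rule 5 (REJECT), the same rule number the kernel line reports, while the same packet through `FORWARD_CORRECTED` is accepted by the `eth0` rule; the reverse direction, network A to network B leaving via `tap1`, is accepted by rule 1 in both lists. Only the forward chain is modelled here; the input and output chains are evaluated separately by ipchains and are not covered by this example.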
