Question concerning iptables and the example at tinc's homepage

Reil reil at gemeinde-berg.de
Mon Nov 28 17:21:27 CET 2005


Hi all,
hi Guus,

In July 2004 I received an e-mail from you concerning the way a 
packet takes across a (tinc) VPN:

> They are forwarded from eth0 to tap0, but the kernel doesn't know that
> tinc is forwarding them from tap0 to ippp0. So, the UDP and TCP
> packets that tinc sends will be seen by the OUTPUT chain instead of
> the FORWARD chain. At the other end, the received UDP and TCP packets
> will be seen by the INPUT chain. When tinc sends the packets to tap0,
> they will be forwarded to eth0 and then you should use the FORWARD
> chain again.

Now I'm confused, because looking at 
http://www.tinc-vpn.org/examples/on-firewall
the example for the iptables rules looks like this:

--- schnipp ---
...
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16
...
--- schnapp ---

I don't understand the first two ACCEPT rules. They allow all 
traffic from outside to inside and vice versa. Shouldn't there be 
INPUT / OUTPUT rules ACCEPTing only TCP / UDP on port 655 instead of 
these two FORWARD rules?

Any hint would be appreciated...

Greetings,

Alexander Reil

-- 
Gemeinde Berg
Mr Reil
Telephone: 08151/508-41
Fax:       08151/508-88
E-Mail:    reil at gemeinde-berg.de
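As an added example (not from this thread or from the tinc project), here is a firewall script that spells out the packet path described in the quoted e-mail: tincd's own TCP/UDP on the firewall host is seen by INPUT and OUTPUT, while traffic between the vpn interface and the LAN is seen by FORWARD. Interface names, networks and the default port 655 are taken from the homepage example; the DRY_RUN mode that prints the rules instead of loading them, and the stateful ESTABLISHED,RELATED rules, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the tinc project. Assumed values
# (from the homepage example): LAN 10.20.30.0/24 on eth0, VPN 10.20.0.0/16
# on the "vpn" interface, internet on ppp0, tinc on its default port 655.
# DRY_RUN=1 (the default) prints the rules instead of loading them, so the
# rule set can be reviewed before it is applied to a real firewall.

DRY_RUN=${DRY_RUN:-1}
WAN_IF=ppp0
LAN_IF=eth0
VPN_IF=vpn
LAN_NET=10.20.30.0/24
VPN_NET=10.20.0.0/16
TINC_PORT=655

# Wrapper: echo the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

tinc_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        ipt -P "$chain" DROP
        ipt -F "$chain"
    done
    # Replies to anything already allowed, on every chain (stateful).
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # tincd is a local process on this host: its sessions with other tinc
    # nodes are seen by INPUT (incoming) and OUTPUT (outgoing), never by
    # FORWARD, so port 655 is opened here, and only on the internet side.
    for proto in tcp udp; do
        ipt -A INPUT  -i "$WAN_IF" -p "$proto" --dport "$TINC_PORT" -j ACCEPT
        ipt -A OUTPUT -o "$WAN_IF" -p "$proto" --dport "$TINC_PORT" -j ACCEPT
    done
    # Decapsulated VPN packets appear on the vpn interface and are routed
    # to the LAN (and back) by the kernel, so they are a FORWARD matter.
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -d "$VPN_NET" -j ACCEPT
    # The LAN's ordinary internet access through ppp0 does not involve the
    # tunnel at all; with the ESTABLISHED rule above, only the outbound
    # direction needs an explicit rule.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

tinc_rules
```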


