firewalling / netfilter / iptables / tcpdump on the vpn
xavier
list.tinc at natch.dyndns.org
Mon May 8 16:23:10 CEST 2006
On Mon, May 08, 2006 at 09:31:15AM -0400, Russell Handorf wrote:
> Use the FORWARD rule.
yes, of course, sorry for not mentioning that.
like i said tcpdump -i vpn1 -n didn't show anything going from host a to b
and iptables -I FORWARD -j LOG didn't show anything going from host a to b either.
firewall on the FORWARD rule between the vpn1 interface and any other interface is working
great, but i want to firewall packets on the vpn.
> If you have the interfaces bridged, you'll need to
> use the firewalling support for bridging option.
the vpn mode is "router";
on the vpn server i have only one physical interface, eth0.
i have no interfaces bridged. (maybe vpn1 is a bridged interface ?)
what interfaces bridged are we talking about ?
what should i do to be able to see traffic between host a and b when i'm running tcpdump on interface vpn1
on the vpn server ?
thanks
>
> r
>
> xavier wrote:
> >Hi !
> >
> >I tried tinc, i'm very happy with it ;
> >however, i have difficulties firewalling on the vpn itself ;
> >here is my situation and what i'm experiencing:
> >
> >
> >
> >hosta ----|
> > vpn server
> >hostb ----|
> >
> >
> >my interface is named vpn1
> >
> >i can firewall connections starting from host a and b to the vpn server
> >(on the vpn server) (iptables -A INPUT -i vpn1 bla bla)
> >
> >i can firewall connections starting from host a to host b (on host a and b)
> >
> >i can NOT firewall connections starting from host a to host b on the vpn
> >server.
> >
> >
> >actually, tcpdump reports the same thing :
> >
> >i can't see the traffic between host a and b,
> >even if technically it's going through the vpn server (i can see the
> >encrypted traffic on eth0 of the vpn server)
> >
> >it's a problem when you want to restrict access from the vpn server,
> >between 2 vpn hosts.
> >
> >
> >
> >any solution ?
> >
> >i guess i could create an interface for each host (vpnhosta,
> >vpnhostb...) but this would be a pain to manage.
> >
> >thanks
> >
> >
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://brouwer.uvt.nl/cgi-bin/mailman/listinfo/tinc
--
xavier
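An added example, not part of this thread: in tinc's router mode tincd relays host-a to host-b packets itself in userspace, so they never cross the vpn1 TUN device and neither tcpdump -i vpn1 nor the kernel's FORWARD chain can see them. The script below assumes tinc 1.0.10 or later, where tinc.conf accepts "Forwarding = off | internal | kernel" (default internal); it reads a tinc.conf from stdin, reports whether FORWARD rules on the VPN interface can apply to relayed traffic, and emits (without running) the rules for a constructed pair of hosts.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes tinc >= 1.0.10, where tinc.conf
# has "Forwarding = off | internal | kernel" (default internal). In internal
# mode tincd relays packets between other nodes in userspace, so they never
# appear on the TUN device; only "Forwarding = kernel" pushes them through it.

# Print the effective Forwarding mode of the tinc.conf given on stdin.
# Variable names and values are matched case-insensitively; "#" comments are
# skipped; the last assignment wins; absence means the default, internal.
tinc_forwarding_mode() {
    mode=$(tr 'A-Z' 'a-z' \
        | sed -n 's/^[[:space:]]*forwarding[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' \
        | tail -n 1)
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else echo internal; fi
}

# Return 0 when FORWARD rules on the VPN interface can see traffic relayed
# between two other nodes, 1 (with a hint on stderr) otherwise.
relayed_traffic_firewallable() {
    case "$(tinc_forwarding_mode)" in
        kernel) return 0 ;;
        off)    echo 'Forwarding = off: tincd drops relayed packets' >&2; return 1 ;;
        *)      echo 'Forwarding = internal (default): tincd relays in userspace;' \
                     'set "Forwarding = kernel" to firewall on the VPN interface' >&2
                return 1 ;;
    esac
}

# Emit (do not run) FORWARD rules restricting host a -> host b once relayed
# packets reach the kernel: they enter and leave on the same VPN interface.
# Arguments: interface, host a address, host b address. Port 22 is a
# constructed example of the one service left open.
vpn_forward_rules() {
    cat <<EOF
iptables -A FORWARD -i $1 -o $1 -s $2 -d $3 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $1 -o $1 -s $2 -d $3 -j DROP
EOF
}
```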