LocalDiscovery detecting nodes through tunnel

Lance Fredrickson lancethepants at gmail.com
Fri Apr 5 01:59:18 CEST 2013


My iptables statements are trying to identify the packets to DROP.  The
rules should be identifying those Tinc broadcast packets that are destined
for the VPN.  They need to match the tap interface Tinc is using, and the
port that it uses to broadcast the Local Discovery.
These rules really should go in your tinc-up configuration.  We can replace
tap0 (or whatever Tinc decided to use) with the $INTERFACE variable, and
tinc will take care of applying these rules to that interface.  These will
then be applied automatically whenever Tinc is run.  What port is Tinc using
to broadcast the Local Discovery?  Replace ### with the port number.

# -p udp is required: --dport is an option of the udp/tcp match, and iptables
# rejects the rule ("unknown option --dport") without it.  $INTERFACE is set by
# tinc when it runs tinc-up.  ### is the Local Discovery port.
iptables -I INPUT   --in-interface  "$INTERFACE" -p udp --dport ### -m pkttype --pkt-type broadcast -j DROP
iptables -I FORWARD --in-interface  "$INTERFACE" -p udp --dport ### -m pkttype --pkt-type broadcast -j DROP
iptables -I FORWARD --out-interface "$INTERFACE" -p udp --dport ### -m pkttype --pkt-type broadcast -j DROP
iptables -I OUTPUT  --out-interface "$INTERFACE" -p udp --dport ### -m pkttype --pkt-type broadcast -j DROP

Admittedly, I am not as familiar with netfilter as with ebtables.  I found this
example on the site below, which says it will block all broadcast
packets, obviously on INPUT.
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html

iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

From here I modified it to DROP packets that we don't want to enter or
leave the VPN interface.  I haven't tested its functionality other
than to ensure that my syntax is correct, and that iptables will
accept it.  I removed -p udp, as that should be redundant anyway.



On Thu, Apr 4, 2013 at 5:02 PM, Dominik George <nik at naturalnet.de> wrote:

> Hi,
>
> > What set of firewall rules are you currently using?
>
> What I am using is exactly what you proposed, with all policies being
> ACCEPT.
>
> I assume that the discovery broadcasts would be mentioned in Tinc's
> debug output - at debug level 5, I do not see anything about it. That's
> why I concluded they aren't sent.
>
> -nik
>
> --
> * mirabilos is handling my post-1990 smartphone *
> <mirabilos> Aaah, it vibrates! Wherefore art thou, demonic device??
>
> 2013-05-19 - 05-21  Geocaching-Tour        Hamburg    (2 Betten frei)
> 2013-06-28 - 06-30  http://project-eck.de  Koblenz
> 2013-08-01 - 08-04  http://berlin-mega.de  Berlin     (2 Betten frei)
> 2013-08-28 - 09-02  http://prora2013.de    Rügen
> 2013-12-27 - 12-31  30c3                   Hamburg    (2 Betten frei)
>
> PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
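A tinc-up that applies the rules discussed above for a configurable port, as an added example (it is neither the original poster's script nor part of tinc). It assumes the $INTERFACE variable tinc exports to tinc-up, and a PORT defaulting to 655, tinc's standard port; substitute the Port value from your own tinc.conf if it differs. The rules are generated as text first so they can be reviewed, and checked with -C before insertion so that re-running tinc-up does not stack duplicates.

```shell
#!/bin/sh
# tinc-up: drop tinc LocalDiscovery broadcasts on the VPN interface.
# Added example, not code from the original post or from tinc itself.
# Assumptions: tinc exports $INTERFACE to tinc-up, and PORT is the UDP port
# tinc listens on (tinc's default is 655; use the "Port" from your tinc.conf
# or host file if you changed it).

PORT="${PORT:-655}"

# Print, one per line, the iptables commands that drop LocalDiscovery
# broadcasts entering or leaving the given interface on the given UDP port.
# Printing instead of executing lets the rule set be reviewed without root.
discovery_drop_rules() {
    iface="$1"
    port="$2"
    # --dport is an option of the udp match, so -p udp must precede it;
    # iptables rejects "--dport" when no protocol match has been loaded.
    common="-p udp --dport $port -m pkttype --pkt-type broadcast -j DROP"
    printf '%s\n' \
        "iptables -I INPUT -i $iface $common" \
        "iptables -I FORWARD -i $iface $common" \
        "iptables -I FORWARD -o $iface $common" \
        "iptables -I OUTPUT -o $iface $common"
}

# Number of rules discovery_drop_rules emits (a sanity check for the caller).
discovery_rule_count() {
    discovery_drop_rules "$1" "$2" | wc -l | tr -d ' '
}

# Run each rule, first probing with -C so that running tinc-up twice does
# not insert the same rule twice (iptables -I inserts unconditionally).
apply_discovery_drop_rules() {
    discovery_drop_rules "$1" "$2" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -I / -C /')
        $check 2>/dev/null || $rule
    done
}

# Only apply when invoked by tinc (which sets INTERFACE); running or sourcing
# this file by hand without INTERFACE just defines the functions above.
if [ -n "$INTERFACE" ]; then
    apply_discovery_drop_rules "$INTERFACE" "$PORT"
fi
```

One caveat on the pkttype match: the packet type it tests is the link-layer classification the kernel assigns when a frame is received, so the INPUT and FORWARD rules are the ones that will reliably match; a broadcast generated locally and traversing OUTPUT may not carry the broadcast packet type at all, and that rule is kept only to mirror the original set. Verify with `iptables -L -v -n` that the counters on the INPUT/FORWARD rules increase after a node starts.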