Firewall rules for TINC server
Guus Sliepen
guus at tinc-vpn.org
Sun Jan 15 15:02:21 CET 2017
On Fri, Jan 13, 2017 at 06:53:07PM +0000, Guillermo Bisheimer wrote:
> I've set up a Tinc VPN for a bunch of nodes divided in two groups:
>
> Group 1:
> IP Range 10.100.0.2 to 10.100.127.255
>
> Group 2:
> IP Range 10.100.128.1 to 10.100.255.255
>
> Server IP: 10.100.0.1
I would recommend running two tinc daemons on the server, one for each
group. That way, you don't have to use TunnelServer and Forwarding =
kernel.
> The problem is that I also need to isolate clients from group 1 from
> reaching the server, but found no way to do that yet.
If you use two tinc daemons, then for group 1 you can add
"DeviceType = dummy" to the server's tinc.conf. That way the server
doesn't create a tun/tap interface at all, so it cannot send or receive
packets for that group.
> Tried with
>
> sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
>
> but this only works for blocking ping but it doesn't stop curl or anything
> else.
That command works better with -A instead of -D. It should then drop
everything, not just ping packets, unless there is another rule earlier
in the INPUT chain that explicitly allows that traffic.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
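The setup sketched in the reply above, written out as an added example that is not part of this thread or of the tinc project: one tinc.conf per daemon (the group 1 one with DeviceType = dummy), the INPUT rule added with -A rather than -D, and a small check for the ordering caveat, which lists every ACCEPT rule that sits above the DROP in the INPUT chain so you can see whether one of them already matches group 1 traffic. The netnames "group1"/"group2", the node name "server", the ports 655/656, the tun0 interface name and the sample "iptables -S INPUT" output are all made up for the example; the config layout /etc/tinc/<netname>/tinc.conf is the standard tinc 1.0 one.

```shell
#!/bin/sh
# Added example, not code from this thread or from tinc itself.
# Assumptions: tinc 1.0 layout under /etc/tinc/<netname>/, the server node is
# named "server", netnames group1/group2 and ports 655/656 are invented.

TINC_ROOT=${TINC_ROOT:-/etc/tinc}

# Write tinc.conf for one daemon.
#   $1 netname   $2 listening port   $3 DeviceType (tun for group 2, dummy for group 1)
# With "DeviceType = dummy" the daemon opens no tun/tap device, so the server
# has no address inside that VPN at all. Group 1 nodes still reach each other,
# because tinc forwards their packets internally (the default Forwarding mode).
# Each daemon needs its own port; group 1 clients put the same "Port = 656"
# line in their hosts/server file so they connect to the right daemon.
write_tinc_conf() {
  net=$1 port=$2 devtype=$3
  mkdir -p "$TINC_ROOT/$net/hosts" || return 1
  cat > "$TINC_ROOT/$net/tinc.conf" <<EOF
Name = server
Port = $port
DeviceType = $devtype
EOF
}

# Read "iptables -S INPUT" output on stdin and print every "-j ACCEPT" rule that
# sits above the DROP for $1 -> $2. An appended DROP (-A) only takes effect if
# none of those earlier rules already matches group 1 traffic; if one does,
# put the DROP first instead:  iptables -I INPUT 1 -s SRC -d DST -j DROP
# Exit status: 0 when the DROP rule is present, 1 when it is missing entirely
# (which is what "-D" leaves you with, since -D deletes a rule).
accepts_above_drop() {
  awk -v want="-s $1 -d $2 -j DROP" '
    /^-P / { next }                       # chain policy line, not a rule
    index($0, want) { found = 1; exit }   # reached the DROP we care about
    /-j ACCEPT/ { print }
    END { exit found ? 0 : 1 }
  '
}

# Constructed sample of "iptables -S INPUT" from a host where an interface-wide
# ACCEPT on tun0 precedes the DROP, so group 1 packets never reach the DROP.
SAMPLE_INPUT='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP'

# Number of ACCEPT rules that come before the DROP in the constructed sample.
sample_shadow_count() {
  printf '%s\n' "$SAMPLE_INPUT" \
    | accepts_above_drop 10.100.0.0/17 10.100.0.1/32 \
    | wc -l | tr -d ' '
}

# "sh thisfile.sh apply" on the server writes both configs, appends the DROP
# rule (kept as a second layer next to DeviceType = dummy) and then lists the
# ACCEPT rules you still have to review. Without the argument nothing is changed.
if [ "${1:-}" = apply ]; then
  write_tinc_conf group2 655 tun
  write_tinc_conf group1 656 dummy
  iptables -A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
  iptables -S INPUT | accepts_above_drop 10.100.0.0/17 10.100.0.1/32
fi
```

After the real "iptables -A ..." on the server, "iptables -S INPUT | accepts_above_drop 10.100.0.0/17 10.100.0.1/32" shows exactly the rules that could still let group 1 through; an empty list means the appended DROP is the first rule that sees that traffic.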