Firewall rules for TINC server

Guus Sliepen guus at tinc-vpn.org
Sun Jan 15 15:02:21 CET 2017


On Fri, Jan 13, 2017 at 06:53:07PM +0000, Guillermo Bisheimer wrote:

> I've setup a Tinc VPN for a bunch of nodes divided in two groups:
> 
> Group 1:
> IP Range 10.100.0.2 to 10.100.127.255
> 
> Group 2:
> IP Range 10.100.128.1 to 10.100.255.255
> 
> Server IP: 10.100.0.1

I would recommend running two tinc daemons on the server, one for each
group. That way, you don't have to use TunnelServer and Forwarding =
kernel.

> The problem is that I also need to isolate clients from group 1 from
> reaching the server, but found no way to do that yet.

If you use two tinc daemons, then for group 1 you can add
"DeviceType = dummy" to the server's tinc.conf. That way the server
doesn't create a tun/tap interface at all, so it cannot send or receive
packets for that group.

> Tried with
> 
> sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
> 
> but this only works for blocking ping but it doesn't stop curl or anything
> else.

That command works better with -A instead of -D. It should then drop
everything, not just ping packets, unless there is another rule earlier
in the INPUT chain that explicitly allows that traffic.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
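The following is an added example, not part of Guus's reply or of the tinc project: it lays out the two-daemon layout he suggests (group 1 served by a daemon with DeviceType = dummy, group 2 by a normal one on a second port), emits the iptables rule with -A instead of -D, and checks a saved INPUT chain for the failure mode he mentions, an earlier ACCEPT that swallows the traffic before the DROP is reached. The netnames "group1"/"group2", the node name "server", port 656 for the second daemon, and the sample chain listings are all assumptions constructed for the example; the configuration root defaults to a temporary directory so the script runs without root or tinc installed, and the iptables command is printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the original post or the tinc project).
# Netnames, node name, ports and CONF_ROOT are assumptions; the script writes
# to a temp dir and only prints the iptables command, so no root is needed.
set -eu

CONF_ROOT="${CONF_ROOT:-$(mktemp -d)}"

# write_tinc_conf NETNAME PORT DEVICETYPE
# Writes $CONF_ROOT/NETNAME/tinc.conf and prints its path. Pass "dummy" for
# the group the server must not exchange packets with, "tun" for the other.
# Each daemon needs its own Port; the hosts/ files (Subnet, Address, keys)
# are out of scope here and are not created.
write_tinc_conf() {
    netname=$1 port=$2 devtype=$3
    mkdir -p "$CONF_ROOT/$netname/hosts"
    cat > "$CONF_ROOT/$netname/tinc.conf" <<EOF
Name = server
Port = $port
DeviceType = $devtype
EOF
    printf '%s\n' "$CONF_ROOT/$netname/tinc.conf"
}

# conf_value FILE KEY: print the value of KEY from a tinc.conf-style file.
conf_value() {
    sed -n "s/^$2 *= *//p" "$1"
}

# drop_rule: the poster's rule with -A (append) in place of -D (delete).
drop_rule() {
    printf 'iptables -A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP\n'
}

# drop_is_effective: read `iptables -S INPUT` output on stdin.
# Returns 0 if the DROP for 10.100.0.1 is reached before any ACCEPT rule,
# 1 if an ACCEPT precedes it (so it may never match), 2 if it is absent.
# Any earlier ACCEPT is treated as suspect; inspect it to see if it matches.
drop_is_effective() {
    seen_accept=0
    while IFS= read -r line; do
        case $line in
            *"-d 10.100.0.1/32"*"-j DROP"*)
                if [ "$seen_accept" -eq 0 ]; then return 0; else return 1; fi ;;
            *"-j ACCEPT"*)
                seen_accept=1 ;;
        esac
    done
    return 2
}

# Constructed sample chains, as `iptables -S INPUT` would print them.
# BAD_CHAIN: the DROP was appended after a blanket ACCEPT on the tun
# interface, so group-1 packets to the server are accepted first.
BAD_CHAIN='-P INPUT ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP'
# GOOD_CHAIN: the DROP comes first, so the ACCEPT never sees that traffic.
GOOD_CHAIN='-P INPUT ACCEPT
-A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
-A INPUT -i tun+ -j ACCEPT'

# Demo: two configs, one per daemon; start with `tincd -n group1` and
# `tincd -n group2` once the hosts/ files and keys are in place.
g1=$(write_tinc_conf group1 655 dummy)
g2=$(write_tinc_conf group2 656 tun)
echo "group1 DeviceType: $(conf_value "$g1" DeviceType) (server has no interface for group 1)"
echo "group2 DeviceType: $(conf_value "$g2" DeviceType) on port $(conf_value "$g2" Port)"
echo "rule to append: $(drop_rule)"
for name in GOOD_CHAIN BAD_CHAIN; do
    eval "chain=\$$name"
    if printf '%s\n' "$chain" | drop_is_effective; then
        echo "$name: DROP is reached before any ACCEPT"
    else
        echo "$name: an earlier ACCEPT precedes the DROP; use -I INPUT 1 or move the rule"
    fi
done
```

On a live host, feed `iptables -S INPUT | drop_is_effective` to check the actual chain; if it reports an earlier ACCEPT, insert the DROP at the top with `iptables -I INPUT 1 ...` rather than appending it. The rule only covers packets addressed to the server itself (INPUT); with the two-daemon layout and a dummy device for group 1, the server never receives group-1 packets in the first place, so the iptables rule becomes a second line of defence rather than the only one.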
