Disallow binding via tinc
Niklas Hambüchen
mail at nh2.me
Sat Jan 28 05:37:31 CET 2017
OK, looks like iptables it is then.
I found that the tinc-up script is a convenient place to put this, and
with newer iptables's `--check` feature, we can ensure that the rule
isn't added more than once when tinc is restarted.
So I'm currently using in there something like:
    iptables --check INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT ||
        iptables --append INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT
    ip6tables --check INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT ||
        ip6tables --append INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables --check INPUT -i tun0benacovpn -j REJECT --reject-with icmp-port-unreachable ||
        iptables --append INPUT -i tun0benacovpn -j REJECT --reject-with icmp-port-unreachable
    ip6tables --check INPUT -i tun0benacovpn -j REJECT --reject-with icmp6-port-unreachable ||
        ip6tables --append INPUT -i tun0benacovpn -j REJECT --reject-with icmp6-port-unreachable
Thanks for your hints!
On 27/01/17 17:33, Guus Sliepen wrote:
> Otherwise, the best option is to add firewall rules that disallow any
> new incoming connections from the VPN interface, but still allow
> outgoing connections. Example commands to do this:
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i <VPN interface> -j DROP
>
> Don't forget about IPv6, where you have to add similar rules.
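The same policy as an added, stand-alone tinc-up/tinc-down script (example code, not the poster's script and not part of tinc). It keeps the check-or-add idea from the message above but puts the rules in a private chain per interface, because `--check` only tests whether a rule exists, not where it sits, and an appended REJECT lands below any permissive rule already in INPUT. Assumptions: tinc exports INTERFACE to tinc-up and tinc-down, iptables/ip6tables are 1.4.11 or later (for `--check`), the chain name VPN_IN_<interface> is our own choice, and the IPT4/IPT6 variables exist only so the script can be pointed at a stand-in for testing.

```shell
#!/bin/sh
# tinc-up / tinc-down: deny new connections from VPN peers while keeping
# this host's own outgoing VPN connections (and their replies) working.
#
# Added example, not tinc's own code and not the script from the post above.
# Assumptions: tinc exports INTERFACE to tinc-up and tinc-down (it does);
# iptables/ip6tables understand --check (1.4.11 or later); the chain name
# VPN_IN_<interface> is our own choice (22 characters at most for a
# 15-character interface name, under iptables' 28-character chain limit).
# Install as tinc-up and symlink tinc-down to the same file: the basename
# selects the direction.
#
# POSIX sh has no 'local', so every function uses its own variable prefix
# to avoid clobbering a caller's variables.

IPT4=${IPT4:-iptables}
IPT6=${IPT6:-ip6tables}

# ensure_rule TOOL CHAIN RULE...: put RULE at the top of CHAIN unless it is
# already there. --check makes a restart idempotent, but it only tests
# presence, not position; that is why the policy itself lives in a private
# chain that is rebuilt from scratch below.
ensure_rule() {
    er_tool=$1; er_chain=$2; shift 2
    "$er_tool" --check "$er_chain" "$@" 2>/dev/null ||
        "$er_tool" --insert "$er_chain" 1 "$@"
}

# remove_rule TOOL CHAIN RULE...: delete every copy of RULE from CHAIN.
remove_rule() {
    rr_tool=$1; rr_chain=$2; shift 2
    while "$rr_tool" --check "$rr_chain" "$@" 2>/dev/null; do
        "$rr_tool" --delete "$rr_chain" "$@"
    done
}

# vpn_rules_up TOOL IFACE REJECT_TYPE: rebuild the private chain for IFACE
# and hook it in as the first INPUT rule, ahead of any permissive rules
# already present (an appended REJECT would sit below those and let VPN
# peers reach whatever they accept).
vpn_rules_up() {
    up_tool=$1; up_iface=$2; up_reject=$3; up_chain="VPN_IN_$up_iface"
    "$up_tool" --new-chain "$up_chain" 2>/dev/null || true   # exists after a restart
    "$up_tool" --flush "$up_chain"
    "$up_tool" --append "$up_chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$up_tool" --append "$up_chain" -j REJECT --reject-with "$up_reject"
    ensure_rule "$up_tool" INPUT -i "$up_iface" -j "$up_chain"
}

# vpn_rules_down TOOL IFACE: undo vpn_rules_up completely.
vpn_rules_down() {
    dn_tool=$1; dn_iface=$2; dn_chain="VPN_IN_$dn_iface"
    remove_rule "$dn_tool" INPUT -i "$dn_iface" -j "$dn_chain"
    "$dn_tool" --flush "$dn_chain" 2>/dev/null || true
    "$dn_tool" --delete-chain "$dn_chain" 2>/dev/null || true
}

# tinc runs this with INTERFACE set; without it only the functions are
# defined, so the file can be sourced for testing.
if [ -n "${INTERFACE:-}" ]; then
    case ${0##*/} in
        tinc-down)
            vpn_rules_down "$IPT4" "$INTERFACE"
            vpn_rules_down "$IPT6" "$INTERFACE" ;;
        *)
            vpn_rules_up "$IPT4" "$INTERFACE" icmp-port-unreachable
            vpn_rules_up "$IPT6" "$INTERFACE" icmp6-port-unreachable ;;
    esac
fi
```

Two caveats a deployment should be aware of: between `--flush` and the two `--append` calls the private chain is briefly empty, so for that instant packets from the VPN interface fall through to the rest of INPUT (the jump is a no-op on an empty chain); and the ACCEPT rule inside the chain needs no `-i` match because the jump from INPUT already restricts it to the VPN interface.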