Disallow binding via tinc

Niklas Hambüchen mail at nh2.me
Sat Jan 28 05:37:31 CET 2017


OK, looks like iptables it is then.

I found that the tinc-up script is a convenient place to put this, and
with newer iptables's `--check` feature, we can ensure that the rule
isn't added more than once when tinc is restarted.

So I'm currently using in there something like:

iptables --check INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT ||
iptables --append INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT

ip6tables --check INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT ||
ip6tables --append INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables --check INPUT -i tun0benacovpn -j REJECT --reject-with icmp-port-unreachable ||
iptables --append INPUT -i tun0benacovpn -j REJECT --reject-with icmp-port-unreachable

ip6tables --check INPUT -i tun0benacovpn -j REJECT --reject-with icmp6-port-unreachable ||
ip6tables --append INPUT -i tun0benacovpn -j REJECT --reject-with icmp6-port-unreachable

Thanks for your hints!

On 27/01/17 17:33, Guus Sliepen wrote:
> Otherwise, the best option is to add firewall rules that disallow any
> new incoming connections from the VPN interface, but still allow
> outgoing connections. Example commands to do this:
> 
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i <VPN interface> -j DROP
> 
> Don't forget about IPv6, where you have to add similar rules.
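As an added example (editor's illustration, not Niklas's script and not code from the tinc project), the --check/--append pairs above folded into a complete tinc-up in POSIX sh. It relies on tincd exporting INTERFACE (the VPN interface name) to its tinc-up and tinc-down scripts, which tinc does; the helper names ensure_rule, remove_rule, apply_rules, drop_rules, firewall_up and firewall_down are made up for this example. Beyond the post it also supplies the inverse (--delete) for tinc-down, so rules for a renamed interface never linger.

```shell
#!/bin/sh
# Example tinc-up (added illustration, not Niklas's script or tinc's own code).
# Same idea as the --check || --append pairs in the post: every rule is added
# only if it is not already present, so restarting tincd never duplicates it.
# tincd exports INTERFACE (the VPN interface name) to tinc-up/tinc-down; when
# that variable is absent the script defines its helpers and applies nothing.

# ensure_rule CMD CHAIN RULE...: append RULE to CHAIN with CMD (iptables or
# ip6tables) unless an identical rule already exists.
ensure_rule() {
    cmd=$1; chain=$2; shift 2
    if "$cmd" --check "$chain" "$@" 2>/dev/null; then
        return 0                      # rule already present, nothing to do
    fi
    "$cmd" --append "$chain" "$@"
}

# remove_rule CMD CHAIN RULE...: delete RULE from CHAIN if it is present.
# Meant for tinc-down, so a stale interface name never leaves rules behind.
remove_rule() {
    cmd=$1; chain=$2; shift 2
    if "$cmd" --check "$chain" "$@" 2>/dev/null; then
        "$cmd" --delete "$chain" "$@"
    fi
}

# apply_rules CMD IFACE REJECT_TYPE: allow replies to connections this host
# opened, reject everything else arriving on the VPN interface. The ACCEPT
# must precede the REJECT, which --append guarantees only when both rules are
# added together, as they are here.
apply_rules() {
    cmd=$1; iface=$2; reject=$3
    ensure_rule "$cmd" INPUT -i "$iface" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ensure_rule "$cmd" INPUT -i "$iface" -j REJECT --reject-with "$reject"
}

# drop_rules CMD IFACE REJECT_TYPE: the inverse of apply_rules, for tinc-down.
drop_rules() {
    cmd=$1; iface=$2; reject=$3
    remove_rule "$cmd" INPUT -i "$iface" -j REJECT --reject-with "$reject"
    remove_rule "$cmd" INPUT -i "$iface" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Both address families, as the post and Guus's IPv6 reminder require.
firewall_up() {
    apply_rules iptables  "$1" icmp-port-unreachable
    apply_rules ip6tables "$1" icmp6-port-unreachable
}

firewall_down() {
    drop_rules iptables  "$1" icmp-port-unreachable
    drop_rules ip6tables "$1" icmp6-port-unreachable
}

# tincd sets INTERFACE when it runs this file; pick up or down from the
# script name so one file can be installed as both tinc-up and tinc-down.
if [ -n "${INTERFACE:-}" ]; then
    case $0 in
        *tinc-down) firewall_down "$INTERFACE" ;;
        *)          firewall_up   "$INTERFACE" ;;
    esac
fi
```

Installed as tinc-up (and symlinked as tinc-down) in the network's directory, the script is idempotent across restarts because --append only runs after --check has failed. One thing the pattern does not protect against on its own is rule order: if the ACCEPT rule is deleted by hand while the REJECT stays, the next run appends the ACCEPT after the REJECT and established replies get rejected; the tinc-down cleanup exists precisely so that both rules are always removed and re-added as a pair.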

