[[!meta title="tinc from behind a firewall"]]

## Example: tinc from behind a firewall
When running tinc on a host behind a firewall (not on the firewall itself), the firewall must be configured to let the tinc traffic through. By default tinc uses port 655, both TCP (for the control connection between the nodes) and UDP (for the encrypted VPN data), and the traffic flows in both directions. Example firewall rules are included below. They are written for iptables (the Linux 2.4 firewall code), but commented so that you can apply the same kind of rules to other firewalls.
[[!img examples/fig-firewall.png]]
The network setup is as follows:

* Internal network is 123.234.123.0/24
* Firewall IP is 123.234.123.1
* Host running tinc has IP 123.234.123.42
* VPN the host wants to connect to has address range 192.168.0.0/16
* The host has its own VPN IP 192.168.10.20
Note that the internal network has real Internet addresses and is therefore reachable from the outside in its entirety, apart from whatever the firewall blocks. If the internal network uses private addresses, refer to the masquerading firewall example instead.
### Configuration of the host running tinc

The host itself does no packet filtering or NAT (all chains have an ACCEPT policy and no rules); every restriction lives on the firewall.

```
host# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:20:30:40:50:60
          inet addr:123.234.123.42  Bcast:123.234.123.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3856  Metric:1

vpn       Link encap:Point-to-Point Protocol
          inet addr:192.168.10.20  P-t-P:192.168.10.20  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

host# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
123.234.123.0   *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.0.0     U     0      0        0 vpn
default         123.234.123.1   0.0.0.0         UG    0      0        0 eth0

host# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
 pkts bytes target     prot opt in     out     source               destination

host# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
### Configuration of tinc

The host is the node `atwork` and connects out to the node `home`; the `hosts/atwork` file carries the host's own address and VPN subnet, `hosts/home` those of the other end. The public key material is elided.

```
host# cat /etc/tinc/vpn/tinc.conf
Name = atwork
ConnectTo = home

host# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0

host# ls /etc/tinc/vpn/hosts
atwork  home

host# cat /etc/tinc/vpn/hosts/atwork
Address = 123.234.123.42
Subnet = 192.168.10.20/32
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

host# cat /etc/tinc/vpn/hosts/home
Address = 200.201.202.203
Subnet = 192.168.1.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
```
### Configuration of the firewall

```
firewall# ifconfig
ppp0      Link encap:Point-to-Point Protocol
          inet addr:123.234.123.1  P-t-P:123.234.120.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:20:13:14:15:16
          inet addr:123.234.123.1  Bcast:123.234.123.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3856  Metric:1

firewall# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
123.234.123.0   *               255.255.255.0   U     0      0        0 eth0
default         123.234.120.1   0.0.0.0         UG    0      0        0 ppp0

firewall# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K ACCEPT     tcp  --  ppp0   eth0    anywhere             123.234.123.0/24     tcp flags:!SYN,RST,ACK/SYN
 1234  123K ACCEPT     any  --  eth0   ppp0    123.234.123.0/24     anywhere
 1234  123K ACCEPT     tcp  --  ppp0   eth0    anywhere             123.234.123.42       tcp dpt:655
 1234  123K ACCEPT     udp  --  ppp0   eth0    anywhere             123.234.123.42       udp dpt:655

Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
 pkts bytes target     prot opt in     out     source               destination

firewall# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

The FORWARD chain has a DROP policy, so only the four rules in the script below let traffic through: the internal network (123.234.123.0/24) may open anything towards the Internet and receives the TCP replies, and in addition the outside world may reach the tinc host (123.234.123.42) on port 655, TCP and UDP. The last two rules are what make this example different from a plain outbound-only firewall: without them `home` could never initiate the control connection, and its UDP packets carrying the VPN data would be dropped.

```
firewall# cat /etc/init.d/firewall
#!/bin/sh

# Enable IP forwarding between eth0 (internal) and ppp0 (Internet).
echo 1 >/proc/sys/net/ipv4/ip_forward

# Drop everything that is not explicitly allowed below.
iptables -P FORWARD DROP

# Let the replies to TCP connections opened from the internal network back in:
# any inbound TCP packet that is not a connection-opening SYN.
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.0/24 -p tcp ! --syn

# Let the internal network open anything it likes towards the Internet.
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 123.234.123.0/24

# Let tinc traffic from the outside reach the host running tinc:
# TCP 655 for the control connection, UDP 655 for the VPN data.
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.42 -p tcp --dport 655
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.42 -p udp --dport 655
```

Note that the `! --syn` rule is stateless: it admits every inbound TCP segment that is not a bare SYN, and it does nothing for UDP, so replies to UDP traffic the internal hosts send out (DNS queries, for instance) are dropped by the policy. If your kernel has connection tracking (ip_conntrack), `-m state --state ESTABLISHED,RELATED` on the ppp0 to eth0 path is the tighter replacement and covers UDP replies as well; the two port 655 rules are still needed for connections that `home` initiates.
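To check that the rules above really let both halves of a tinc connection through, and to see what the DROP policy catches, here is an offline model of the firewall's FORWARD chain. It is an added example, not code from the original page or from the tinc project: the `Rule` and `Packet` classes, the flow names and the stranger's address 198.51.100.7 are constructed for the check. It runs the same four rules twice, once for the tinc host's real address and once for a version with two octets transposed (123.234.132.42), to show how a single typo in the address silently breaks the inbound tinc rules while outbound traffic keeps working.

```python
"""Offline model of the firewall's FORWARD chain from this page.

Added example, not part of tinc or of the original page.  It checks that the
flows tinc needs between the host (123.234.123.42) and the node 'home'
(200.201.202.203) are forwarded, and that an unsolicited connection is not.
The packets below are constructed for the check.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

HOST = "123.234.123.42"     # tinc host on the internal LAN (from the page)
LAN = "123.234.123.0/24"    # the internal network (from the page)
HOME = "200.201.202.203"    # Address = of the 'home' node (from the page)
TINC_PORT = 655             # tinc's default TCP and UDP port


class Packet(NamedTuple):
    in_if: str
    out_if: str
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False   # TCP packet with SYN set and ACK clear


class Rule(NamedTuple):
    """One FORWARD rule; a None match means 'any', as in iptables."""
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR
    dst: Optional[str] = None      # CIDR
    dport: Optional[int] = None
    not_syn: bool = False          # '-p tcp ! --syn'
    target: str = "ACCEPT"

    def matches(self, p: Packet) -> bool:
        if self.in_if and p.in_if != self.in_if:
            return False
        if self.out_if and p.out_if != self.out_if:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.not_syn and (p.proto != "tcp" or p.syn):
            return False
        return True


def forward_verdict(rules, p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def firewall_rules(tinc_host: str = HOST):
    """The four FORWARD rules of /etc/init.d/firewall on this page, with the
    tinc host's address as a parameter so a mistyped one can be tried too."""
    return [
        Rule(in_if="ppp0", out_if="eth0", proto="tcp", dst=LAN, not_syn=True),
        Rule(in_if="eth0", out_if="ppp0", src=LAN),
        Rule(in_if="ppp0", out_if="eth0", proto="tcp", dst=tinc_host + "/32", dport=TINC_PORT),
        Rule(in_if="ppp0", out_if="eth0", proto="udp", dst=tinc_host + "/32", dport=TINC_PORT),
    ]


def tinc_flows():
    """Constructed packets: what tinc needs forwarded, plus one that must not be."""
    return {
        # the host opens its control connection to home (ConnectTo = home)
        "host_to_home_syn": Packet("eth0", "ppp0", "tcp", HOST, HOME, TINC_PORT, syn=True),
        # home's segments back on that connection (to the host's ephemeral port)
        "home_reply": Packet("ppp0", "eth0", "tcp", HOME, HOST, 40000),
        # home opening a control connection towards the host instead
        "home_to_host_syn": Packet("ppp0", "eth0", "tcp", HOME, HOST, TINC_PORT, syn=True),
        # encrypted VPN data from home, UDP 655 to 655
        "home_to_host_udp": Packet("ppp0", "eth0", "udp", HOME, HOST, TINC_PORT),
        # an unsolicited SYN to ssh on the host must hit the DROP policy
        "stranger_to_host_ssh": Packet("ppp0", "eth0", "tcp", "198.51.100.7", HOST, 22, syn=True),
    }


def check_ruleset(tinc_host: str = HOST) -> dict:
    """Verdict for every named flow under rules written for tinc_host."""
    rules = firewall_rules(tinc_host)
    return {name: forward_verdict(rules, p) for name, p in tinc_flows().items()}


if __name__ == "__main__":
    # the page's address first, then the same rules with two octets transposed
    for host in (HOST, "123.234.132.42"):
        print(f"rules written for {host}:")
        for name, verdict in check_ruleset(host).items():
            print(f"  {name:22s} {verdict}")
```

The model is first-match-wins with a chain policy, like iptables, but it keeps no connection state: the `! --syn` rule is modelled exactly as written, so any non-SYN TCP segment addressed to the LAN passes, and a UDP reply to an ephemeral port on the host is dropped because only port 655 is opened. With the transposed address, `host_to_home_syn` and `home_reply` still come back ACCEPT, which is why such a typo is easy to miss until `home` tries to connect first or the UDP data path stays silent.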