[[!meta title="tinc from behind a masquerading firewall"]]

## Example: tinc from behind a masquerading firewall
When running tinc from behind a masquerading firewall (rather than on the
firewall itself), the firewall must be configured so that tinc's traffic passes
through it without the source and destination ports being altered: incoming TCP
and UDP packets for tinc's port (655 by default) have to be forwarded to the host
running tinc, and outgoing UDP packets from that port have to keep 655 as their
source port when they are masqueraded, so that the remote node sees the tinc
traffic arriving from the port it expects. Example firewall rules are included
below. They are written for iptables (the Linux 2.4 firewall code), but they are
commented so that you can apply the same kind of rules to other firewalls.
[[!img examples/fig-firewall.png]]

The network setup is as follows:

* Internal network is 10.20.30.0/24
* Firewall IP is 123.234.123.1 on the outside, 10.20.30.1/24 on the inside.
* Host running tinc has IP 10.20.30.42
* VPN the host wants to connect to has address range 192.168.0.0/16
* The host has its own VPN IP 192.168.10.20
### Configuration of the host running tinc

> eth0      Link encap:Ethernet  HWaddr 00:20:30:40:50:60
>           inet addr:10.20.30.42  Bcast:10.20.30.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING  MTU:1500  Metric:1
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:3856  Metric:1
>
> vpn       Link encap:Point-to-Point Protocol
>           inet addr:192.168.10.20  P-t-P:192.168.10.20  Mask:255.255.0.0
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
> 192.168.0.0     *               255.255.0.0     U     0      0        0 vpn
> default         10.20.30.1      0.0.0.0         UG    0      0        0 eth0
> host# iptables -L -v
> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> host# iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
### Configuration of tinc

> host# cat /etc/tinc/vpn/tinc.conf
>
> host# cat /etc/tinc/vpn/tinc-up
> ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0
>
> host# ls /etc/tinc/vpn/hosts
>
> host# cat /etc/tinc/vpn/hosts/atwork
> Address = 123.234.123.1
> Subnet = 192.168.10.20/32
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----
>
> host# cat /etc/tinc/vpn/hosts/home
> Address = 200.201.202.203
> Subnet = 192.168.1.0/24
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----
### Configuration of the firewall

> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:123.234.123.1  P-t-P:123.234.120.1  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
>
> eth0      Link encap:Ethernet  HWaddr 00:20:13:14:15:16
>           inet addr:10.20.30.1  Bcast:10.20.30.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING  MTU:1500  Metric:1
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:3856  Metric:1
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
> default         123.234.120.1   0.0.0.0         UG    0      0        0 ppp0
> firewall# iptables -L -v
> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy DROP 1234 packets, 123K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  1234  123K ACCEPT     any  --  ppp0   eth0    anywhere             10.20.30.0/24
>  1234  123K ACCEPT     any  --  eth0   ppp0    10.20.30.0/24        anywhere
>
> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> firewall# iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  1234  123K DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:655 to:10.20.30.42:655
>  1234  123K DNAT       udp  --  ppp0   any     anywhere             anywhere             udp dpt:655 to:10.20.30.42:655
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  1234  123K MASQUERADE all  --  eth0   ppp0    anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> firewall# cat /etc/init.d/firewall
> echo 1 >/proc/sys/net/ipv4/ip_forward
>
> iptables -P FORWARD DROP
> iptables -F FORWARD
> # Default-deny forwarding. The first rule is also what lets the DNATed tinc packets
> # (destination rewritten to 10.20.30.42 in PREROUTING below) reach the host
> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
>
> iptables -t nat -F POSTROUTING
> # Next rule prevents masquerading from altering the source port of outbound tinc packets.
> # It must come before the general MASQUERADE rule, since the first matching rule wins
> iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655
> iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
>
> iptables -t nat -F PREROUTING
> # Next two rules forward incoming tinc packets (TCP for the meta connection, UDP for the
> # tunnelled data) to the host behind the firewall running tinc
> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655
> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655
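The script above is the page's own. As an added example that is not part of the original page or of tinc itself, the following POSIX shell script regenerates the same rule set from a few variables and adds the check a practitioner wants after applying it: it parses an `iptables-save` dump and reports the two mistakes that silently break tinc behind NAT, a missing DNAT for the tinc port and a generic MASQUERADE rule ordered before the port-preserving one. The variable defaults match the example network above; the function names, the `print|apply|check` interface and the two sample dumps are assumptions constructed for this example, not captured from a real system.

```shell
#!/bin/sh
# Added example; not code from the tinc page or the tinc project. It regenerates
# the page's masquerading-firewall rules from a few variables and checks an
# iptables-save dump for the two mistakes that break tinc behind NAT: a missing
# DNAT for the tinc port, and a generic MASQUERADE rule ordered before the
# port-preserving one (outbound tinc UDP then leaves with a rewritten source port).
# Function names, defaults and the sample dumps are assumptions based on the page.

TINC_PORT=${TINC_PORT:-655}           # tinc listens on TCP and UDP 655 by default
TINC_HOST=${TINC_HOST:-10.20.30.42}   # the host running tinc behind the firewall
LAN_NET=${LAN_NET:-10.20.30.0/24}
WAN_IF=${WAN_IF:-ppp0}
LAN_IF=${LAN_IF:-eth0}

# Print the iptables commands; flushing the chains first makes re-running safe.
tinc_nat_rules() {
    cat <<EOF
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o $WAN_IF -p udp -m udp --sport $TINC_PORT -j MASQUERADE --to-ports $TINC_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -m tcp --dport $TINC_PORT -j DNAT --to-destination $TINC_HOST:$TINC_PORT
iptables -t nat -A PREROUTING -i $WAN_IF -p udp -m udp --dport $TINC_PORT -j DNAT --to-destination $TINC_HOST:$TINC_PORT
EOF
}

# Read iptables-save output on stdin. Exit 0 if both DNATs exist and the
# port-preserving MASQUERADE is the first MASQUERADE on the WAN interface;
# otherwise report what is wrong and exit 1.
check_tinc_nat() {
    awk -v port="$TINC_PORT" -v host="$TINC_HOST" -v wan="$WAN_IF" '
    /^\*/ { table = substr($0, 2) }   # "*nat", "*filter", ...
    table == "nat" && /^-A PREROUTING / && $0 ~ ("--dport " port " -j DNAT --to-destination " host ":" port "$") {
        if ($0 ~ / -p tcp /) dnat_tcp = 1
        if ($0 ~ / -p udp /) dnat_udp = 1
    }
    table == "nat" && /^-A POSTROUTING / && / -j MASQUERADE/ && $0 ~ ("-o " wan " ") {
        masq_seen++   # position of this rule among the MASQUERADE rules on the WAN interface
        if ($0 ~ (" -p udp .*--sport " port " -j MASQUERADE --to-ports " port "$")) keep_port = masq_seen
    }
    END {
        ok = 1
        if (!dnat_tcp) { print "missing: DNAT tcp/" port " -> " host ":" port; ok = 0 }
        if (!dnat_udp) { print "missing: DNAT udp/" port " -> " host ":" port; ok = 0 }
        if (!keep_port) { print "missing: MASQUERADE --to-ports " port " for udp sport " port " on " wan; ok = 0 }
        else if (keep_port != 1) { print "wrong order: a generic MASQUERADE on " wan " precedes the port-preserving rule"; ok = 0 }
        if (ok) print "ok: tinc NAT rules present and correctly ordered"
        if (!ok) exit 1
    }'
}

# Constructed iptables-save output for this page's firewall (not captured from a
# real system): first with the correct rule order, then with the MASQUERADE rules swapped.
good_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 655 -j DNAT --to-destination 10.20.30.42:655
-A PREROUTING -i ppp0 -p udp -m udp --dport 655 -j DNAT --to-destination 10.20.30.42:655
-A POSTROUTING -o ppp0 -p udp -m udp --sport 655 -j MASQUERADE --to-ports 655
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
EOF
}
bad_dump() {
    good_dump | awk '/--to-ports/ { held = $0; next }   # hold the port-preserving rule back...
                     /^COMMIT/ && held { print held }   # ...and emit it after the generic MASQUERADE
                     { print }'
}

# Usage: sh tinc-nat.sh print|apply|check ("apply" and "check" need root).
# Without an argument the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    case "$1" in
        print) tinc_nat_rules ;;
        apply) tinc_nat_rules | sh -e ;;
        check) iptables-save | check_tinc_nat ;;
        *) echo "usage: $0 print|apply|check" >&2; exit 2 ;;
    esac
fi
```

Run `sh tinc-nat.sh check` (or `iptables-save | check_tinc_nat`) after applying the rules; on the swapped-order dump it prints `wrong order: a generic MASQUERADE on ppp0 precedes the port-preserving rule`, which is exactly the failure you get when someone appends the tinc rule to an existing POSTROUTING chain instead of inserting it first. The check only inspects the nat table, so also watch the counters in `iptables -t nat -L POSTROUTING -v` while tinc is sending: the `--to-ports 655` rule should be the one whose packet count grows. Note too that the FORWARD rules, kept as on the page, accept any traffic from ppp0 into the internal network, not only replies and tinc; a stricter firewall would accept returning traffic with `-m state --state ESTABLISHED,RELATED` and add an explicit accept for the DNATed tinc port on top of that.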