[[!meta title="tinc from behind a firewall"]]

## Example: tinc from behind a firewall
When running tinc on a host behind a firewall (rather than on the firewall
itself), the firewall must be configured so that it lets the tinc traffic
through. Example firewall rules are included in this example. They are written
for iptables (the Linux 2.4 firewall code), but are commented so that you can
apply the same kind of rules to other firewalls.
[[!img examples/fig-firewall.png]]
The network setup is as follows:

* Internal network is 123.234.123.0/24
* Firewall IP is 123.234.123.1
* Host running tinc has IP 123.234.123.42
* VPN the host wants to connect to has address range 192.168.0.0/16
* The host has its own VPN IP 192.168.10.20
Note that the internal network uses real Internet addresses and is therefore
entirely reachable from the outside, except for the restrictions the firewall
imposes. If the internal network uses private addresses instead, refer to the
masquerading firewall example.
### Configuration of the host running tinc

The host's network interfaces:

> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
> inet addr:123.234.123.42 Bcast:123.234.123.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MTU:1500 Metric:1

> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:3856 Metric:1

> vpn Link encap:Point-to-Point Protocol
> inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1

The host's routing table:

> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
> 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn
> default 123.234.123.1 0.0.0.0 UG 0 0 0 eth0
> host# iptables -L -v
> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
> pkts bytes target prot opt in out source destination

> host# iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
### Configuration of tinc

> host# cat /etc/tinc/vpn/tinc.conf

> host# cat /etc/tinc/vpn/tinc-up
> ifconfig vpn 192.168.10.20 netmask 255.255.0.0

> host# ls /etc/tinc/vpn/hosts

> host# cat /etc/tinc/vpn/hosts/atwork
> Address = 123.234.123.42
> Subnet = 192.168.10.20/32
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----

> host# cat /etc/tinc/vpn/hosts/home
> Address = 200.201.202.203
> Subnet = 192.168.1.0/24
> -----BEGIN RSA PUBLIC KEY-----
> -----END RSA PUBLIC KEY-----
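The host files above carry the two things every node needs to know about a peer: where to reach it (Address) and which VPN addresses it owns (Subnet). The following Python script is an added example, not part of this page or of tinc itself. It parses host files in that format, keeps the public key block intact, and checks that every Subnet lies inside the VPN range 192.168.0.0/16, that no two hosts claim the same Subnet, and that the local host's Subnet covers the address configured in tinc-up. The sample files are constructed to mirror atwork and home; the key bodies are placeholders, not real keys.

```python
import ipaddress

# Constructed sample host files, modelled on the atwork/home files on this page.
# The PEM bodies are placeholders, not real key material.
HOST_FILES = {
    "atwork": (
        "Address = 123.234.123.42\n"
        "Subnet = 192.168.10.20/32\n"
        "-----BEGIN RSA PUBLIC KEY-----\n"
        "PLACEHOLDER-KEY-MATERIAL\n"
        "-----END RSA PUBLIC KEY-----\n"
    ),
    "home": (
        "Address = 200.201.202.203\n"
        "Subnet = 192.168.1.0/24\n"
        "-----BEGIN RSA PUBLIC KEY-----\n"
        "PLACEHOLDER-KEY-MATERIAL\n"
        "-----END RSA PUBLIC KEY-----\n"
    ),
}

VPN_RANGE = ipaddress.ip_network("192.168.0.0/16")


def parse_host_file(text):
    """Split a tinc host file into its 'Key = value' options and its PEM block.

    Options may repeat (tinc allows several Subnet lines), so values are lists.
    Lines starting with '#' are comments. The PEM block is returned verbatim.
    """
    options = {}
    pem = []
    in_pem = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN "):
            in_pem = True
        if in_pem:
            pem.append(line)
            if line.startswith("-----END "):
                in_pem = False
            continue
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed option line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        options.setdefault(key, []).append(value)
    return options, pem


def subnet_of_option(value):
    """Parse a Subnet value; tinc allows an optional '#weight' suffix after the prefix."""
    net_text = value.split("#", 1)[0].strip()
    return ipaddress.ip_network(net_text, strict=False)


def check_hosts(host_files, vpn_range, local_name, local_vpn_ip):
    """Return a list of problem strings; an empty list means the files are consistent."""
    problems = []
    seen = {}  # subnet -> host name that claimed it first
    local_ip = ipaddress.ip_address(local_vpn_ip)
    for name, text in host_files.items():
        options, pem = parse_host_file(text)
        if not pem or not pem[-1].startswith("-----END "):
            problems.append(f"{name}: public key block missing or unterminated")
        subnets = [subnet_of_option(v) for v in options.get("Subnet", [])]
        if not subnets:
            problems.append(f"{name}: no Subnet, tinc will not route traffic to it")
        for net in subnets:
            if not net.subnet_of(vpn_range):
                problems.append(f"{name}: Subnet {net} lies outside the VPN range {vpn_range}")
            if net in seen and seen[net] != name:
                problems.append(f"{name}: Subnet {net} already claimed by {seen[net]}")
            seen[net] = name
        if name == local_name and not any(local_ip in net for net in subnets):
            problems.append(f"{name}: VPN address {local_ip} from tinc-up is not covered by its Subnet")
    return problems


if __name__ == "__main__":
    for problem in check_hosts(HOST_FILES, VPN_RANGE, "atwork", "192.168.10.20"):
        print(problem)
```

Run it against a real `/etc/tinc/vpn/hosts` directory by reading each file into the `host_files` mapping; a Subnet outside the VPN range or claimed twice is the usual cause of a node that connects fine but cannot reach anything.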
### Configuration of the firewall

The firewall's network interfaces (ppp0 faces the Internet, eth0 the internal network):

> ppp0 Link encap:Point-to-Point Protocol
> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
> inet addr:123.234.123.1 Bcast:123.234.123.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MTU:1500 Metric:1

> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:3856 Metric:1

The firewall's routing table:

> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 123.234.123.0 * 255.255.255.0 U 0 0 0 eth0
> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
> firewall# iptables -L -v
> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy DROP 1234 packets, 123K bytes)
> pkts bytes target prot opt in out source destination
> 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 123.234.123.0/24 tcp flags:!SYN,RST,ACK/SYN
> 1234 123K ACCEPT any -- eth0 ppp0 123.234.123.0/24 anywhere
> 1234 123K ACCEPT tcp -- ppp0 eth0 anywhere 123.234.123.42 tcp dpt:655
> 1234 123K ACCEPT udp -- ppp0 eth0 anywhere 123.234.123.42 udp dpt:655
>
> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
> pkts bytes target prot opt in out source destination

> firewall# iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> firewall# cat /etc/init.d/firewall
> # Enable routing between ppp0 (Internet) and eth0 (internal network 123.234.123.0/24).
> echo 1 >/proc/sys/net/ipv4/ip_forward
>
> # Start from a clean FORWARD chain that drops everything not explicitly allowed.
> iptables -P FORWARD DROP
> iptables -F FORWARD
> # Let replies to TCP connections opened from inside back in (any TCP packet that
> # is not a bare SYN), and let the internal network send anything out.
> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.0/24 -p tcp ! --syn
> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 123.234.123.0/24
> # tinc: let other VPN nodes reach the host's meta connection (TCP) and data
> # channel (UDP) on port 655; only the tinc host, not the whole internal network.
> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.42 -p tcp --dport 655
> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 123.234.123.42 -p udp --dport 655
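The FORWARD chain above is stateless: the first rule lets any non-SYN TCP packet towards the internal network through, the second lets everything out, and the last two open port 655 for tinc, but only towards the tinc host. The following Python model is an added example, not part of this page or of tinc; it re-implements those four rules together with the firewall's routing decision so that you can check what the chain does with a given packet before trusting it. All packets are constructed; 198.51.100.9 is a documentation address standing in for an arbitrary Internet host, and 123.234.123.7 for another machine on the internal network.

```python
import ipaddress

# Constructed model of the firewall's FORWARD chain on this page; addresses and
# interface names follow the page's network setup.
INTERNAL_NET = ipaddress.ip_network("123.234.123.0/24")
TINC_HOST = ipaddress.ip_address("123.234.123.42")
TINC_PORT = 655


def out_iface(dst):
    """Routing decision from the firewall's table: internal net -> eth0, default -> ppp0."""
    return "eth0" if ipaddress.ip_address(dst) in INTERNAL_NET else "ppp0"


def is_bare_syn(flags):
    """iptables --syn: SYN set while ACK and RST are clear, i.e. a new TCP connection."""
    return "SYN" in flags and not ({"ACK", "RST"} & flags)


def forward_verdict(in_iface, src, dst, proto, dport=None, flags=frozenset()):
    """Walk the four ACCEPT rules in order; anything unmatched hits the DROP policy.

    Returns (verdict, rule_name) so the caller can see which rule decided.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = out_iface(dst)
    flags = frozenset(flags)
    # Rule 1: -i ppp0 -o eth0 -d 123.234.123.0/24 -p tcp ! --syn
    if (in_iface == "ppp0" and out == "eth0" and dst_ip in INTERNAL_NET
            and proto == "tcp" and not is_bare_syn(flags)):
        return "ACCEPT", "established-tcp"
    # Rule 2: -i eth0 -o ppp0 -s 123.234.123.0/24
    if in_iface == "eth0" and out == "ppp0" and src_ip in INTERNAL_NET:
        return "ACCEPT", "outbound"
    # Rules 3 and 4: -i ppp0 -o eth0 -d 123.234.123.42 -p tcp/udp --dport 655
    if (in_iface == "ppp0" and out == "eth0" and dst_ip == TINC_HOST
            and proto in ("tcp", "udp") and dport == TINC_PORT):
        return "ACCEPT", f"tinc-{proto}"
    return "DROP", "policy"


def check_ruleset():
    """Exercise the chain with the traffic a practitioner would want to verify."""
    peer = "200.201.202.203"      # the 'home' node from the host files above
    outside = "198.51.100.9"      # constructed: some unrelated Internet host
    host, other = "123.234.123.42", "123.234.123.7"
    return {
        # Another VPN node opening a meta connection to the tinc host.
        "peer_tcp_655": forward_verdict("ppp0", peer, host, "tcp", 655, {"SYN"}),
        # Encrypted VPN data arriving over UDP.
        "peer_udp_655": forward_verdict("ppp0", peer, host, "udp", 655),
        # The same port on a different internal machine stays closed.
        "other_host_655": forward_verdict("ppp0", peer, other, "udp", 655),
        # Unsolicited connection attempt to another service on the tinc host.
        "new_tcp_to_host": forward_verdict("ppp0", outside, host, "tcp", 22, {"SYN"}),
        # Return half of a TCP connection the host opened to the outside.
        "tcp_reply": forward_verdict("ppp0", outside, host, "tcp", 40000, {"SYN", "ACK"}),
        # The host connecting out to the peer's tinc port.
        "host_to_peer": forward_verdict("eth0", host, peer, "tcp", 655, {"SYN"}),
        # A UDP reply to the host on some other port: rule 1 is TCP-only, so it drops.
        "udp_reply": forward_verdict("ppp0", outside, host, "udp", 53000),
    }


if __name__ == "__main__":
    for case, (verdict, rule) in check_ruleset().items():
        print(f"{case:16} {verdict:7} ({rule})")
```

Two properties the model makes visible: port 655 is reachable only on 123.234.123.42 and not on the rest of the internal network, and because the first rule matches TCP only, UDP replies to anything other than the host's port 655 never get back in. The second is inherent in the stateless rules shown on this page; a ruleset built on connection tracking (`-m state --state ESTABLISHED,RELATED`) would admit such replies without opening any further ports.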