--- /dev/null
+[[!meta title="tinc from behind a masquerading firewall"]]
+
+## Example: tinc from behind a masquerading firewall
+
+When running tinc from behind a masquerading firewall (not on the firewall
+itself), one must be careful to configure the firewall so that it allows the
+tinc traffic to pass through without altering the source and destination ports.
+Example firewall rules are included in this example. They are written for
+iptables (Linux 2.4 firewall code), but commented so that you may apply the
+same kind of rules to other firewalls.
+
+[[!toc levels=2]]
+
+### Overview
+
+[[!img examples/fig-firewall.png]]
+
+The network setup is as follows:
+
+* Internal network is 10.20.30.0/24
+* Firewall IP is 123.234.123.1 on the outside, 10.20.30.1/24 on the inside.
+* Host running tinc has IP 10.20.30.42
+* VPN the host wants to connect to has address range 192.168.0.0/16
+* The host has it's own VPN IP 192.168.10.20
+
+### Configuration of the host running tinc
+
+> host# ifconfig
+> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
+> inet addr:10.20.30.42 Bcast:10.20.30.255 Mask:255.255.255.0
+> UP BROADCAST RUNNING MTU:1500 Metric:1
+> ...
+>
+> lo Link encap:Local Loopback
+> inet addr:127.0.0.1 Mask:255.0.0.0
+> UP LOOPBACK RUNNING MTU:3856 Metric:1
+> ...
+>
+> vpn Link encap:Point-to-Point Protocol
+> inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0
+> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
+> ...
+>
+> host# route
+> Kernel IP routing table
+> Destination Gateway Genmask Flags Metric Ref Use Iface
+> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
+> 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn
+> default 10.20.30.1 0.0.0.0 UG 0 0 0 eth0
+>
+> host# iptables -L -v
+> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
+> pkts bytes target prot opt in out source destination
+>
+> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+> pkts bytes target prot opt in out source destination
+>
+> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
+> pkts bytes target prot opt in out source destination
+>
+> host# iptables -L -v -t nat
+> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
+> pkts bytes target prot opt in out source destination
+>
+> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
+> pkts bytes target prot opt in out source destination
+>
+> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+> pkts bytes target prot opt in out source destination
+
+### Configuration of tinc
+
+> host# cat /etc/tinc/vpn/tinc.conf
+> Name = atwork
+> Device = /dev/tun
+> ConnectTo = home
+>
+> host# cat /etc/tinc/vpn/tinc-up
+> #!/bin/sh
+>
+> ifconfig vpn 192.168.10.20 netmask 255.255.0.0
+>
+> host# ls /etc/tinc/vpn/hosts
+> atwork home
+>
+> host# cat /etc/tinc/vpn/hosts/atwork
+> Address = 123.234.123.1
+> Subnet = 192.168.10.20/32
+> -----BEGIN RSA PUBLIC KEY-----
+> ...
+> -----END RSA PUBLIC KEY-----
+>
+> host# cat /etc/tinc/vpn/hosts/home
+> Address = 200.201.202.203
+> Subnet = 192.168.1.0/24
+> -----BEGIN RSA PUBLIC KEY-----
+> ...
+> -----END RSA PUBLIC KEY-----
+
+### Configuration of the firewall
+
+> firewall# ifconfig
+> ppp0 Link encap:Point-to-Point Protocol
+> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
+> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
+> ...
+>
+> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
+> inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0
+> UP BROADCAST RUNNING MTU:1500 Metric:1
+> ...
+>
+> lo Link encap:Local Loopback
+> inet addr:127.0.0.1 Mask:255.0.0.0
+> UP LOOPBACK RUNNING MTU:3856 Metric:1
+> ...
+>
+> firewall# route
+> Kernel IP routing table
+> Destination Gateway Genmask Flags Metric Ref Use Iface
+> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
+> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
+>
+> firewall# iptables -L -v
+> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
+> pkts bytes target prot opt in out source destination
+>
+> Chain FORWARD (policy DROP 1234 packets, 123K bytes)
+> pkts bytes target prot opt in out source destination
+> 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24
+> 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
+>
+> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
+> pkts bytes target prot opt in out source destination
+>
+> firewall# iptables -L -v -t nat
+> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
+> pkts bytes target prot opt in out source destination
+> 1234 123K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:655 to:10.20.30.42:655
+> 1234 123K DNAT udp -- ppp0 any anywhere anywhere udp dpt:655 to:10.20.30.42:655
+>
+> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
+> pkts bytes target prot opt in out source destination
+> 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere
+>
+> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+> pkts bytes target prot opt in out source destination
+>
+> firewall# cat /etc/init.d/firewall
+> #!/bin/sh
+>
+> echo 1 >/proc/sys/net/ipv4/ip_forward
+>
+> iptables -P FORWARD DROP
+> iptables -F FORWARD
+> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
+> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
+>
+> iptables -t nat -F POSTROUTING
+> # Next rule prevents masquerading from altering source port of outbound tinc packets
+> iptables -t nat -A POSTROUTING -p udp -m udp -sport 655 -j MASQUERADE -o ppp0 --to-ports 655
+> iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
+>
+> iptables -t nat -F PREROUTING
+> # Next two rules forward incoming tinc packets to the host behind the firewall running tinc
+> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655
+> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655
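Review bot: the port-preserving MASQUERADE rule in /etc/init.d/firewall has a malformed option: `-sport 655` should be `--sport 655` (iptables will reject the single-dash form), so as written the script fails at that line and only the generic `-j MASQUERADE -o ppp0` rule would be loaded, which is exactly the behaviour the comment above it says must be avoided. The `iptables -L -v -t nat` listing shown earlier in the same file is also inconsistent with the script: its POSTROUTING chain shows a single MASQUERADE rule for all protocols, whereas the script installs two (the `udp --sport 655 --to-ports 655` rule first, then the catch-all), so one of the two should be updated to match the other. As a smaller point, the FORWARD rule `-i ppp0 -o eth0 -d 10.20.30.0/24` accepts every inbound packet to the internal network after DNAT; since this example only needs the DNAT'ed port 655 traffic (plus replies to outbound connections) to pass, the text should at least say that the rule is deliberately broad for the example, or narrow it to the tinc port and reply traffic.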