X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=examples%2Fmasquerading-firewall.mdwn;fp=examples%2Fmasquerading-firewall.mdwn;h=63377c1c7765db4525bd9c9b466d0ef27b4e1da8;hb=7c74a57cd95cfc0358fdd5980d9170ea16751dfb;hp=0000000000000000000000000000000000000000;hpb=f980b3945271b51a8a200c44b8d3e7d61d086bab;p=wiki diff --git a/examples/masquerading-firewall.mdwn b/examples/masquerading-firewall.mdwn new file mode 100644 index 0000000..63377c1 --- /dev/null +++ b/examples/masquerading-firewall.mdwn 
@@ -0,0 +1,167 @@ +[[!meta title="tinc from behind a masquerading firewall"]] + +## Example: tinc from behind a masquerading firewall + +When running tinc from behind a masquerading firewall (not on the firewall +itself), one must be careful to configure the firewall so that it allows the +tinc traffic to pass through without altering the source and destination ports. +Example firewall rules are included in this example. They are written for +iptables (Linux 2.4 firewall code), but commented so that you may apply the +same kind of rules to other firewalls. + +[[!toc levels=2]] + +### Overview + +[[!img examples/fig-firewall.png]] + +The network setup is as follows: + +* Internal network is 10.20.30.0/24 +* Firewall IP is 123.234.123.1 on the outside, 10.20.30.1/24 on the inside. +* Host running tinc has IP 10.20.30.42 +* VPN the host wants to connect to has address range 192.168.0.0/16 +* The host has it's own VPN IP 192.168.10.20 + +### Configuration of the host running tinc + +> host# ifconfig +> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60 +> inet addr:10.20.30.42 Bcast:10.20.30.255 Mask:255.255.255.0 +> UP BROADCAST RUNNING MTU:1500 Metric:1 +> ... +> +> lo Link encap:Local Loopback +> inet addr:127.0.0.1 Mask:255.0.0.0 +> UP LOOPBACK RUNNING MTU:3856 Metric:1 +> ... +> +> vpn Link encap:Point-to-Point Protocol +> inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0 +> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 +> ... 
+> +> host# route +> Kernel IP routing table +> Destination Gateway Genmask Flags Metric Ref Use Iface +> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0 +> 192.168.0.0 * 255.255.0.0 U 0 0 0 vpn +> default 10.20.30.1 0.0.0.0 UG 0 0 0 eth0 +> +> host# iptables -L -v +> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) +> pkts bytes target prot opt in out source destination +> +> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) +> pkts bytes target prot opt in out source destination +> +> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) +> pkts bytes target prot opt in out source destination +> +> host# iptables -L -v -t nat +> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) +> pkts bytes target prot opt in out source destination +> +> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) +> pkts bytes target prot opt in out source destination +> +> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) +> pkts bytes target prot opt in out source destination + +### Configuration of tinc + +> host# cat /etc/tinc/vpn/tinc.conf +> Name = atwork +> Device = /dev/tun +> ConnectTo = home +> +> host# cat /etc/tinc/vpn/tinc-up +> #!/bin/sh +> +> ifconfig vpn 192.168.10.20 netmask 255.255.0.0 +> +> host# ls /etc/tinc/vpn/hosts +> atwork home +> +> host# cat /etc/tinc/vpn/hosts/atwork +> Address = 123.234.123.1 +> Subnet = 192.168.10.20/32 +> -----BEGIN RSA PUBLIC KEY----- +> ... +> -----END RSA PUBLIC KEY----- +> +> host# cat /etc/tinc/vpn/hosts/home +> Address = 200.201.202.203 +> Subnet = 192.168.1.0/24 +> -----BEGIN RSA PUBLIC KEY----- +> ... +> -----END RSA PUBLIC KEY----- + +### Configuration of the firewall + +> firewall# ifconfig +> ppp0 Link encap:Point-to-Point Protocol +> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255 +> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 +> ... +> +> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16 +> inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0 +> UP BROADCAST RUNNING MTU:1500 Metric:1 +> ... 
+> +> lo Link encap:Local Loopback +> inet addr:127.0.0.1 Mask:255.0.0.0 +> UP LOOPBACK RUNNING MTU:3856 Metric:1 +> ... +> +> firewall# route +> Kernel IP routing table +> Destination Gateway Genmask Flags Metric Ref Use Iface +> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0 +> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0 +> +> firewall# iptables -L -v +> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) +> pkts bytes target prot opt in out source destination +> +> Chain FORWARD (policy DROP 1234 packets, 123K bytes) +> pkts bytes target prot opt in out source destination +> 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24 +> 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere +> +> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) +> pkts bytes target prot opt in out source destination +> +> firewall# iptables -L -v -t nat +> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) +> pkts bytes target prot opt in out source destination +> 1234 123K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:655 to:10.20.30.42:655 +> 1234 123K DNAT udp -- ppp0 any anywhere anywhere udp dpt:655 to:10.20.30.42:655 +> +> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) +> pkts bytes target prot opt in out source destination +> 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere +> +> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) +> pkts bytes target prot opt in out source destination +> +> firewall# cat /etc/init.d/firewall +> #!/bin/sh +> +> echo 1 >/proc/sys/net/ipv4/ip_forward +> +> iptables -P FORWARD DROP +> iptables -F FORWARD +> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24 +> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24 +> +> iptables -t nat -F POSTROUTING +> # Next rule prevents masquerading from altering source port of outbound tinc packets +> iptables -t nat -A POSTROUTING -p udp -m udp -sport 655 -j MASQUERADE -o ppp0 --to-ports 655 +> iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0 +> +> iptables -t nat -F 
PREROUTING +> # Next two rules forward incoming tinc packets to the host behind the firewall running tinc +> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655 +> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655
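Review bot: the port-preserving POSTROUTING rule in /etc/init.d/firewall has a typo that makes iptables reject it: `-sport 655` should be `--sport 655` (with a single dash iptables reads it as `-s port`, an invalid address, and the rule is never loaded). Since the script has no `set -e`, the remaining rules still load, so outbound UDP from 10.20.30.42:655 silently falls through to the plain `-j MASQUERADE -o ppp0` rule; the kernel usually keeps the original source port when it is free, but nothing guarantees it, which is exactly the failure this example is meant to prevent. Suggested line: `iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655`. Two smaller points: the FORWARD rule `-A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24` admits any inbound packet addressed to the internal network, not only the DNAT'd tinc traffic and replies to outbound connections; an `-m state --state ESTABLISHED,RELATED` accept plus explicit accepts for tcp and udp dport 655 to 10.20.30.42 would match the intent of the DROP policy. Also, the `--to-ports 655` trick only works for a single tinc host behind the firewall: a second internal host sending from port 655 cannot be given the same external port, so the example should say it assumes one tinc host. Finally, "The host has it's own VPN IP" in the Overview list should read "its own".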