X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=examples%2Fon-firewall.mdwn;h=c47ad41b003cf2be68b1c76877c8d8de562b4da5;hb=HEAD;hp=e2cce3faed542714fdddaf81e1e0a65e09f3c1d7;hpb=7c74a57cd95cfc0358fdd5980d9170ea16751dfb;p=wiki diff --git a/examples/on-firewall.mdwn b/examples/on-firewall.mdwn index e2cce3f..c47ad41 100644 --- a/examples/on-firewall.mdwn +++ b/examples/on-firewall.mdwn 
@@ -22,106 +22,106 @@ The network setup is as follows: ### Configuration of the firewall running tinc -> firewall# ifconfig -> ppp0 Link encap:Point-to-Point Protocol -> inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255 -> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 -> ... -> -> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16 -> inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0 -> UP BROADCAST RUNNING MTU:1500 Metric:1 -> ... -> -> lo Link encap:Local Loopback -> inet addr:127.0.0.1 Mask:255.0.0.0 -> UP LOOPBACK RUNNING MTU:3856 Metric:1 -> ... -> -> vpn Link encap:Point-to-Point Protocol -> inet addr:10.20.30.1 P-t-P:10.20.30.1 Mask:255.255.0.0 -> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 -> ... -> -> firewall# route -> Kernel IP routing table -> Destination Gateway Genmask Flags Metric Ref Use Iface -> 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0 -> 10.20.0.0 * 255.255.0.0 U 0 0 0 vpn -> default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0 -> -> firewall# iptables -L -v -> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) -> pkts bytes target prot opt in out source destination -> -> Chain FORWARD (policy DROP 1234 packets, 123K bytes) -> pkts bytes target prot opt in out source destination -> 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24 -> 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere -> 1234 123K ACCEPT any -- vpn eth0 10.20.0.0/16 10.20.30.0/24 -> 1234 123K ACCEPT any -- eth0 vpn 10.20.30.0/24 10.20.0.0/16 -> -> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) -> pkts bytes target prot opt in out source destination -> -> firewall# iptables -L -v -t nat -> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> -> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes target prot opt in out source destination -> 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere -> -> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) -> pkts bytes 
target prot opt in out source destination -> -> firewall# cat /etc/init.d/firewall -> #!/bin/sh -> -> echo 1 >/proc/sys/net/ipv4/ip_forward -> -> iptables -P FORWARD DROP -> iptables -F FORWARD -> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24 -> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24 -> iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24 -> iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16 -> -> iptables -t nat -F POSTROUTING -> iptables -t nat -A POSTROUTING -j MASQUERADE -i eth0 -o ppp0 + firewall# ifconfig + ppp0 Link encap:Point-to-Point Protocol + inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255 + UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 + ... + + eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16 + inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0 + UP BROADCAST RUNNING MTU:1500 Metric:1 + ... + + lo Link encap:Local Loopback + inet addr:127.0.0.1 Mask:255.0.0.0 + UP LOOPBACK RUNNING MTU:3856 Metric:1 + ... + + vpn Link encap:Point-to-Point Protocol + inet addr:10.20.30.1 P-t-P:10.20.30.1 Mask:255.255.0.0 + UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 + ... 
+ + firewall# route + Kernel IP routing table + Destination Gateway Genmask Flags Metric Ref Use Iface + 10.20.30.0 * 255.255.255.0 U 0 0 0 eth0 + 10.20.0.0 * 255.255.0.0 U 0 0 0 vpn + default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0 + + firewall# iptables -L -v + Chain INPUT (policy ACCEPT 1234 packets, 123K bytes) + pkts bytes target prot opt in out source destination + + Chain FORWARD (policy DROP 1234 packets, 123K bytes) + pkts bytes target prot opt in out source destination + 1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24 + 1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere + 1234 123K ACCEPT any -- vpn eth0 10.20.0.0/16 10.20.30.0/24 + 1234 123K ACCEPT any -- eth0 vpn 10.20.30.0/24 10.20.0.0/16 + + Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes) + pkts bytes target prot opt in out source destination + + firewall# iptables -L -v -t nat + Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere + + Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + + firewall# cat /etc/init.d/firewall + #!/bin/sh + + echo 1 >/proc/sys/net/ipv4/ip_forward + + iptables -P FORWARD DROP + iptables -F FORWARD + iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24 + iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24 + iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24 + iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16 + + iptables -t nat -F POSTROUTING + iptables -t nat -A POSTROUTING -j MASQUERADE -i eth0 -o ppp0 ### Configuration of tinc -> firewall# cat /etc/tinc/vpn/tinc.conf -> Name = office -> Device = /dev/tun -> ConnectTo = branch -> -> firewall# cat /etc/tinc/vpn/tinc-up -> #!/bin/sh -> -> ifconfig vpn 
10.20.30.1 netmask 255.255.0.0 -> -> firewall# ls /etc/tinc/vpn/hosts -> office branch employee_smith employee_jones ... -> -> firewall# cat /etc/tinc/vpn/hosts/office -> Address = 123.234.123.1 -> Subnet = 10.20.30.0/24 -> -----BEGIN RSA PUBLIC KEY----- -> ... -> -----END RSA PUBLIC KEY----- -> -> firewall# cat /etc/tinc/vpn/hosts/branch -> Address = 123.234.213.129 -> Subnet = 10.20.40.0/24 -> -----BEGIN RSA PUBLIC KEY----- -> ... -> -----END RSA PUBLIC KEY----- -> -> firewall# cat /etc/tinc/vpn/hosts/employee_smith -> Address = 200.201.202.203 -> Subnet = 10.20.50.1/32 -> -----BEGIN RSA PUBLIC KEY----- -> ... -> -----END RSA PUBLIC KEY----- + firewall# cat /etc/tinc/vpn/tinc.conf + Name = office + ConnectTo = branch + Interface = vpn + + firewall# cat /etc/tinc/vpn/tinc-up + #!/bin/sh + + ifconfig $INTERFACE 10.20.30.1 netmask 255.255.0.0 + + firewall# ls /etc/tinc/vpn/hosts + office branch employee_smith employee_jones ... + + firewall# cat /etc/tinc/vpn/hosts/office + Address = 123.234.123.1 + Subnet = 10.20.30.0/24 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY----- + + firewall# cat /etc/tinc/vpn/hosts/branch + Address = 123.234.213.129 + Subnet = 10.20.40.0/24 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY----- + + firewall# cat /etc/tinc/vpn/hosts/employee_smith + Address = 200.201.202.203 + Subnet = 10.20.50.1/32 + -----BEGIN RSA PUBLIC KEY----- + ... + -----END RSA PUBLIC KEY-----
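Review bot: The FORWARD rules carried over into the new code block are stateless: `iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24` admits any packet arriving on ppp0 for the LAN, which is broader than the de-masqueraded return traffic it exists to allow. Since the block is being rewritten anyway, consider replacing that line with `iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED`, and the same consideration applies to the `vpn`-to-`eth0` rule if only LAN-initiated connections are intended. The `Interface = vpn` line and the switch to `ifconfig $INTERFACE` in tinc-up are consistent with each other, but `Device = /dev/tun` is dropped without comment while the `ifconfig` output above still shows `vpn` as a tun-style `Point-to-Point Protocol` interface with `NOARP`; a short note that tinc now uses its default tun device would save readers from wondering where the device is configured.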