[[!meta title="tinc from behind a masquerading firewall"]]

## Example: tinc from behind a masquerading firewall

When running tinc from behind a masquerading firewall (not on the firewall itself), one must be careful to configure the firewall so that it allows the tinc traffic to pass through without altering the source and destination ports. Example firewall rules are included below. They are written for iptables (Linux 2.4 firewall code), but commented so that you may apply the same kind of rules to other firewalls.

[[!toc levels=2]]

### Overview

[[!img examples/fig-firewall.png]]

The network setup is as follows:

* Internal network is 10.20.30.0/24
* Firewall IP is 123.234.123.1 on the outside, 10.20.30.1/24 on the inside.
* Host running tinc has IP 10.20.30.42
* VPN the host wants to connect to has address range 192.168.0.0/16
* The host has its own VPN IP 192.168.10.20

### Configuration of the host running tinc

```
host# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:20:30:40:50:60
          inet addr:10.20.30.42  Bcast:10.20.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          ...

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3856  Metric:1
          ...

vpn       Link encap:Point-to-Point Protocol
          inet addr:192.168.10.20  P-t-P:192.168.10.20  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          ...

host# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.0.0     U     0      0        0 vpn
default         10.20.30.1      0.0.0.0         UG    0      0        0 eth0

host# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
 pkts bytes target     prot opt in     out     source               destination

host# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

### Configuration of tinc

```
host# cat /etc/tinc/vpn/tinc.conf
Name = atwork
ConnectTo = home

host# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0

host# ls /etc/tinc/vpn/hosts
atwork home

host# cat /etc/tinc/vpn/hosts/atwork
Address = 123.234.123.1
Subnet = 192.168.10.20/32
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

host# cat /etc/tinc/vpn/hosts/home
Address = 200.201.202.203
Subnet = 192.168.1.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
```

### Configuration of the firewall

```
firewall# ifconfig
ppp0      Link encap:Point-to-Point Protocol
          inet addr:123.234.123.1  P-t-P:123.234.120.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          ...

eth0      Link encap:Ethernet  HWaddr 00:20:13:14:15:16
          inet addr:10.20.30.1  Bcast:10.20.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          ...

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3856  Metric:1
          ...

firewall# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
default         123.234.120.1   0.0.0.0         UG    0      0        0 ppp0

firewall# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K ACCEPT     any  --  ppp0   eth0    anywhere             10.20.30.0/24
 1234  123K ACCEPT     any  --  eth0   ppp0    10.20.30.0/24        anywhere

Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
 pkts bytes target     prot opt in     out     source               destination

firewall# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K DNAT       tcp  --  ppp0   any     anywhere             anywhere            tcp dpt:655 to:10.20.30.42:655
 1234  123K DNAT       udp  --  ppp0   any     anywhere             anywhere            udp dpt:655 to:10.20.30.42:655

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K MASQUERADE all  --  eth0   ppp0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

firewall# cat /etc/init.d/firewall
#!/bin/sh
echo 1 >/proc/sys/net/ipv4/ip_forward

iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24

iptables -t nat -F POSTROUTING
# Next rule prevents masquerading from altering source port of outbound tinc packets
iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655
iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0

iptables -t nat -F PREROUTING
# Next two rules forward incoming tinc packets to the host behind the firewall running tinc
iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655
iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655
```
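The script above depends on rule order: the source-port-preserving MASQUERADE must be listed before the catch-all MASQUERADE, or tinc's UDP source port can still be rewritten. The following check is an added example, not part of the tinc wiki or the tinc project; it verifies that ordering and the two DNAT rules in an `iptables-save`-format dump of the nat table, using the interface name, host address and port from this page and a constructed sample dump in place of live output.

```sh
#!/bin/sh
# Added example, not part of the tinc wiki page: check a NAT table dump in
# iptables-save format for the two properties this setup relies on:
#  1. the source-port-preserving MASQUERADE for UDP sport 655 is listed BEFORE
#     the catch-all MASQUERADE on the external interface (first match wins), and
#  2. DNAT rules for tcp and udp dport 655 point at the tinc host.
# Interface, host address and port are taken from this page's example network.
EXT_IF=ppp0
TINC_HOST=10.20.30.42
TINC_PORT=655

# Constructed sample, as `iptables-save -t nat` prints the rule set from this page
# (canonical iptables-save argument order is assumed by the patterns below).
GOOD_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 655 -j DNAT --to-destination 10.20.30.42:655
-A PREROUTING -i ppp0 -p udp -m udp --dport 655 -j DNAT --to-destination 10.20.30.42:655
-A POSTROUTING -o ppp0 -p udp -m udp --sport 655 -j MASQUERADE --to-ports 655
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# Same rules with the two POSTROUTING entries swapped: the catch-all now matches
# tinc's UDP first and may rewrite its source port, which breaks the setup.
BAD_NAT_DUMP=$(printf '%s\n' "$GOOD_NAT_DUMP" |
    awk '/--to-ports/ { held = $0; next } { print } /-j MASQUERADE$/ && held { print held; held = "" }')

# Prints "ok" and returns 0 if both properties hold; otherwise prints why and returns 1.
check_tinc_nat() {
    dump=$1
    keep=$(printf '%s\n' "$dump" | grep -n -- \
        "^-A POSTROUTING -o $EXT_IF -p udp -m udp --sport $TINC_PORT -j MASQUERADE --to-ports $TINC_PORT\$" | cut -d: -f1 | head -n 1)
    all=$(printf '%s\n' "$dump" | grep -n -- "^-A POSTROUTING -o $EXT_IF -j MASQUERADE\$" | cut -d: -f1 | head -n 1)
    if [ -z "$keep" ] || [ -z "$all" ] || [ "$keep" -ge "$all" ]; then
        echo "bad: port-preserving MASQUERADE missing or listed after the catch-all"
        return 1
    fi
    for proto in tcp udp; do
        printf '%s\n' "$dump" | grep -q -- \
            "^-A PREROUTING -i $EXT_IF -p $proto -m $proto --dport $TINC_PORT -j DNAT --to-destination $TINC_HOST:$TINC_PORT\$" ||
            { echo "bad: $proto DNAT to $TINC_HOST:$TINC_PORT missing"; return 1; }
    done
    echo ok
}

check_tinc_nat "$GOOD_NAT_DUMP"   # ok
check_tinc_nat "$BAD_NAT_DUMP"    # bad: port-preserving MASQUERADE missing or listed after the catch-all
```

On the firewall itself, feed it live output with `check_tinc_nat "$(iptables-save -t nat)"`.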