tinc fails because of firewall script

Gillian gillianh at paper-graphics.com
Thu May 17 16:55:46 CEST 2001 

Hi Tinc Mailing-Group,

I am a bit stuck with firewalling rules at the moment. Maybe someone
could please advise me a good rc.firewall script to use on my setup.
If anyone runs an ipchains firewall script on their linux box which is
ALSO running tinc, could they please mail it to me, for my perusal.

I have tinc pre3 set up and working on my systems, however I can only
get it to work if I set the firewall to an 'ACCEPT' policy, which is
not a sensible way to run it.

Here is my scenario:


Subnet A:     192.168.1.0 / 255.255.255.0

LINUX BOX A is running BOTH the tincd AND the firewall -->

FIREWALL A :  Tap0 device on Subnet A:  192.168.1.7
FIREWALL A :  eth0 device on Subnet A:  192.168.1.3  (default gateway for
                                               masqueraded internet traffic)
FIREWALL A :  eth1 device on Internet:  62.1.1.50


Subnet B:     192.168.3.0 / 255.255.255.0

LINUX BOX B is running BOTH the tincd AND the firewall -->

FIREWALL B :  Tap0 device on Subnet B:  192.168.3.6
FIREWALL B :  eth0 device on Subnet B:  192.168.3.5  (default gateway for
                                               masqueraded internet traffic)
FIREWALL B :  eth1 device on Internet:  62.1.2.210


Here is a totally insecure firewall script that allows tinc to work:

ipchains -F input
ipchains -F output
ipchains -F forward
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

Here is a secure firewall script (from Linux Box A) that stops tinc working:

#!/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# MASQ Timeouts  ( 2 hours tcp session, 10 sec tcpfin, 60 sec udp )
ipchains -M -S 7200 10 60

extip="62.1.1.50"
extint="eth1"

intint="eth0"
intnet="192.168.1.0/24"

#  Incoming ipchains firewall rules:
# -----------------------------------
/sbin/ipchains -F input
/sbin/ipchains -P input REJECT

# local interface, local machines, going anywhere is valid
/sbin/ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
# tinc vpn incoming rules - allowing tinc access
/sbin/ipchains -A input -d $extip 665 -p tcp -j ACCEPT
/sbin/ipchains -A input -d $extip 665 -p udp -j ACCEPT
# remote interface, claiming to be local, via ip spoofing, get lost
/sbin/ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# remote interface, any source, going to ext interface is valid
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
# loopback interface is valid
/sbin/ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch-all rule, all other incoming is denied and logged
/sbin/ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#  Outgoing ipchains firewall rules:
# -----------------------------------
/sbin/ipchains -F output
/sbin/ipchains -P output REJECT

# local interface, any source going to local net, is valid
/sbin/ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
# tinc vpn outgoing rules - allowing tinc access
/sbin/ipchains -A output -d 62.1.2.210 665 -p tcp -j ACCEPT 
/sbin/ipchains -A output -d 62.1.2.210 665 -p udp -j ACCEPT 
# outgoing to local net on remote interface, stuffed routing, deny
/sbin/ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
# outgoing from local net on remote interface, stuffed masquerading, deny
/sbin/ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# anything else on the remote interface is valid
/sbin/ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
# loopback interface is valid
/sbin/ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch-all rule, all other outgoing is denied and logged
/sbin/ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#  Forwarding ipchains firewall rules:
# -------------------------------------
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY

# masquerade from local net on local interface to anywhere
/sbin/ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
# tinc forwarding rules
/sbin/ipchains -A forward -i $extint -s 62.1.2.210/32 -d 0.0.0.0/0 -p tcp -j ACCEPT
/sbin/ipchains -A forward -i $extint -s 62.1.2.210/32 -d 0.0.0.0/0 -p udp -j ACCEPT
# catch-all rule, all other forwarding is denied and logged
/sbin/ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

# end of firewall script



With the 'secure' script running on both boxes or one box secured, and one box
open, the tinc vpn packets are 'rejected' by the 'secure' script, even though
I have tried to leave the secure script open for the packets that we are
interested in.

I have had a go at setting the ipchains "forward" chain policy to ACCEPT, whilst
leaving the "input" and "output" chains to DENY, this did not work so I believe
that the problem probably exists with the input or output chains settings.

When I look at the /var/log/messages file I get the following 'reject' message:

May 17 15:21:16 linuxa kernel: Packet log: forward REJECT tap0 PROTO=1 192.168
.1.40:8 192.168.3.10:0 L=84 S=0x00 I=11789 F=0x0000 T=63 (#6)
May 17 15:21:17 linuxa kernel: Packet log: forward REJECT tap0 PROTO=1 192.168
.1.40:8 192.168.3.10:0 L=84 S=0x00 I=11791 F=0x0000 T=63 (#6)

I get this when I try pinging machine B '192.168.3.10' from machine A '192.168.1.40'.

Okay, well, if you are able to help and need any more information, then please
ask for it. Note that I am happy that tinc is working, but only when I have an
'insecure' ACCEPT all policy firewall.  Thanks for any assistance.

Regards,
Gillian.

-
Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://ftp.nl.linux.org/pub/linux/tinc/

More information about the Tinc mailing list