ipchains
Gillian
gillianh at paper-graphics.com
Thu May 24 10:26:29 CEST 2001
Dear Tinc Experts,
I have been struggling for some time now, with Tinc pre3, and firewall
rulesets and routing. I did once manage to get Tinc to work okay in a
test-bed environment. I then tried to set it up for a 'real-life'
setup and cannot get it to work properly.
My real-life setup looks like this:
Network A:
192.168.1.0 / 255.255.255.0
    192.168.1.7    tap1 device gateway   \
    192.168.1.3    eth0 gateway           >---- Firewall / NAT / Tinc box A
    62.49.252.50   eth1 gateway          /
Network B:
192.168.3.0 / 255.255.255.0
    192.168.3.6    tap0 device gateway   \
    192.168.3.5    eth0 gateway           >---- Firewall / NAT / Tinc box B
    62.49.242.210  eth1 gateway          /
Here is the firewall ruleset (not working properly, as far as I can tell)
that is on Box A (a similar firewall script is on Box B). Note that I can get
boxes on subnet A pinging boxes on subnet B if I get rid of the firewall
script and set all the ipchains policies to ACCEPT. Pinging works, but I
couldn't get other things to go across the Tinc VPN link. (ftp, etc.)
/etc/rc.d/rc.firewall -->
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
extip="62.49.252.50"
extint="eth1"
intint="eth0"
intnet="192.168.1.0/24"
# MASQ Timeouts ( 2 hours tcp session, 10 sec tcpfin, 60 sec udp )
ipchains -M -S 7200 10 60
# -----------------------------------
# Incoming ipchains firewall rules:
# -----------------------------------
/sbin/ipchains -F input
/sbin/ipchains -P input REJECT
# local interface, local machines, going anywhere is valid
/sbin/ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
# new tinc rules
/sbin/ipchains -A input -s $intnet -d 0.0.0.0/0 -i tap1 -j ACCEPT
/sbin/ipchains -A input -s 192.168.3.0/24 -d 0.0.0.0/0 -i tap1 -j ACCEPT
# remote interface, claiming to be local, via ip spoofing, get lost
/sbin/ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# remote interface, any source, going to ext interface is valid
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
# loopback interface is valid
/sbin/ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch-all rule, all other incoming is denied and logged
/sbin/ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
# -----------------------------------
# Outgoing ipchains firewall rules:
# -----------------------------------
/sbin/ipchains -F output
/sbin/ipchains -P output REJECT
# local interface, any source going to local net, is valid
/sbin/ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
# new tinc rules
/sbin/ipchains -A output -i tap1 -d $intnet -j ACCEPT
/sbin/ipchains -A output -i tap1 -d 192.168.3.0/24 -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
/sbin/ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
# outgoing from local net on remote interface, stuffed masquerading, deny
/sbin/ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# anything else on the remote interface is valid
/sbin/ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
# loopback interface is valid
/sbin/ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch-all rule, all other outgoing is denied and logged
/sbin/ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
# -------------------------------------
# Forwarding ipchains firewall rules:
# -------------------------------------
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
# new tinc
/sbin/ipchains -A forward -i tap1 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
/sbin/ipchains -A forward -i tap1 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT
# masquerade from local net on local interface to anywhere
/sbin/ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
/sbin/ipchains -A forward -i $extint -s 194.128.68.0/24 -d 0.0.0.0/0 -j MASQ
# catch-all rule, all other forwarding is denied and logged
/sbin/ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
# End of firewall script
# -------------------------------------
/sbin/ipchains -L input -n -v -->
Chain input (policy REJECT: 210392 packets, 52777660 bytes):
pkts bytes target prot opt tosa tosx ifname source destination ports
56 7193 ACCEPT all ------ 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
0 0 ACCEPT all ------ 0xFF 0x00 tap1 192.168.1.0/24 0.0.0.0/0 n/a
0 0 ACCEPT all ------ 0xFF 0x00 tap1 192.168.3.0/24 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth1 192.168.1.0/24 0.0.0.0/0 n/a
2 266 ACCEPT all ------ 0xFF 0x00 eth1 0.0.0.0/0 62.49.252.50 n/a
2 154 ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
/sbin/ipchains -L output -n -v -->
Chain output (policy REJECT: 133548 packets, 43707305 bytes):
pkts bytes target prot opt tosa tosx ifname source destination ports
39 2370 ACCEPT all ------ 0xFF 0x00 eth0 0.0.0.0/0 192.168.1.0/24 n/a
0 0 ACCEPT all ------ 0xFF 0x00 tap1 0.0.0.0/0 192.168.1.0/24 n/a
0 0 ACCEPT all ------ 0xFF 0x00 tap1 0.0.0.0/0 192.168.3.0/24 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth1 0.0.0.0/0 192.168.1.0/24 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth1 192.168.1.0/24 0.0.0.0/0 n/a
2 142 ACCEPT all ------ 0xFF 0x00 eth1 62.49.252.50 0.0.0.0/0 n/a
2 154 ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
/sbin/ipchains -L forward -n -v -->
Chain forward (policy DENY: 1855 packets, 147806 bytes):
pkts bytes target prot opt tosa tosx ifname source destination ports
0 0 ACCEPT all ------ 0xFF 0x00 tap1 192.168.1.0/24 192.168.3.0/24 n/a
0 0 ACCEPT all ------ 0xFF 0x00 tap1 192.168.3.0/24 192.168.1.0/24 n/a
0 0 MASQ all ------ 0xFF 0x00 eth1 192.168.1.0/24 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
/sbin/ifconfig -->
eth0 Link encap:Ethernet HWaddr 00:06:29:05:58:07
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2487570 errors:25 dropped:0 overruns:0 frame:30
TX packets:881885 errors:1 dropped:0 overruns:0 carrier:1
collisions:15289 txqueuelen:100
Interrupt:11 Base address:0x3100
eth1 Link encap:Ethernet HWaddr 00:E0:29:14:61:A5
inet addr:62.49.252.50 Bcast:62.49.252.63 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:535939 errors:0 dropped:0 overruns:0 frame:0
TX packets:467370 errors:0 dropped:0 overruns:0 carrier:0
collisions:96 txqueuelen:100
Interrupt:15 Base address:0x4800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:46657 errors:0 dropped:0 overruns:0 frame:0
TX packets:46657 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
tap1 Link encap:Ethernet HWaddr FE:FD:00:00:00:00
inet addr:192.168.1.7 Bcast:192.168.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:851 errors:0 dropped:0 overruns:0 frame:0
TX packets:1256 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
Interrupt:5
/sbin/route -n -->
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.3 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
62.49.252.50 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
62.49.252.48 0.0.0.0 255.255.255.240 U 0 0 0 eth1
62.49.252.48 0.0.0.0 255.255.255.240 U 0 0 0 ipsec0
192.168.3.0 192.168.1.7 255.255.255.0 UG 0 0 0 tap1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
194.128.68.0 192.168.1.250 255.255.255.0 UG 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tap1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 62.49.252.49 0.0.0.0 UG 0 0 0 eth1
tail -20 /var/log/messages -->
May 24 08:43:35 mailgate tinc.netscot[29567]: Sending packet of 100 bytes to scot (62.49.242.210)
May 24 08:43:35 mailgate tinc.netscot[29567]: Writing packet of 98 bytes to tap device
May 24 08:43:35 mailgate tinc.netscot[29567]: Sending packet of 128 bytes to scot (62.49.242.210)
May 24 08:43:35 mailgate kernel: Packet log: forward REJECT eth0 PROTO=1 192.168.3.10:0 192.168.1.40:0 L=84 S=0x00 I=65049 F=0x0000 T=126 (#5)
May 24 08:43:36 mailgate tinc.netscot[29567]: Sending packet of 100 bytes to scot (62.49.242.210)
May 24 08:43:36 mailgate tinc.netscot[29567]: Writing packet of 98 bytes to tap device
May 24 08:43:36 mailgate tinc.netscot[29567]: Sending packet of 128 bytes to scot (62.49.242.210)
May 24 08:43:36 mailgate kernel: Packet log: forward REJECT eth0 PROTO=1 192.168.3.10:0 192.168.1.40:0 L=84 S=0x00 I=65305 F=0x0000 T=126 (#5)
TINC SETTINGS ON VBOX MACHINE (62.49.252.50 & 192.168.1.3)
/usr/local/etc/tinc/netscot/tinc.conf
Name = vbox
Interface = eth0
TapDevice = /dev/tap1
PrivateKey = 7E...
/usr/local/etc/tinc/netscot/tinc-up
#!/bin/bash
/sbin/ifconfig tap1 hw ether fe:fd:00:00:00:00
/sbin/ifconfig tap1 192.168.1.7 broadcast 192.168.255.255 netmask 255.255.0.0
/usr/local/etc/tinc/netscot/tinc-down
#!/bin/bash
/sbin/ifconfig tap1 down
/usr/local/etc/tinc/netscot/hosts/scot
Address = 62.49.242.210
Subnet = 192.168.3.0/24
Port = 2003
PublicKey = FF...
/usr/local/etc/tinc/netscot/hosts/vbox
Address = 62.49.252.50
Subnet = 192.168.1.0/24
Port = 2003
PublicKey = 9E...
TINC SETTINGS ON SCOT MACHINE (62.49.242.210 & 192.168.3.5)
/usr/local/etc/tinc/tinc.conf
Name = scot
TapDevice = /dev/tap0
Interface = eth0
ConnectTo = vbox
PrivateKey = E1...
/usr/local/etc/tinc/tinc-up
#!/bin/bash
/sbin/ifconfig tap0 hw ether fe:fd:00:00:00:00
/sbin/ifconfig tap0 192.168.3.6 broadcast 192.168.255.255 netmask 255.255.0.0
/usr/local/etc/tinc/tinc-down
#!/bin/bash
/sbin/ifconfig tap0 down
/usr/local/etc/tinc/hosts/scot
Address = 62.49.242.210
Subnet = 192.168.3.0/24
Port = 2003
PublicKey = FF...
/usr/local/etc/tinc/hosts/vbox
Address = 62.49.252.50
Subnet = 192.168.1.0/24
Port = 2003
PublicKey = 9E...
I know that there must be something wrong with my firewall script, and there might also be
a problem with the tinc configuration. Can someone please help me to determine where the
problems are and fix my setup? I am getting very close to my deadline for setting up a VPN
at work, and if someone can spot my mistake(s) they could 'save my life'.
Thanks,
Gillian Hodgkinson.
-
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://ftp.nl.linux.org/pub/linux/tinc/
More information about the Tinc mailing list
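Editor's note, added example (not the poster's script and not part of the original message). The kernel log line "forward REJECT eth0 ... 192.168.3.10 -> 192.168.1.40 (#5)" is the clue: in ipchains, `-i` on the forward and output chains names the interface the packet is about to leave on, not the one it arrived on. A reply from network B to a host on network A leaves the box on eth0, so the forward rule `-i tap1 -s 192.168.3.0/24 -d 192.168.1.0/24` never matches and the packet falls through to the logging catch-all, which is rule 5 of the five rules the script installs. The matcher below re-implements only that rule-walk (interface plus source/destination prefix, first match wins) over the script's forward chain and over a corrected chain whose B-to-A rule names eth0; the packet addresses are the two from the log, and the rule-walk semantics are the ipchains ones, not a library call. A related point a reviewer would raise on the input chain: the rule that accepts source 192.168.1.0/24 arriving on tap1 is the tunnel-side counterpart of the eth1 anti-spoofing rule the script already has, and deserves the same treatment.

```python
"""ipchains forward-chain walk for the packet logged in the post above.

Added illustration, not the poster's rc.firewall: a minimal matcher that
applies ipchains' first-match semantics to the forward chain.  The one
ipchains fact it encodes is that, for the forward and output chains, -i is
the interface the packet is about to LEAVE on.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str
    iface: Optional[str] = None      # None == any interface ('*' in -L output)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    log: bool = False                # the -l flag; informational only here

    def matches(self, out_iface: str, src: str, dst: str) -> bool:
        """Rule matches when interface (if given), source and destination all match."""
        if self.iface is not None and self.iface != out_iface:
            return False
        src_ok = ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
        return src_ok and dst_ok


def walk(chain: List[Rule], policy: str, out_iface: str, src: str, dst: str) -> Tuple[str, int]:
    """First matching rule wins.  Returns (verdict, rule_number) with the
    1-based rule number the kernel prints as '(#N)'; (policy, 0) if none match."""
    for number, rule in enumerate(chain, start=1):
        if rule.matches(out_iface, src, dst):
            return rule.target, number
    return policy, 0


# Forward chain exactly as the posted rc.firewall builds it (five rules, policy DENY).
FORWARD_AS_POSTED = [
    Rule("ACCEPT", "tap1", "192.168.1.0/24", "192.168.3.0/24"),
    Rule("ACCEPT", "tap1", "192.168.3.0/24", "192.168.1.0/24"),   # never matches: B->A leaves on eth0
    Rule("MASQ",   "eth1", "192.168.1.0/24"),
    Rule("MASQ",   "eth1", "194.128.68.0/24"),
    Rule("REJECT", None, log=True),                                # rule 5 == the '(#5)' in the log
]

# Corrected chain: each direction names the interface the packet leaves by.
FORWARD_FIXED = [
    Rule("ACCEPT", "tap1", "192.168.1.0/24", "192.168.3.0/24"),   # A->B goes out over the tunnel
    Rule("ACCEPT", "eth0", "192.168.3.0/24", "192.168.1.0/24"),   # B->A goes out onto the LAN
    Rule("MASQ",   "eth1", "192.168.1.0/24"),
    Rule("MASQ",   "eth1", "194.128.68.0/24"),
    Rule("REJECT", None, log=True),
]

# (outgoing interface, src, dst) -- addresses taken from the posted kernel log;
# the outgoing interface is what "forward REJECT eth0" reports.
LOGGED_PACKET = ("eth0", "192.168.3.10", "192.168.1.40")    # B -> A (the failing direction)
REPLY_PACKET = ("tap1", "192.168.1.40", "192.168.3.10")     # A -> B


def verdicts(chain: List[Rule]) -> dict:
    """Verdict and matched rule number for both directions of the ping."""
    return {
        "B_to_A": walk(chain, "DENY", *LOGGED_PACKET),
        "A_to_B": walk(chain, "DENY", *REPLY_PACKET),
    }


if __name__ == "__main__":
    for label, chain in (("as posted", FORWARD_AS_POSTED), ("fixed", FORWARD_FIXED)):
        print(f"{label:10s} {verdicts(chain)}")
```

Running it shows the posted chain rejecting B-to-A at rule 5 while accepting A-to-B at rule 1 (which is why the tap1 counters for the B-to-A rule stay at zero in the `-L forward` output), and the corrected chain accepting both directions. The same "`-i` means outgoing interface" reading applies to the output chain, where the script already uses it correctly, and the `-i` on the input chain is the incoming interface as expected.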