Configuration advice on a single interface server

Guus Sliepen guus at tinc-vpn.org
Wed Mar 18 19:28:12 CET 2015


On Wed, Mar 18, 2015 at 05:54:26PM +0800, Terry T wrote:

> I know how to bridge an internal adapter to a tap device. My problem is
> that this box only has one physical interface.
> 
> Internet ----->[Cisco router]------------[network switch]--------{PCs,
> Linux VPN server}
> 
> A typical server bridge setup is for the LAN side of the adapter to be
> bridged to the tap, and the external client connecting to its external
> adapter be serviced by the vpn program. In my situation, my one physical
> adapter is functioning both as an internal LAN adapter and also responsible
> for servicing requests from the remote client.

You can use iptables to block forwarding of traffic you don't want on
the VPN. For example:

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o vpn_interface -d 224.0.0.0/4 -j ACCEPT
iptables -A FORWARD -i vpn_interface -o eth0 -d 224.0.0.0/4 -j ACCEPT

This will only allow multicast traffic to be forwarded. Note that this
example only covers IPv4; you need to do something similar for IPv6.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
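The following script is an added example, not part of Guus's reply or of tinc itself. It turns the two IPv4 rules above into a small generator that emits the same multicast-only FORWARD policy for both IPv4 (224.0.0.0/4) and IPv6 (ff00::/8), so the two families cannot drift apart. The interface names eth0 and vpn_interface are taken from the reply; everything else (function names, the apply/print switch) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original mail): emit the IPv4 and IPv6
# forwarding rules that allow only multicast between the LAN interface and
# the VPN interface. Interface names default to those used in the reply.

# Print the rule set for one address family.
#   $1 = iptables or ip6tables
#   $2 = multicast range for that family
#   $3 = LAN interface, $4 = VPN interface
multicast_only_rules() {
    tool=$1; mcast=$2; lan=$3; vpn=$4
    # Default policy: drop everything that is not explicitly allowed.
    printf '%s -P FORWARD DROP\n' "$tool"
    # Allow multicast in both directions between LAN and VPN.
    printf '%s -A FORWARD -i %s -o %s -d %s -j ACCEPT\n' "$tool" "$lan" "$vpn" "$mcast"
    printf '%s -A FORWARD -i %s -o %s -d %s -j ACCEPT\n' "$tool" "$vpn" "$lan" "$mcast"
}

# Both address families together, since the reply notes IPv6 needs the
# same treatment as IPv4.
vpn_forward_rules() {
    lan=${1:-eth0}; vpn=${2:-vpn_interface}
    multicast_only_rules iptables  224.0.0.0/4 "$lan" "$vpn"
    multicast_only_rules ip6tables ff00::/8    "$lan" "$vpn"
}

# Number of commands in a generated set (2 policies + 4 accept rules).
rule_count() { vpn_forward_rules "$@" | wc -l | tr -d ' '; }

# Only apply when explicitly asked (needs root); otherwise just print.
#   usage: ./vpn-forward.sh [print|apply] [lan_if] [vpn_if]
case "${1:-print}" in
    apply) vpn_forward_rules "$2" "$3" | sh -e ;;
    *)     vpn_forward_rules "$2" "$3" ;;
esac
```

Two checks worth running before trusting this on a bridged tap: first, bridged frames only traverse the iptables FORWARD chain when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables (and -ip6tables) is 1; without that, the rules above only affect routed traffic. Second, when they do traverse it, -i and -o see the bridge device rather than its ports, so per-port matching needs -m physdev --physdev-in/--physdev-out (or an nftables bridge-family ruleset) instead of plain -i/-o.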