Firewall rules for TINC server

Ramesh nramesh1 at gmail.com
Sun Jan 15 15:28:51 CET 2017


Thanks, but I was able to make it work based on some suggestions on the Tomato
Shibby forums.

Regards
Ramesh

On Sun, Jan 15, 2017 at 9:02 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Fri, Jan 13, 2017 at 06:53:07PM +0000, Guillermo Bisheimer wrote:
>
> > I've setup a Tinc VPN for a bunch of nodes divided in two groups:
> >
> > Group 1:
> > IP Range 10.100.0.2 to 10.100.127.255
> >
> > Group 2:
> > IP Range 10.100.128.1 to 10.100.255.255
> >
> > Server IP: 10.100.0.1
>
> I would recommend running two tinc daemons on the server, one for each
> group. That way, you don't have to use TunnelServer and Forwarding =
> kernel.
>
> > The problem is that I also need to isolate clients from group 1 from
> > reaching the server, but found no way to do that yet.
>
> If you use two tinc daemons, and then for group 1, you can add
> "DeviceType = dummy" to the server's tinc.conf. That way the server
> doesn't create a tun/tap interface at all, so it cannot send or receive
> packets for that group.
>
> > Tried with
> >
> > sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
> >
> > but this only works for blocking ping but it doesn't stop curl or
> > anything else.
>
> That command works better with -A instead of -D. It should then drop
> everything, not just ping packets, unless there is another rule earlier
> in the INPUT chain that explicitly allows that traffic.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
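Added example (not part of the thread, and not tinc's own code): a small POSIX shell script that puts Guus' two suggestions side by side. It writes one tinc.conf per daemon, with DeviceType = dummy for the group 1 daemon so the server has no tun/tap interface into that group, and it installs the INPUT rule from the original post with -I instead of -D. Inserting at position 1 covers the caveat in the reply: an earlier ACCEPT in INPUT would otherwise match first. The network names (group1, group2), the ports (655, 656), the interface name tinc_g2 and the DRY_RUN switch are assumptions for the example; the address ranges are the ones from the original post. With DRY_RUN=1 (the default) the script only prints the iptables commands, so it can be read and tested without touching a live firewall.

```shell
#!/bin/sh
# Added example, not code from the tinc thread. Assumed: network names
# group1/group2, ports 655/656, interface tinc_g2. DRY_RUN=1 (default)
# prints the iptables commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"
GROUP1_NET="10.100.0.0/17"   # group 1 range from the original post
SERVER_IP="10.100.0.1/32"    # server address from the original post

# One tinc.conf per daemon. The group 1 daemon gets DeviceType = dummy,
# so the server never creates an interface for that group and cannot
# send or receive packets on it. Two daemons on one host need two ports.
write_tinc_confs() {
    base="$1"
    mkdir -p "$base/group1" "$base/group2"
    cat > "$base/group1/tinc.conf" <<'EOF'
Name = server
Mode = router
Port = 655
DeviceType = dummy
EOF
    cat > "$base/group2/tinc.conf" <<'EOF'
Name = server
Mode = router
Port = 656
Interface = tinc_g2
EOF
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The rule from the post with -I ... 1 (insert at the top) rather than -D
# (delete): it must precede any ACCEPT already in INPUT to take effect.
# The -C check keeps a re-run from adding a duplicate rule.
isolation_rules() {
    if [ "$DRY_RUN" != "1" ] && \
       iptables -C INPUT -s "$GROUP1_NET" -d "$SERVER_IP" -j DROP 2>/dev/null; then
        echo "rule already present"
        return 0
    fi
    run iptables -I INPUT 1 -s "$GROUP1_NET" -d "$SERVER_IP" -j DROP
}

# Show the chain with positions, to confirm the DROP sits above any ACCEPT.
show_input_chain() {
    run iptables -L INPUT -n --line-numbers
}

isolation_rules
show_input_chain
```

Run it once with DRY_RUN=1 to review the commands, then with DRY_RUN=0 as root to apply them; the final listing shows the DROP at line 1 of INPUT, which is the property the reply's caveat is about. The configs are written by write_tinc_confs "/etc/tinc" (or a scratch directory first), one subdirectory per network, which is how tinc expects multiple daemons on one host to be laid out.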