Firewall rules for TINC server

Guillermo Bisheimer gbisheimer at bys-control.com.ar
Mon Jan 16 13:33:30 CET 2017


There was a mistake in the firewall rule I posted earlier:

 sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP

As you stated, I was using -A instead of -D, but that only stops ping
packets, not anything else.



On Mon, Jan 16, 2017 at 9:29, Guillermo Bisheimer (<
gbisheimer at bys-control.com.ar>) wrote:

> Thanks for the answer Guus,
>
> One more thing. I can run two tinc daemons, one for each group, but I still
> need to communicate clients from one group to the other.
>
> Clients from group 2 (admin group) need to reach clients from group 1
> (remote server group), but clients from group 1 must not be able to reach
> each other nor the server.
>
> If I'm not using TunnelServer and Forwarding, how can I set up the routes
> between the two Tinc daemons?
>
> Thanks!
>
>
>
>
>
> On Sun, Jan 15, 2017 at 11:29, Ramesh (<nramesh1 at gmail.com>) wrote:
>
> Thanks, but I was able to make it work based on some suggestions on the
> Tomato Shibby forums.
>
> Regards
>
> Ramesh
>
> On Sun, Jan 15, 2017 at 9:02 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
>
> On Fri, Jan 13, 2017 at 06:53:07PM +0000, Guillermo Bisheimer wrote:
>
> > I've set up a Tinc VPN for a bunch of nodes divided into two groups:
> >
> > Group 1:
> > IP Range 10.100.0.2 to 10.100.127.255
> >
> > Group 2:
> > IP Range 10.100.128.1 to 10.100.255.255
> >
> > Server IP: 10.100.0.1
>
> I would recommend running two tinc daemons on the server, one for each
> group. That way, you don't have to use TunnelServer and Forwarding =
> kernel.
>
> > The problem is that I also need to isolate clients from group 1 from
> > reaching the server, but found no way to do that yet.
>
> If you use two tinc daemons, then for group 1 you can add
> "DeviceType = dummy" to the server's tinc.conf. That way the server
> doesn't create a tun/tap interface at all, so it cannot send or receive
> packets for that group.
>
> > Tried with
> >
> > sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
> >
> > but this only works for blocking ping; it doesn't stop curl or anything
> > else.
>
> That command works better with -A instead of -D. It should then drop
> everything, not just ping packets, unless there is another rule earlier
> in the INPUT chain that explicitly allows that traffic.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
-- 

*Ing. Guillermo Bisheimer*

*B&S Sistemas de Control y Equipamientos*

Av. de los Constituyentes 1172

(E3116CIX) Crespo, Entre Ríos

Tel/Fax: (0343) 407-8990 (New number)

Cel: (0343) 154679052

WEB: www.bys-control.com.ar

e-mail: gbisheimer at bys-control.com.ar

skype: guillermo.bisheimer
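Guus's point that the DROP only works if no earlier INPUT rule already accepts that traffic is easy to check mechanically. The script below is an added example, not part of the thread: it reads `iptables -S INPUT` output (a constructed sample ruleset is embedded here) and reports whether the group-1 DROP for 10.100.0.0/17 -> 10.100.0.1/32 is shadowed by an ACCEPT that can match new connections from that range. The sample rules and the `check_drop_order` name are assumptions for the demonstration.

```shell
# Constructed sample of `iptables -S INPUT` (not a real host): the group-1
# DROP is last, after an ACCEPT for all TCP on the tinc interface, so curl
# from group 1 still reaches the server while ICMP is dropped.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -p tcp -j ACCEPT
-A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP'

# Usage: iptables -S INPUT | check_drop_order SRC DST
# Prints "ok" if the DROP for SRC->DST precedes any ACCEPT that could match
# a new connection from SRC, "shadowed by rule N: ..." otherwise, and
# "missing" if no such DROP exists. Rules scoped to another source or
# destination, to the loopback interface, or to ESTABLISHED-only state
# cannot match a new group-1 packet and are ignored.
check_drop_order() {
    awk -v src="$1" -v dst="$2" '
    # Return the value following option "opt" in this rule, or "" if absent.
    function has(opt,    k) {
        for (k = 1; k <= NF; k++) if ($k == opt) return $(k + 1)
        return ""
    }
    /^-A INPUT / {
        n++
        if ($0 ~ "-j DROP" && has("-s") == src && has("-d") == dst) {
            drop = n; exit        # exit still runs the END block
        }
        if ($0 ~ "-j ACCEPT") {
            s = has("-s"); d = has("-d"); ifc = has("-i"); st = has("--ctstate")
            if ((s == "" || s == src) && (d == "" || d == dst) &&
                ifc != "lo" && (st == "" || st ~ /NEW/)) {
                shadow = n; shadow_rule = $0
            }
        }
    }
    END {
        if (!drop)        print "missing"
        else if (shadow)  print "shadowed by rule " shadow ": " shadow_rule
        else              print "ok"
    }'
}

printf '%s\n' "$SAMPLE_RULES" | check_drop_order 10.100.0.0/17 10.100.0.1/32
```

On the sample it reports rule 3 as the shadowing ACCEPT; once the DROP is inserted above it (for example with `-I INPUT 1`), the same check prints "ok".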