Firewall rules for TINC server

Guus Sliepen guus at tinc-vpn.org
Mon Jan 16 15:02:06 CET 2017


On Mon, Jan 16, 2017 at 12:29:59PM +0000, Guillermo Bisheimer wrote:

> One more thing. I can run two tinc daemons one for each group, but I still
> need to communicate clients from one group to the other.
> 
> Clients from group 2 (admin group) need to reach clients from group 1
> (remote server group), but clients from group 1 must not be able to reach
> each other nor the server.
> 
> If I'm not using TunnelServer and Forwarding, how can I set up the routes
> between the two Tinc daemons?

For group 1, set TunnelServer = yes and Forwarding = off. This prevents
clients from seeing and talking to each other. Also don't use
DeviceType. Now that you have two VPN interfaces on the server, one for
group 1 and one for group 2, you can use the routing table and/or
firewall rules to control who can reach who.

You still need to block traffic from the clients to the server itself.
Instead of:

> sudo iptables -A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP

Try:

sudo iptables -A INPUT -i <group 1 interface> -j DROP

This should drop all packets from the clients. Note that the INPUT chain
only applies to packets destined for the server itself; packets that are
to be forwarded between group 1 and 2 go via the FORWARD chain.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
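A concrete rule set for the two-interface layout described in the reply above, added here as an example and not part of the original mail or of tinc itself. The interface names tinc_g1 and tinc_g2 are assumed stand-ins for the Interface setting of each daemon, and the script assumes the conntrack match is available so that group 1 hosts can answer admin connections without being allowed to initiate any.

```shell
#!/bin/sh
# Added example: INPUT protects the server itself, FORWARD decides which VPN
# interface may talk to which. Interface names below are assumptions.
set -eu

G1_IF="${G1_IF:-tinc_g1}"   # group 1 (remote servers): TunnelServer = yes, Forwarding = off
G2_IF="${G2_IF:-tinc_g2}"   # group 2 (admins)
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them

apply_tinc_rules() {
    # INPUT: nothing arriving on the group 1 interface may reach the server.
    "$IPT" -A INPUT -i "$G1_IF" -j DROP

    # FORWARD only matters once IP forwarding is enabled on the server.
    # Replies to sessions that admins opened are allowed first, so the
    # following DROP on group 1 never cuts an established admin session.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Admins (group 2) may open new connections into group 1.
    "$IPT" -A FORWARD -i "$G2_IF" -o "$G1_IF" -m conntrack --ctstate NEW -j ACCEPT
    # Group 1 may neither reach group 2 nor hairpin back into group 1
    # through the server's routing table.
    "$IPT" -A FORWARD -i "$G1_IF" -j DROP
}

# Only apply when explicitly asked, so the file can be sourced for review.
if [ "${1:-}" = "apply" ]; then
    apply_tinc_rules
fi
```

Run `IPT=echo sh tinc-fw.sh apply` to review the generated rules before applying them for real as root.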