Firewall rules for TINC server

Guillermo Bisheimer gbisheimer at bys-control.com.ar
Mon Jan 16 15:25:19 CET 2017


Thanks again Guus.

Will try your recommendations.

On Mon, Jan 16, 2017 at 11:02, Guus Sliepen (<guus at tinc-vpn.org>)
wrote:

> On Mon, Jan 16, 2017 at 12:29:59PM +0000, Guillermo Bisheimer wrote:
>
> > One more thing. I can run two tinc daemons one for each group, but I still
> > need to communicate clients from one group to the other.
> >
> > Clients from group 2 (admin group) need to reach clients from group 1
> > (remote server group), but clients from group 1 must not be able to reach
> > each other nor the server.
> >
> > If I'm not using TunnelServer and Forwarding, how can I set up the routes
> > between the two Tinc daemons?
>
> For group 1, set TunnelServer = yes and Forwarding = off. This prevents
> clients from seeing and talking to each other. Also don't use
> DeviceType. Now that you have two VPN interfaces on the server, one for
> group 1 and one for group 2, you can use the routing table and/or
> firewall rules to control who can reach who.
>
> You still need to block traffic from the clients to the server itself.
> Instead of:
>
> > sudo iptables -A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
>
> Try:
>
> sudo iptables -A INPUT -i <group 1 interface> -j DROP
>
> This should drop all packets from the clients. Note that the INPUT chain
> only applies to packets destined for the server itself, packets that are
> to be forwarded between group 1 and 2 go via the FORWARD chain.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
-- 

*Ing. Guillermo Bisheimer*

*B&S Sistemas de Control y Equipamientos*

Av. de los Constituyentes 1172

(E3116CIX) Crespo, Entre Ríos

Tel/Fax: (0343) 407-8990 (New number)

Cel: (0343) 154679052

WEB: www.bys-control.com.ar

e-mail: gbisheimer at bys-control.com.ar

skype: guillermo.bisheimer
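The rule set Guus describes, written out as an added example that is not part of the thread and not tinc's own code. It assumes the two daemons are bound to interfaces named tinc_g1 (group 1, remote servers, running with TunnelServer = yes and Forwarding = off) and tinc_g2 (group 2, admins); both names are assumptions and should match the Interface option in each daemon's tinc.conf. The INPUT rule is the one from the reply; the FORWARD rules add the group 2 to group 1 allow, the conntrack rule that lets replies return, and a final drop so group 1 hosts can neither initiate to group 2 nor be forwarded to each other through the server.

```shell
#!/bin/sh
# Added example: firewall rules for a tinc server running two daemons.
# Interface names below are assumptions; set them to the Interface option
# used in each daemon's tinc.conf.
G1_IF="${G1_IF:-tinc_g1}"   # group 1: remote servers (TunnelServer = yes, Forwarding = off)
G2_IF="${G2_IF:-tinc_g2}"   # group 2: admin clients

# The command used to install rules. Set IPT=print_rule to review the
# rules without touching the running firewall.
IPT="${IPT:-iptables}"
print_rule() { printf '%s\n' "$*"; }

apply_rules() {
    # INPUT only sees packets addressed to the server itself: nothing
    # on the server is reachable from group 1 clients.
    "$IPT" -A INPUT -i "$G1_IF" -j DROP

    # FORWARD sees packets routed between the two VPN interfaces.
    # Admins (group 2) may open connections to group 1 hosts.
    "$IPT" -A FORWARD -i "$G2_IF" -o "$G1_IF" -j ACCEPT
    # Replies to those connections are allowed back; this rule must
    # come before the drop below, since iptables matches in order.
    "$IPT" -A FORWARD -i "$G1_IF" -o "$G2_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything else arriving from group 1 is dropped: group 1 cannot
    # initiate to group 2, and group 1 hosts cannot reach each other
    # via the server's routing table (-i and -o would both be tinc_g1).
    "$IPT" -A FORWARD -i "$G1_IF" -j DROP
}

# Usage: ./tinc-fw.sh show    (print the rules)
#        ./tinc-fw.sh apply   (install them with iptables, as root)
case "${1:-}" in
    show)  IPT=print_rule; apply_rules ;;
    apply) apply_rules ;;
esac
```

The INPUT drop is the one Guus suggested; it is interface-based rather than address-based, so it holds even if a group 1 client spoofs a different source address inside the VPN. Because the script appends rules, check the existing chain policies and ordering with `iptables -S` before applying it on a server that already has rules.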