X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=examples%2Fmasquerading-firewall.mdwn;h=e9e47dd81f185cc46cf38328de44a159a72707d0;hb=02682b2979ef9831c8935542302546d42fb84d2d;hp=75d6f75d2c973ebbf3e1cee4ce4658a4f542e7f4;hpb=bf3343ca2d0c70750e5e3e04cccc229457a49eb5;p=wiki
diff --git a/examples/masquerading-firewall.mdwn b/examples/masquerading-firewall.mdwn
index 75d6f75..e9e47dd 100644
--- a/examples/masquerading-firewall.mdwn
+++ b/examples/masquerading-firewall.mdwn
@@ -25,142 +25,142 @@ The network setup is as follows:
 ### Configuration of the host running tinc
-> host# ifconfig
-> eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
-> inet addr: Bcast: Mask:
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr: Mask:
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> vpn Link encap:Point-to-Point Protocol
-> inet addr: P-t-P: Mask:
-> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
-> ...
->
-> host# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> * U 0 0 0 eth0
-> * U 0 0 0 vpn
-> default UG 0 0 0 eth0
->
-> host# iptables -L -v
-> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
-> pkts bytes target prot opt in out source destination
->
-> host# iptables -L -v -t nat
-> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
+ host# ifconfig
+ eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
+ inet addr: Bcast: Mask:
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr: Mask:
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ vpn Link encap:Point-to-Point Protocol
+ inet addr: P-t-P: Mask:
+ UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
+ ...
+
+ host# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ * U 0 0 0 eth0
+ * U 0 0 0 vpn
+ default UG 0 0 0 eth0
+
+ host# iptables -L -v
+ Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
+ pkts bytes target prot opt in out source destination
+
+ host# iptables -L -v -t nat
+ Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
 ### Configuration of tinc
-> host# cat /etc/tinc/vpn/tinc.conf
-> Name = atwork
-> ConnectTo = home
->
-> host# cat /etc/tinc/vpn/tinc-up
-> #!/bin/sh
->
-> ifconfig $INTERFACE netmask
->
-> host# ls /etc/tinc/vpn/hosts
-> atwork home
->
-> host# cat /etc/tinc/vpn/hosts/atwork
-> Address =
-> Subnet =
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
->
-> host# cat /etc/tinc/vpn/hosts/home
-> Address =
-> Subnet =
-> -----BEGIN RSA PUBLIC KEY-----
-> ...
-> -----END RSA PUBLIC KEY-----
+ host# cat /etc/tinc/vpn/tinc.conf
+ Name = atwork
+ ConnectTo = home
+
+ host# cat /etc/tinc/vpn/tinc-up
+ #!/bin/sh
+
+ ifconfig $INTERFACE netmask
+
+ host# ls /etc/tinc/vpn/hosts
+ atwork home
+
+ host# cat /etc/tinc/vpn/hosts/atwork
+ Address =
+ Subnet =
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
+
+ host# cat /etc/tinc/vpn/hosts/home
+ Address =
+ Subnet =
+ -----BEGIN RSA PUBLIC KEY-----
+ ...
+ -----END RSA PUBLIC KEY-----
 ### Configuration of the firewall
-> firewall# ifconfig
-> ppp0 Link encap:Point-to-Point Protocol
-> inet addr: P-t-P: Mask:
-> UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
-> ...
->
-> eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
-> inet addr: Bcast: Mask:
-> UP BROADCAST RUNNING MTU:1500 Metric:1
-> ...
->
-> lo Link encap:Local Loopback
-> inet addr: Mask:
-> UP LOOPBACK RUNNING MTU:3856 Metric:1
-> ...
->
-> firewall# route
-> Kernel IP routing table
-> Destination Gateway Genmask Flags Metric Ref Use Iface
-> * U 0 0 0 eth0
-> default UG 0 0 0 ppp0
->
-> firewall# iptables -L -v
-> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
->
-> Chain FORWARD (policy DROP 1234 packets, 123K bytes)
-> pkts bytes target prot opt in out source destination
-> 1234 123K ACCEPT any -- ppp0 eth0 anywhere
-> 1234 123K ACCEPT any -- eth0 ppp0 anywhere
->
-> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
-> pkts bytes target prot opt in out source destination
->
-> firewall# iptables -L -v -t nat
-> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
-> 1234 123K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:655 to:
-> 1234 123K DNAT udp -- ppp0 any anywhere anywhere udp dpt:655 to:
->
-> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
-> 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere
->
-> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
-> pkts bytes target prot opt in out source destination
->
-> firewall# cat /etc/init.d/firewall
-> #!/bin/sh
->
-> echo 1 >/proc/sys/net/ipv4/ip_forward
->
-> iptables -P FORWARD DROP
-> iptables -F FORWARD
-> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d
-> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s
->
-> iptables -t nat -F POSTROUTING
-> # Next rule prevents masquerading from altering source port of outbound tinc packets
-> iptables -t nat -A POSTROUTING -p udp -m udp -sport 655 -j MASQUERADE -o ppp0 --to-ports 655
-> iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
->
-> iptables -t nat -F PREROUTING
-> # Next two rules forward incoming tinc packets to the host behind the firewall running tinc
-> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to
-> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to
+ firewall# ifconfig
+ ppp0 Link encap:Point-to-Point Protocol
+ inet addr: P-t-P: Mask:
+ UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
+ ...
+
+ eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
+ inet addr: Bcast: Mask:
+ UP BROADCAST RUNNING MTU:1500 Metric:1
+ ...
+
+ lo Link encap:Local Loopback
+ inet addr: Mask:
+ UP LOOPBACK RUNNING MTU:3856 Metric:1
+ ...
+
+ firewall# route
+ Kernel IP routing table
+ Destination Gateway Genmask Flags Metric Ref Use Iface
+ * U 0 0 0 eth0
+ default UG 0 0 0 ppp0
+
+ firewall# iptables -L -v
+ Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+
+ Chain FORWARD (policy DROP 1234 packets, 123K bytes)
+ pkts bytes target prot opt in out source destination
+ 1234 123K ACCEPT any -- ppp0 eth0 anywhere
+ 1234 123K ACCEPT any -- eth0 ppp0 anywhere
+
+ Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
+ pkts bytes target prot opt in out source destination
+
+ firewall# iptables -L -v -t nat
+ Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+ 1234 123K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:655 to:
+ 1234 123K DNAT udp -- ppp0 any anywhere anywhere udp dpt:655 to:
+
+ Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+ 1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere
+
+ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+ firewall# cat /etc/init.d/firewall
+ #!/bin/sh
+
+ echo 1 >/proc/sys/net/ipv4/ip_forward
+
+ iptables -P FORWARD DROP
+ iptables -F FORWARD
+ iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d
+ iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s
+
+ iptables -t nat -F POSTROUTING
+ # Next rule prevents masquerading from altering source port of outbound tinc packets
+ iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655
+ iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
+
+ iptables -t nat -F PREROUTING
+ # Next two rules forward incoming tinc packets to the host behind the firewall running tinc
+ iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to
+ iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to