[[!meta title="tinc from behind a masquerading firewall"]]

## Example: tinc from behind a masquerading firewall

When running tinc from behind a masquerading firewall (not on the firewall itself), you must configure the firewall so that it lets the tinc traffic pass through without altering the source and destination ports. Example firewall rules are included below. They are written for iptables (the Linux 2.4 firewall code), but commented so that you can apply the same kind of rules to other firewalls.

[[!toc levels=2]]

### Overview

[[!img examples/fig-firewall.png]]

The network setup is as follows:

* Internal network is 10.20.30.0/24
* Firewall IP is 123.234.123.1 on the outside, 10.20.30.1/24 on the inside.
* Host running tinc has IP 10.20.30.42
* VPN the host wants to connect to has address range 192.168.0.0/16
* The host has its own VPN IP 192.168.10.20

### Configuration of the host running tinc

> host# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:20:30:40:50:60
>           inet addr:10.20.30.42  Bcast:10.20.30.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING  MTU:1500  Metric:1
>           ...
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:3856  Metric:1
>           ...
>
> vpn       Link encap:Point-to-Point Protocol
>           inet addr:192.168.10.20  P-t-P:192.168.10.20  Mask:255.255.0.0
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           ...
>
> host# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
> 192.168.0.0     *               255.255.0.0     U     0      0        0 vpn
> default         10.20.30.1      0.0.0.0         UG    0      0        0 eth0
>
> host# iptables -L -v
> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> host# iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination

### Configuration of tinc

> host# cat /etc/tinc/vpn/tinc.conf
> Name = atwork
> Device = /dev/tun
> ConnectTo = home
>
> host# cat /etc/tinc/vpn/tinc-up
> #!/bin/sh
>
> ifconfig vpn 192.168.10.20 netmask 255.255.0.0
>
> host# ls /etc/tinc/vpn/hosts
> atwork  home
>
> host# cat /etc/tinc/vpn/hosts/atwork
> Address = 123.234.123.1
> Subnet = 192.168.10.20/32
> -----BEGIN RSA PUBLIC KEY-----
> ...
> -----END RSA PUBLIC KEY-----
>
> host# cat /etc/tinc/vpn/hosts/home
> Address = 200.201.202.203
> Subnet = 192.168.1.0/24
> -----BEGIN RSA PUBLIC KEY-----
> ...
> -----END RSA PUBLIC KEY-----

### Configuration of the firewall

> firewall# ifconfig
> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:123.234.123.1  P-t-P:123.234.120.1  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
>           ...
>
> eth0      Link encap:Ethernet  HWaddr 00:20:13:14:15:16
>           inet addr:10.20.30.1  Bcast:10.20.30.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING  MTU:1500  Metric:1
>           ...
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:3856  Metric:1
>           ...
>
> firewall# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
> default         123.234.120.1   0.0.0.0         UG    0      0        0 ppp0
>
> firewall# iptables -L -v
> Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy DROP 1234 packets, 123K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  1234  123K ACCEPT     any  --  ppp0   eth0    anywhere             10.20.30.0/24
>  1234  123K ACCEPT     any  --  eth0   ppp0    10.20.30.0/24        anywhere
>
> Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> firewall# iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  1234  123K DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:655 to:10.20.30.42:655
>  1234  123K DNAT       udp  --  ppp0   any     anywhere             anywhere             udp dpt:655 to:10.20.30.42:655
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  1234  123K MASQUERADE all  --  eth0   ppp0    anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> firewall# cat /etc/init.d/firewall
> #!/bin/sh
>
> echo 1 >/proc/sys/net/ipv4/ip_forward
>
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
>
> iptables -t nat -F POSTROUTING
> # Next rule prevents masquerading from altering the source port of outbound tinc packets
> iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655
> iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
>
> iptables -t nat -F PREROUTING
> # Next two rules forward incoming tinc packets to the host behind the firewall running tinc
> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655
> iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655
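The order of the two POSTROUTING rules in the script above is the part most easily broken by a later edit: iptables takes the first matching rule, so if the catch-all MASQUERADE ends up in front of the `--sport 655 ... --to-ports 655` rule, that rule never fires and nothing guarantees that tinc's UDP source port survives the masquerade. The following added example (not part of the tinc page or project) audits a dump in `iptables-save -t nat` format for exactly that ordering and for the two DNAT rules. The interface name, internal host and port are the ones used on this page; both dumps are constructed sample input, the second one with the POSTROUTING rules deliberately swapped.

```shell
#!/bin/sh
# Added example, not from the tinc page: audit an `iptables-save -t nat` style
# dump for the two properties the ruleset above depends on.
#   1. In POSTROUTING the first matching rule wins, so the UDP sport-655
#      MASQUERADE with --to-ports 655 must come BEFORE the catch-all
#      MASQUERADE on the external interface.
#   2. PREROUTING must DNAT tcp and udp dport 655 to the internal tinc host.
# Interface, host and port values are the page's; both dumps are constructed.

EXT_IF=ppp0
TINC_HOST=10.20.30.42:655

# Constructed dump matching the page's /etc/init.d/firewall ruleset.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 655 -j DNAT --to-destination 10.20.30.42:655
-A PREROUTING -i ppp0 -p udp -m udp --dport 655 -j DNAT --to-destination 10.20.30.42:655
-A POSTROUTING -o ppp0 -p udp -m udp --sport 655 -j MASQUERADE --to-ports 655
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# Same rules with the two POSTROUTING lines swapped: the catch-all now shadows
# the port-preserving rule, so tinc's source port is no longer guaranteed.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 655 -j DNAT --to-destination 10.20.30.42:655
-A PREROUTING -i ppp0 -p udp -m udp --dport 655 -j DNAT --to-destination 10.20.30.42:655
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -p udp -m udp --sport 655 -j MASQUERADE --to-ports 655
COMMIT'

# check_masq_order DUMP EXT_IF
# Succeeds when a "--sport 655 ... --to-ports 655" MASQUERADE on EXT_IF exists
# and precedes the first catch-all MASQUERADE on the same interface.
check_masq_order() {
    printf '%s\n' "$1" | awk -v ext="$2" '
        $1 == "-A" && $2 == "POSTROUTING" && / -j MASQUERADE/ && index($0, " -o " ext " ") > 0 {
            n++
            if (/--sport 655/ && /--to-ports 655/) { if (keep == 0) keep = n }
            else if (!/--sport/ && !/--to-ports/)  { if (catchall == 0) catchall = n }
        }
        END { exit ((keep > 0 && (catchall == 0 || keep < catchall)) ? 0 : 1) }'
}

# check_dnat DUMP PROTO TARGET
# Succeeds when PREROUTING DNATs PROTO dport 655 to TARGET (host:port).
check_dnat() {
    printf '%s\n' "$1" | grep -q "^-A PREROUTING .*-p $2 .*--dport 655 -j DNAT --to-destination $3\$"
}

# audit_nat DUMP: run all checks, report, and fail on the first problem found.
audit_nat() {
    check_masq_order "$1" "$EXT_IF" || { echo "FAIL: catch-all MASQUERADE on $EXT_IF shadows the --sport 655 rule (or it is missing)"; return 1; }
    check_dnat "$1" tcp "$TINC_HOST" || { echo "FAIL: no tcp/655 DNAT to $TINC_HOST"; return 1; }
    check_dnat "$1" udp "$TINC_HOST" || { echo "FAIL: no udp/655 DNAT to $TINC_HOST"; return 1; }
    echo "OK: tinc NAT rules present and correctly ordered"
}

# Demo run; on a real firewall feed it the live table: audit_nat "$(iptables-save -t nat)"
audit_nat "$GOOD_DUMP"
audit_nat "$BAD_DUMP" || echo "(expected: the swapped ruleset fails the audit)"
```

The check is deliberately narrow: it only looks at MASQUERADE rules on the external interface and only at the two DNAT rules the page installs, so other rules in the table do not affect the result.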