Question concerning iptables and the example at tinc's homepage

Guus Sliepen guus at tinc-vpn.org
Tue Nov 29 16:25:07 CET 2005


On Mon, Nov 28, 2005 at 05:21:27PM +0100, Reil wrote:

> In July 2004 I received an e-mail from you concerning the way a 
> packet takes across a (tinc) VPN:
> 
> > They are forwarded from eth0 to tap0, but the kernel doesn't know that
> > tinc is forwarding them from tap0 to ippp0. So, the UDP and TCP
> > packets that tinc sends will be seen by the OUTPUT chain instead of
> > the FORWARD chain. At the other end, the received UDP and TCP packets
> > will be seen by the INPUT chain. When tinc sends the packets to tap0,
> > they will be forwarded to eth0 and then you should use the FORWARD
> > chain again.
> 
> Now I'm confused because, looking at 
> http://www.tinc-vpn.org/examples/on-firewall
> the example iptables rules look like this:
> 
> --- schnipp ---
> ...
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
> iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
> iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16
> ...
> --- schnapp ---
> 
> I don't understand the first two ACCEPT rules. They allow all 
> traffic from outside to inside and vice versa. Shouldn't there be 
> INPUT / OUTPUT rules ACCEPTing only TCP / UDP on port 655 instead of 
> these two FORWARD rules?

It has been a long time since I made that example, but IIRC, the first
two ACCEPT rules are necessary if you are masquerading traffic from the
local network to the Internet. If you are not masquerading, then you are
right, those two FORWARD rules should not be there. And you will always
need to allow TCP/UDP on port 655 to/from the Internet.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at sliepen.eu.org>
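The following script is an added illustration of the point made in this thread; it is not the example from the tinc website nor code from the tinc project. It assumes the interface names and address ranges used in the quoted example (eth0 = LAN 10.20.30.0/24, ppp0 = Internet, vpn = tinc interface carrying 10.20.0.0/16) and tinc's default port 655. The daemon's own TCP/UDP traffic is matched in INPUT/OUTPUT on the Internet interface, the decrypted VPN traffic is matched in FORWARD between vpn and eth0, and the two LAN-to-Internet FORWARD rules are only added when masquerading is requested. As an assumption of my own, the Internet-to-LAN rule in the masquerading case is restricted to ESTABLISHED,RELATED replies rather than accepting everything as the website example does.

```shell
#!/bin/sh
# Added example (not tinc's own configuration). Interface names, networks and
# port 655 are taken from the mailing-list thread; everything else is assumed.
# Set IPT=echo to print the rules instead of applying them (no root needed).
IPT="${IPT:-iptables}"
LAN_IF=eth0           # local network
INET_IF=ppp0          # Internet uplink
VPN_IF=vpn            # tinc's tun/tap interface
LAN_NET=10.20.30.0/24
VPN_NET=10.20.0.0/16
TINC_PORT=655

# tinc's encrypted TCP/UDP packets are generated by the daemon on this host,
# so they cross INPUT (incoming) and OUTPUT (outgoing), never FORWARD.
tinc_daemon_rules() {
    for proto in tcp udp; do
        # peers connecting / sending to our daemon
        $IPT -A INPUT  -i "$INET_IF" -p "$proto" --dport "$TINC_PORT" -j ACCEPT
        # our daemon connecting / sending to peers
        $IPT -A OUTPUT -o "$INET_IF" -p "$proto" --dport "$TINC_PORT" -j ACCEPT
    done
    # replies belonging to those connections
    $IPT -A INPUT  -i "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Decrypted VPN traffic appears on the vpn interface and is routed to/from
# the LAN, so it is seen by the FORWARD chain.
vpn_forward_rules() {
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -d "$VPN_NET" -j ACCEPT
}

# Only needed when this firewall also masquerades the LAN towards the
# Internet; without masquerading these FORWARD rules should be absent.
masquerade_rules() {
    $IPT -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$INET_IF" -s "$LAN_NET" -j ACCEPT
    # assumption: only replies to LAN-initiated traffic, not all Internet traffic
    $IPT -A FORWARD -i "$INET_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# usage: firewall_rules [masquerade]
firewall_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    tinc_daemon_rules
    vpn_forward_rules
    if [ "${1:-}" = masquerade ]; then
        masquerade_rules
    fi
    return 0
}

# Apply only when explicitly asked: "sh tinc-fw.sh apply [masquerade]"
if [ "${1:-}" = apply ]; then
    firewall_rules "${2:-}"
fi
```

Run `IPT=echo sh tinc-fw.sh apply masquerade` to review the generated rule set before applying it as root; the FORWARD policy is set to DROP before any rule is added, so a missing rule shows up as blocked traffic rather than as an unintended hole.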