firewalling / netfilter / iptables / tcpdump on the vpn

xavier list.tinc at natch.dyndns.org
Mon May 8 16:23:10 CEST 2006


On Mon, May 08, 2006 at 09:31:15AM -0400, Russell Handorf wrote:
> Use the FORWARD rule. 

Yes, of course, sorry for not mentioning that.

Like I said, tcpdump -i vpn1 -n didn't show anything going from host a to b,
and iptables -I FORWARD -j LOG didn't show anything going from host a to b either.

The firewall on the FORWARD rule between the vpn1 interface and any other interface is working
great, but I want to firewall packets on the vpn.

> If you have the interfaces bridged, you'll need to 
> use the firewalling support for bridging option.


The vpn mode is "router".

On the vpn server I have only one physical interface, eth0.

I have no interfaces bridged (maybe vpn1 is a bridged interface?).

What bridged interfaces are we talking about?
What should I do to be able to see traffic between host a and b when I run tcpdump on interface vpn1 on the
vpn server?

Thanks

> 
> r
> 
> xavier wrote:
> >Hi !
> >
> >I tried tinc, I'm very happy with it;
> >however, I have difficulties firewalling on the vpn itself.
> >Here is my situation and what I'm experiencing:
> >
> >
> >
> >hosta ----|
> >         vpn server
> >hostb ----|
> >
> >
> >My interface is named vpn1.
> >
> >I can firewall connections starting from host a and b to the vpn server
> >(on the vpn server) (iptables -A INPUT -i vpn1 bla bla).
> >
> >I can firewall connections starting from host a to host b (on host a and b).
> >
> >I can NOT firewall connections starting from host a to host b on the vpn
> >server.
> >
> >
> >Actually, tcpdump reports the same thing:
> >
> >I can't see the traffic between host a and b,
> >even if technically it's going through the vpn server (I can see the
> >encrypted traffic on eth0 of the vpn server).
> >
> >It's a problem when you want to restrict access, from the vpn server,
> >between 2 vpn hosts.
> >
> >
> >
> >Any solution?
> >
> >I guess I could create an interface for each host (vpnhosta,
> >vpnhostb...) but this would be a pain to manage.
> >
> >Thanks
> >

-- 
xavier
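As an added note, not part of the thread: in router mode tincd relays packets between two peers inside its own process by default, so they never cross the server's vpn1 device, which matches what tcpdump -i vpn1 and the FORWARD LOG rule showed above. tinc 1.0.9 and later offer the Forwarding option in tinc.conf; the two fragments below are constructed examples (the host name vpnserver is a placeholder), with the default setting beside the one that hands peer-to-peer packets to the kernel so FORWARD rules on vpn1 apply.

```ini
# /etc/tinc/vpn1/tinc.conf on the vpn server (constructed example)
# Default behaviour: tincd forwards hosta <-> hostb packets itself, so they
# never appear on vpn1 and the kernel's FORWARD chain never sees them.
Name = vpnserver
Mode = router
Interface = vpn1
Forwarding = internal

# Same file with Forwarding = kernel (tinc 1.0.9 or newer): a packet destined
# for another peer is written to vpn1, routed and filtered by the kernel, and
# read back from vpn1, so "tcpdump -i vpn1" and a rule such as
# "iptables -A FORWARD -i vpn1 -o vpn1 -s <hosta> -d <hostb> -j DROP" take effect.
Name = vpnserver
Mode = router
Interface = vpn1
Forwarding = kernel
```

With Forwarding = kernel the server also needs net.ipv4.ip_forward enabled and routes for the peer subnets pointing at vpn1, otherwise the kernel drops the packets instead of handing them back to tincd.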

