firewalling / netfilter / iptables / tcpdump on the vpn

xavier list.tinc at natch.dyndns.org
Tue May 9 16:01:07 CEST 2006


On Mon, May 08, 2006 at 04:42:31PM +0200, Guus Sliepen wrote:
> On Mon, May 08, 2006 at 09:11:34AM -0400, xavier wrote:
> 

> > it's a problem when you want to restrict access from the vpn server, between 2 vpn hosts.
> > 
> > any solution ?
> 
> You can try to add the following two lines to route_ipv4_unicast() in
> src/route.c right above the line "via = ...":
> 
> 	send_packet(myself, packet);
> 	return;
> 
> You can also do the same in route_ipv6_unicast() if you also use IPv6 on
> the VPN.
> 
> If this works without problems for you, I can make an option that
> enables that behaviour.



I can see the traffic now. I have to punch holes now that the traffic is blocked :-)

I saw normal traffic, but duplicate ICMP:

2006-05-09 09:38:44.085991 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086366 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086413 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086500 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086521 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086601 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086622 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086730 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086750 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086829 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086848 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086928 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086948 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.087028 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.087047 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.087127 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.087146 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.087226 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.087246 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.087327 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.087347 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request


Isn't it strange to return; without having send_packet(subnet->owner, packet); ?

Is the return necessary?
Anyway, I can see the traffic on vpn1 on the vpn server,
however it's not visible anymore on host b (the host I'm trying to reach).
(no firewalling implied)

thanks

bye

-- 
xavier
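
One way to quantify the duplicate ICMP burst reported in the capture above, as an added example that is not part of the original post or of tinc. It groups identical summary lines that follow each other within a short window; the 5 ms window, the three-copy threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the text format of the capture quoted above:
# two normal ping exchanges one second apart, then a sub-millisecond burst.
SAMPLE = """\
2006-05-09 09:38:42.080000 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:42.081000 10.0.2.7 -> 10.0.2.2 ICMP Echo (ping) reply
2006-05-09 09:38:43.080000 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:43.081000 10.0.2.7 -> 10.0.2.2 ICMP Echo (ping) reply
2006-05-09 09:38:44.085991 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086366 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086413 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086500 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
2006-05-09 09:38:44.086521 10.0.2.2 -> 10.0.2.7 ICMP Echo (ping) request
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+) (\S+) (.*)$")

def parse(text):
    """Yield (timestamp, (src, dst, proto, info)) for each summary line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.groups()[1:]

def find_bursts(text, window=timedelta(milliseconds=5), min_copies=3):
    """Return [(key, first_ts, last_ts, count)] for runs of identical lines
    in which every copy arrives within `window` of the previous one.
    Summary lines carry no ICMP id/seq, so this is a timing heuristic."""
    bursts, runs = [], {}          # runs: key -> [first_ts, last_ts, count]
    for ts, key in parse(text):
        run = runs.get(key)
        if run and ts - run[1] <= window:
            run[1], run[2] = ts, run[2] + 1
            continue
        if run and run[2] >= min_copies:
            bursts.append((key, *run))   # previous run ended, keep it
        runs[key] = [ts, ts, 1]
    bursts += [(k, *r) for k, r in runs.items() if r[2] >= min_copies]
    return sorted(bursts, key=lambda b: b[1])

if __name__ == "__main__":
    for (src, dst, proto, info), first, last, n in find_bursts(SAMPLE):
        span_us = (last - first).total_seconds() * 1e6
        print(f"{n} copies of {src} -> {dst} {proto} {info} in {span_us:.0f} us")
```

Running the capture with a verbose decode that shows the ICMP id and sequence number would confirm whether the lines in a burst are copies of one packet.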

