Firewall rules for TINC server

Guillermo Bisheimer gbisheimer at bys-control.com.ar
Mon Jan 16 13:29:59 CET 2017


Thanks for the answer Guus,

One more thing. I can run two tinc daemons one for each group, but I still
need to communicate clients from one group to the other.

Clients from group 2 (admin group) need to reach clients from group 1
(remote server group), but clients from group 1 must not be able to reach
each other nor the server.

If I'm not using TunnelServer and Forwarding, how can I set up the routes
between the two Tinc daemons?

Thanks!
On Sun, 15 Jan 2017 at 11:29, Ramesh (<nramesh1 at gmail.com>) wrote:

> thanks, but i was able to make it work based on some suggestion on tomato
> shibby forums.
>
> Regards
>
> Ramesh
>
> On Sun, Jan 15, 2017 at 9:02 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
>
> On Fri, Jan 13, 2017 at 06:53:07PM +0000, Guillermo Bisheimer wrote:
>
> > I've setup a Tinc VPN for a bunch of nodes divided in two groups:
> >
> > Group 1:
> > IP Range 10.100.0.2 to 10.100.127.255
> >
> > Group 2:
> > IP Range 10.100.128.1 to 10.100.255.255
> >
> > Server IP: 10.100.0.1
>
> I would recommend running two tinc daemons on the server, one for each
> group. That way, you don't have to use TunnelServer and Forwarding =
> kernel.
>
> > The problem is that I also need to isolate clients from group 1 from
> > reaching the server, but found no way to do that yet.
>
> If you use two tinc daemons, and then for group 1, you can add
> "DeviceType = dummy" to the server's tinc.conf. That way the server
> doesn't create a tun/tap interface at all, so it cannot send or receive
> packets for that group.
>
> > Tried with
> >
> > sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
> >
> > but this only works for blocking ping but it doesn't stop curl or
> anything
> > else.
>
> That command works better with -A instead of -D. It should then drop
> everything, not just ping packets, unless there is another rule earlier
> in the INPUT chain that explicitly allows that traffic.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
-- 

*Ing. Guillermo Bisheimer*

*B&S Sistemas de Control y Equipamientos*

Av. de los Constituyentes 1172

(E3116CIX) Crespo, Entre Ríos

Tel/Fax: (0343) 407-8990 (new number)

Mobile: (0343) 154679052

WEB: www.bys-control.com.ar

e-mail: gbisheimer at bys-control.com.ar

skype: guillermo.bisheimer
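An added illustration, not code from this thread, from tinc or from netfilter: a small Python model of iptables INPUT-chain evaluation (first matching rule wins). It shows why the `-D` form of the command in the quoted message changes nothing (it only deletes), and why even the `-A` form is shadowed when an earlier rule already accepts the traffic, which is the caveat Guus raises. The address ranges and the server address are the ones from the thread; the broad `10.100.0.0/16` ACCEPT rule and the sample client addresses are constructed assumptions.

```python
"""Toy model of iptables chain evaluation (constructed example, not netfilter code).

Rules are matched top to bottom; the first match decides the verdict and the
chain policy applies when nothing matches. This mirrors the ordering caveat
in the thread: an appended (-A) DROP never fires if an earlier ACCEPT matches.
"""
import ipaddress
import shlex

SERVER = "10.100.0.1"         # server address from the thread
GROUP1_NET = "10.100.0.0/17"  # group 1 range from the thread


def parse_rule(cmd):
    """Parse a small subset of iptables syntax:
    [sudo] iptables (-A|-I|-D) CHAIN [-s NET] [-d NET] [-p PROTO] -j TARGET
    Returns (operation, chain, rule_dict)."""
    tokens = shlex.split(cmd)
    if tokens and tokens[0] == "sudo":
        tokens = tokens[1:]
    if not tokens or tokens[0] != "iptables":
        raise ValueError("expected an iptables command")
    rule = {"src": None, "dst": None, "proto": None, "target": None}
    op = chain = None
    i = 1
    while i < len(tokens):
        flag, arg = tokens[i], tokens[i + 1]
        if flag in ("-A", "-I", "-D"):
            op, chain = flag, arg
        elif flag == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif flag == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        elif flag == "-p":
            rule["proto"] = arg
        elif flag == "-j":
            rule["target"] = arg
        else:
            raise ValueError(f"unsupported flag {flag}")
        i += 2
    return op, chain, rule


class Chain:
    """One chain with a default policy and an ordered rule list."""

    def __init__(self, policy="ACCEPT"):
        self.rules = []
        self.policy = policy

    def apply(self, cmd):
        op, _chain, rule = parse_rule(cmd)
        if op == "-A":            # append at the end
            self.rules.append(rule)
        elif op == "-I":          # insert at the top
            self.rules.insert(0, rule)
        elif op == "-D":          # delete the first identical rule, if any;
            if rule in self.rules:  # real iptables errors out when none exists
                self.rules.remove(rule)
        return self

    def verdict(self, src, dst, proto):
        """Return the target of the first matching rule, else the policy."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if r["src"] is not None and src_ip not in r["src"]:
                continue
            if r["dst"] is not None and dst_ip not in r["dst"]:
                continue
            if r["proto"] is not None and r["proto"] != proto:
                continue
            return r["target"]
        return self.policy


def scenario_delete_only():
    """The exact command from the thread: -D deletes, so no rule is added."""
    chain = Chain().apply(
        "sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP")
    return chain.verdict("10.100.5.7", SERVER, "tcp")


def scenario_append_after_accept():
    """An earlier ACCEPT for the whole VPN range (constructed) shadows an appended DROP."""
    chain = (Chain()
             .apply("iptables -A INPUT -s 10.100.0.0/16 -j ACCEPT")
             .apply("iptables -A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP"))
    return chain.verdict("10.100.5.7", SERVER, "tcp")


def scenario_insert_first():
    """Inserting the DROP at the top puts it ahead of the broad ACCEPT.
    Returns verdicts for a group 1 client and a group 2 client."""
    chain = (Chain()
             .apply("iptables -A INPUT -s 10.100.0.0/16 -j ACCEPT")
             .apply("iptables -I INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP"))
    group1_client, group2_client = "10.100.5.7", "10.100.200.1"   # constructed
    return (chain.verdict(group1_client, SERVER, "tcp"),
            chain.verdict(group2_client, SERVER, "tcp"))


if __name__ == "__main__":
    print("-D only:            ", scenario_delete_only())
    print("-A after ACCEPT:    ", scenario_append_after_accept())
    print("-I before ACCEPT:   ", scenario_insert_first())
```

The model deliberately ignores connection tracking and other tables; its point is ordering. On a real host, `iptables -L INPUT -n --line-numbers` shows where an added rule landed relative to any existing ACCEPT, which is the check to make when a DROP that looks correct does not take effect.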