Hi to all.

I've set up a Tinc VPN for a bunch of nodes divided in two groups:

Group 1: IP range 10.100.0.2 to 10.100.127.255
Group 2: IP range 10.100.128.1 to 10.100.255.255
Server IP: 10.100.0.1

Every client connects only to the server. In the server I have the following tinc.conf:

    Name = server
    AddressFamily = ipv4
    Interface = tun0
    TunnelServer = yes
    Forwarding = kernel
    ListenAddress = * 655

And using iptables I managed to isolate the clients in group 1 from seeing each other using the following rule:

    sudo iptables -A FORWARD -s 10.100.0.0/17 -d 10.100.0.0/17 -j DROP

Group 1 and 2 can see each other, but clients from group 1 cannot.

The problem is that I also need to isolate clients from group 1 from reaching the server, but have found no way to do that yet. Tried with

    sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP

but this only works for blocking ping; it doesn't stop curl or anything else.

Any help would be appreciated. Thanks!

-- 
Ing. Guillermo Bisheimer
B&S Sistemas de Control y Equipamientos
Av. de los Constituyentes 1172 (E3116CIX) Crespo, Entre Ríos
Tel/Fax: (0343) 407-8990 (new number)
Cel: (0343) 154679052
WEB: www.bys-control.com.ar
e-mail: gbisheimer at bys-control.com.ar
skype: guillermo.bisheimer
On Fri, Jan 13, 2017 at 06:53:07PM +0000, Guillermo Bisheimer wrote:

> I've set up a Tinc VPN for a bunch of nodes divided in two groups:
>
> Group 1:
> IP range 10.100.0.2 to 10.100.127.255
>
> Group 2:
> IP range 10.100.128.1 to 10.100.255.255
>
> Server IP: 10.100.0.1

I would recommend running two tinc daemons on the server, one for each group. That way, you don't have to use TunnelServer and Forwarding = kernel.

> The problem is that I also need to isolate clients from group 1 from
> reaching the server, but have found no way to do that yet.

If you use two tinc daemons, then for group 1 you can add "DeviceType = dummy" to the server's tinc.conf. That way the server doesn't create a tun/tap interface at all, so it cannot send or receive packets for that group.

> Tried with
>
> sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP
>
> but this only works for blocking ping; it doesn't stop curl or anything
> else.

That command works better with -A instead of -D. It should then drop everything, not just ping packets, unless there is another rule earlier in the INPUT chain that explicitly allows that traffic.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
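As an added illustration of the iptables point above (example code written for this page, not from the thread, tinc, or the list): a small Python model of first-match chain evaluation that replays the FORWARD and INPUT commands quoted in the thread. The pre-existing `-i tun0 -j ACCEPT` rule, the ACCEPT chain policy, and the packet addresses are constructed assumptions standing in for "another rule earlier in the INPUT chain"; real iptables also matches on connection state, ports and much more, which the model leaves out. It shows three things: the FORWARD DROP works because nothing precedes it, `-D` deletes a rule (and fails when none matches) rather than adding one, and a DROP appended with `-A` behind an ACCEPT is never reached, whereas `-I` puts it in front where it takes effect.

```python
"""Model of iptables first-match semantics for the rules discussed in the thread.

Added example: the chains, the earlier ACCEPT rule and the packets are
constructed for illustration, not captured from a real host.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """The subset of iptables match options used in the thread."""
    target: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    iface: Optional[str] = None
    proto: Optional[str] = None

    def matches(self, pkt: Dict[str, str]) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.iface is not None and pkt.get("iface") != self.iface:
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        return True


def _net(spec: Optional[str]) -> Optional[ipaddress.IPv4Network]:
    return ipaddress.ip_network(spec, strict=False) if spec else None


def parse_rule(tokens: List[str]) -> Rule:
    """Parse '-s X -d Y -i IF -p PROTO -j TARGET' (any subset, any order)."""
    opts: Dict[str, Optional[str]] = {"-s": None, "-d": None, "-i": None, "-p": None, "-j": None}
    it = iter(tokens)
    for tok in it:
        if tok not in opts:
            raise ValueError(f"unsupported option {tok}")
        opts[tok] = next(it)
    if opts["-j"] is None:
        raise ValueError("rule has no -j target")
    return Rule(target=opts["-j"], src=_net(opts["-s"]), dst=_net(opts["-d"]),
                iface=opts["-i"], proto=opts["-p"])


def apply(chains: Dict[str, List[Rule]], cmdline: str) -> None:
    """Apply one 'iptables -A|-I|-D CHAIN ...' command to the in-memory chains."""
    tokens = shlex.split(cmdline)
    if tokens[:2] == ["sudo", "iptables"]:
        tokens = tokens[2:]
    elif tokens[:1] == ["iptables"]:
        tokens = tokens[1:]
    op, chain, rest = tokens[0], tokens[1], tokens[2:]
    rules = chains.setdefault(chain, [])
    if op == "-A":            # append: evaluated only after every existing rule
        rules.append(parse_rule(rest))
    elif op == "-I":          # insert at position 1 unless a rule number is given
        pos = 1
        if rest and rest[0].isdigit():
            pos, rest = int(rest[0]), rest[1:]
        rules.insert(pos - 1, parse_rule(rest))
    elif op == "-D":          # delete: removes an identical rule, never adds one
        rule = parse_rule(rest)
        if rule not in rules:
            raise LookupError("Bad rule (does a matching rule exist in that chain?)")
        rules.remove(rule)
    else:
        raise ValueError(f"unsupported operation {op}")


def verdict(chains: Dict[str, List[Rule]], chain: str, pkt: Dict[str, str],
            policy: str = "ACCEPT") -> str:
    """First matching rule wins; the chain policy (assumed ACCEPT) applies otherwise."""
    for rule in chains.get(chain, []):
        if rule.matches(pkt):
            return rule.target
    return policy


def scenario() -> Dict[str, str]:
    """Replay the thread's commands against constructed packets and collect verdicts."""
    chains: Dict[str, List[Rule]] = {}
    apply(chains, "sudo iptables -A FORWARD -s 10.100.0.0/17 -d 10.100.0.0/17 -j DROP")
    apply(chains, "iptables -A INPUT -i tun0 -j ACCEPT")   # assumed pre-existing rule
    g1_to_g1 = {"src": "10.100.5.7", "dst": "10.100.9.9", "iface": "tun0", "proto": "tcp"}
    g1_to_g2 = {"src": "10.100.5.7", "dst": "10.100.200.4", "iface": "tun0", "proto": "tcp"}
    g1_to_srv = {"src": "10.100.5.7", "dst": "10.100.0.1", "iface": "tun0", "proto": "tcp"}
    g2_to_srv = {"src": "10.100.200.4", "dst": "10.100.0.1", "iface": "tun0", "proto": "tcp"}
    out = {"forward_g1_g1": verdict(chains, "FORWARD", g1_to_g1),
           "forward_g1_g2": verdict(chains, "FORWARD", g1_to_g2)}
    try:  # the thread's -D form: there is no such rule yet, so nothing changes
        apply(chains, "sudo iptables -D INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP")
        out["delete"] = "removed"
    except LookupError:
        out["delete"] = "no such rule"
    out["input_after_D"] = verdict(chains, "INPUT", g1_to_srv)
    apply(chains, "sudo iptables -A INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP")
    out["input_after_A"] = verdict(chains, "INPUT", g1_to_srv)   # shadowed by the ACCEPT
    apply(chains, "sudo iptables -I INPUT -s 10.100.0.0/17 -d 10.100.0.1/32 -j DROP")
    out["input_after_I"] = verdict(chains, "INPUT", g1_to_srv)   # now in front: DROP
    out["input_g2_srv"] = verdict(chains, "INPUT", g2_to_srv)    # group 2 unaffected
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:15s} {result}")
```

On a real host, `iptables -S INPUT` (or `iptables -L INPUT -n --line-numbers`) shows the order the model is imitating; if a broad ACCEPT such as an interface or ESTABLISHED,RELATED rule sits above the new DROP, use `-I INPUT` (or `-I INPUT <n>` to land just before that rule) rather than `-A`.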
Thanks, but I was able to make it work based on some suggestion on the Tomato Shibby forums.

Regards
Ramesh

On Sun, Jan 15, 2017 at 9:02 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> I would recommend running two tinc daemons on the server, one for each
> group. That way, you don't have to use TunnelServer and Forwarding
> kernel.