Can anyone tell me what the absolute minimally permissive ipchains rule would be to allow tinc to operate correctly between two hosts. If we were to presume each tinc host had a default-deny policy, what ipchains command(s) would allow tinc to do its thing?

I've scanned the docs on the tinc site and not found the answer - sorry if I'm blind or dumb.

Thanks,
Patrick

-
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://ftp.nl.linux.org/pub/linux/tinc/
stnick wrote:
> Can anyone tell me what the absolute minimally permissive ipchains rule
> would be to allow tinc to operate correctly between two hosts. If we
> were to presume each tinc host had a default-deny policy, what ipchains
> command(s) would allow tinc to do its thing?

If you are not doing any NAT, this should be enough:

    ipchains -A input -j ACCEPT -d <yourip> 665 -p udp
    ipchains -A output -j ACCEPT -d <theirip> 665 -p udp
    ipchains -A input -j ACCEPT -d <yourip> 665 -b -p tcp
    ipchains -A output -j ACCEPT -d <theirip> 665 -b -p tcp

Repeat any rules with <theirip> for each host <yourip> needs to be able to have a connection with.

Note that these rules are fairly permissive also, you could only allow incoming access to known hosts.

Ivo

--
Floating point exception
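The "known hosts only" tightening Ivo mentions, written out as an added example (not code from the thread or from the tinc project): a script that prints a default-deny ipchains ruleset in which every accept rule is pinned to both endpoints, with the reply half of each TCP and UDP flow listed explicitly because ipchains is stateless. It assumes tincd listens on and sends from the same port on every host; the port value 665 is taken from the thread, and the addresses are constructed documentation addresses.

```shell
#!/bin/sh
# Added example: emit stateless ipchains rules that let tincd on $me talk
# only to a fixed list of peers. Not code from the thread or from tinc itself.
# Assumption: tincd listens on, and sends from, the same TCP/UDP port on every
# host; 665 is the value quoted in the thread, so check the "Port" in tinc.conf.
TINC_PORT="${TINC_PORT:-665}"

# Default-deny baseline for the three built-in chains, as the question presumes.
tinc_default_deny() {
    cat <<EOF
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
EOF
}

# Rules for one peer. ipchains keeps no connection state, so each packet
# direction tinc needs is listed explicitly, including replies:
#   * meta connection: TCP to port $TINC_PORT, which either side may open
#   * data packets: UDP from port $TINC_PORT to port $TINC_PORT
# Pinning both -s and -d to the peer is the "known hosts only" tightening.
tinc_peer_rules() {
    me="$1"; peer="$2"; p="$TINC_PORT"
    cat <<EOF
ipchains -A input -p tcp -s $peer -d $me $p -j ACCEPT
ipchains -A output -p tcp -s $me $p -d $peer -j ACCEPT
ipchains -A output -p tcp -s $me -d $peer $p -j ACCEPT
ipchains -A input -p tcp -s $peer $p -d $me -j ACCEPT
ipchains -A input -p udp -s $peer $p -d $me $p -j ACCEPT
ipchains -A output -p udp -s $me $p -d $peer $p -j ACCEPT
EOF
}

# Usage: tinc_ruleset <my-ip> <peer-ip>...  (prints the commands; pipe to sh to apply)
tinc_ruleset() {
    me="$1"; shift
    tinc_default_deny
    for peer in "$@"; do
        tinc_peer_rules "$me" "$peer"
    done
}

# Constructed sample: one host with two known peers (documentation addresses).
tinc_ruleset 192.0.2.10 198.51.100.20 203.0.113.30
```

Review the printed commands before applying them; the UDP rules also show why masquerading breaks this picture, since the peer's source address and port are no longer the ones pinned here.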
Ivo Timmermans wrote:
> stnick wrote:
> > Can anyone tell me what the absolute minimally permissive ipchains rule
> > would be to allow tinc to operate correctly between two hosts. If we
> > were to presume each tinc host had a default-deny policy, what ipchains
> > command(s) would allow tinc to do its thing?
>
> If you are not doing any NAT, this should be enough:
>
>     ipchains -A input -j ACCEPT -d <yourip> 665 -p udp
>     ipchains -A output -j ACCEPT -d <theirip> 665 -p udp
>     ipchains -A input -j ACCEPT -d <yourip> 665 -b -p tcp
>     ipchains -A output -j ACCEPT -d <theirip> 665 -b -p tcp
>
> Repeat any rules with <theirip> for each host <yourip> needs to be
> able to have a connection with.
>
> Note that these rules are fairly permissive also, you could only allow
> incoming access to known hosts.

What if the hosts *are* doing NAT?

-Patrick
On Thu, Apr 05, 2001 at 04:02:13AM -0700, stnick wrote:
> > Note that these rules are fairly permissive also, you could only allow
> > incoming access to known hosts.
>
> What if the hosts *are* doing NAT?

What kind of NAT? Masquerading? In that case I think you would have to set up port forwarding.

-------------------------------------------
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.warande.net>
-------------------------------------------
See also:
http://tinc.nl.linux.org/
http://www.kernelbench.org/
-------------------------------------------