Reil
2005-Nov-28 17:30 UTC
Question concerning iptables and the example at tinc's homepage
Hi all, hi Guus,

In July 2004 I received an e-mail from you concerning the way a packet takes across a (tinc) VPN:

> They are forwarded from eth0 to tap0, but the kernel doesn't know that
> tinc is forwarding them from tap0 to ippp0. So, the UDP and TCP
> packets that tinc sends will be seen by the OUTPUT chain instead of
> the FORWARD chain. At the other end, the received UDP and TCP packets
> will be seen by the INPUT chain. When tinc sends the packets to tap0,
> they will be forwarded to eth0 and then you should use the FORWARD
> chain again.

Now I'm confused because looking at http://www.tinc-vpn.org/examples/on-firewall the example for the iptables rules looks like this:

--- schnipp ---
...
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16
...
--- schnapp ---

I don't understand the first two ACCEPT rules. They allow all traffic from outside to inside and vice versa. Shouldn't there be INPUT / OUTPUT rules ACCEPTing only TCP / UDP on port 655 instead of these two FORWARD rules?

Any hint would be appreciated...

Greetings,
Alexander Reil

--
Gemeinde Berg
Mr Reil
Telephone: 08151/508-41
Fax: 08151/508-88
E-mail: reil@gemeinde-berg.de
Guus Sliepen
2005-Nov-29 16:25 UTC
Question concerning iptables and the example at tinc's homepage
On Mon, Nov 28, 2005 at 05:21:27PM +0100, Reil wrote:

> In July 2004 I received an e-mail from you concerning the way a
> packet takes across a (tinc) VPN:
>
> > They are forwarded from eth0 to tap0, but the kernel doesn't know that
> > tinc is forwarding them from tap0 to ippp0. So, the UDP and TCP
> > packets that tinc sends will be seen by the OUTPUT chain instead of
> > the FORWARD chain. At the other end, the received UDP and TCP packets
> > will be seen by the INPUT chain. When tinc sends the packets to tap0,
> > they will be forwarded to eth0 and then you should use the FORWARD
> > chain again.
>
> Now I'm confused because looking at
> http://www.tinc-vpn.org/examples/on-firewall
> the example for the iptables rules looks like this:
>
> --- schnipp ---
> ...
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
> iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
> iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
> iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16
> ...
> --- schnapp ---
>
> I don't understand the first two ACCEPT rules. They allow all
> traffic from outside to inside and vice versa. Shouldn't there be
> INPUT / OUTPUT rules ACCEPTing only TCP / UDP on port 655 instead of
> these two FORWARD rules?

It has been a long time since I made that example, but IIRC, the first two ACCEPT rules are necessary if you are masquerading traffic from the local network to the Internet. If you are not masquerading, then you are right, those two FORWARD rules should not be there. And you will always need to allow TCP/UDP on port 655 to/from the Internet.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.eu.org>
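To make the chain-selection point in the thread concrete, here is an added example (not code from the tinc example page, from Guus, or from Reil): a small stateless model of the netfilter chains on the tinc firewall host, loaded with the FORWARD rules quoted above plus INPUT/OUTPUT rules accepting TCP/UDP port 655, which Guus says are always needed. The interface names (ppp0, eth0, vpn) and the 10.20.x.x subnets are the page's; the public addresses, the DROP policy on INPUT and OUTPUT, the `masquerading` switch, and the helper names (`Packet`, `Rule`, `trace`, `example_ruleset`) are assumptions made for this illustration. Locally generated packets (tinc's own UDP/TCP 655 traffic) go through OUTPUT, locally delivered ones through INPUT, and only routed packets (the decrypted VPN payload between `vpn` and `eth0`, or LAN-to-Internet traffic) through FORWARD. The model ignores connection tracking, so return traffic for the TCP meta-connection is not covered.

```python
# Added example; not from the tinc page or the thread.  Assumptions: public
# addresses 198.51.100.1 (this host on ppp0) and 203.0.113.9 (remote tinc
# node), DROP policy on all three chains, no connection tracking.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def in_net(addr: str, cidr: str) -> bool:
    """True if addr lies inside the CIDR block (iptables -s / -d semantics)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    in_iface: Optional[str] = None    # None: generated on this host (e.g. by tinc)
    out_iface: Optional[str] = None   # None: delivered to this host (e.g. to tinc)


@dataclass
class Rule:
    chain: str
    target: str
    in_iface: Optional[str] = None    # -i
    out_iface: Optional[str] = None   # -o
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport
    src: Optional[str] = None         # -s CIDR
    dst: Optional[str] = None         # -d CIDR

    def matches(self, pkt: Packet) -> bool:
        """All specified matches must hold, as iptables ANDs its matches."""
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if self.out_iface is not None and self.out_iface != pkt.out_iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and not in_net(pkt.src, self.src):
            return False
        if self.dst is not None and not in_net(pkt.dst, self.dst):
            return False
        return True

    def to_iptables(self) -> str:
        """Render the rule in the same form as the example on the tinc page."""
        parts = ["iptables", "-A", self.chain, "-j", self.target]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.out_iface:
            parts += ["-o", self.out_iface]
        if self.proto:
            parts += ["-p", self.proto, "--dport", str(self.dport)]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        return " ".join(parts)


POLICIES: Dict[str, str] = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}


def example_ruleset(masquerading: bool = True) -> List[Rule]:
    """The page's FORWARD rules plus port-655 INPUT/OUTPUT rules for tinc itself.
    The first two FORWARD rules are only included when masquerading LAN traffic,
    which is the distinction Guus draws in his reply."""
    rules = [
        Rule("INPUT", "ACCEPT", in_iface="ppp0", proto="tcp", dport=655),
        Rule("INPUT", "ACCEPT", in_iface="ppp0", proto="udp", dport=655),
        Rule("OUTPUT", "ACCEPT", out_iface="ppp0", proto="tcp", dport=655),
        Rule("OUTPUT", "ACCEPT", out_iface="ppp0", proto="udp", dport=655),
    ]
    if masquerading:
        rules += [
            Rule("FORWARD", "ACCEPT", in_iface="ppp0", out_iface="eth0", dst="10.20.30.0/24"),
            Rule("FORWARD", "ACCEPT", in_iface="eth0", out_iface="ppp0", src="10.20.30.0/24"),
        ]
    rules += [
        Rule("FORWARD", "ACCEPT", in_iface="vpn", out_iface="eth0",
             src="10.20.0.0/16", dst="10.20.30.0/24"),
        Rule("FORWARD", "ACCEPT", in_iface="eth0", out_iface="vpn",
             src="10.20.30.0/24", dst="10.20.0.0/16"),
    ]
    return rules


def chain_for(pkt: Packet) -> str:
    """Locally generated -> OUTPUT, locally delivered -> INPUT, routed -> FORWARD.
    This is why tinc's own UDP/TCP 655 packets never reach the FORWARD chain."""
    if pkt.in_iface is None:
        return "OUTPUT"
    if pkt.out_iface is None:
        return "INPUT"
    return "FORWARD"


def trace(pkt: Packet, rules: List[Rule],
          policies: Dict[str, str] = POLICIES) -> Tuple[str, str]:
    """First matching rule in the packet's chain wins; otherwise the chain policy."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return chain, rule.target
    return chain, policies[chain]


if __name__ == "__main__":
    for masq in (True, False):
        rules = example_ruleset(masquerading=masq)
        print(f"--- masquerading={masq} ---")
        for r in rules:
            print(r.to_iptables())
        # Constructed sample packets: tinc's tunnel traffic, VPN payload, LAN-to-Internet.
        for pkt in (Packet("198.51.100.1", "203.0.113.9", "udp", 655, None, "ppp0"),
                    Packet("203.0.113.9", "198.51.100.1", "udp", 655, "ppp0", None),
                    Packet("10.20.40.2", "10.20.30.7", "tcp", 22, "vpn", "eth0"),
                    Packet("10.20.30.5", "203.0.113.80", "tcp", 80, "eth0", "ppp0")):
            print(pkt, "->", trace(pkt, rules))
```

Running the script prints the rendered ruleset and the chain/verdict for each sample packet, once with and once without the two masquerading rules; the LAN-to-Internet packet is the only one whose verdict changes.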