Hi! I tried tinc, I'm very happy with it; however, I have difficulties firewalling on the VPN itself. Here is my situation and what I'm experiencing:

    hosta ----|
              vpn server
    hostb ----|

My interface is named vpn1.

I can firewall connections starting from host a and b to the vpn server (on the vpn server):
(iptables -A INPUT -i vpn1 bla bla)

I can firewall connections starting from host a to host b (on host a and b).

I can NOT firewall connections starting from host a to host b on the vpn server.

Actually, tcpdump reports the same thing: I can't see the traffic between host a and b, even if technically it's going through the vpn server (I can see the encrypted traffic on eth0 of the vpn server).

It's a problem when you want to restrict access from the vpn server, between 2 VPN hosts.

Any solution? I guess I could create an interface for each host (vpnhosta, vpnhostb...) but this would be a pain to manage.

Thanks
-- xavier
Russell Handorf
2006-May-08 15:31 UTC
firewalling / netfilter / iptables / tcpdump on the vpn
Use the FORWARD rule. If you have the interfaces bridged, you'll need to use the firewalling support for bridging option.

r

xavier wrote:
> Hi! I tried tinc, I'm very happy with it; however, I have difficulties firewalling on the VPN itself. Here is my situation and what I'm experiencing:
>
>     hosta ----|
>               vpn server
>     hostb ----|
>
> My interface is named vpn1.
>
> I can firewall connections starting from host a and b to the vpn server (on the vpn server):
> (iptables -A INPUT -i vpn1 bla bla)
>
> I can firewall connections starting from host a to host b (on host a and b).
>
> I can NOT firewall connections starting from host a to host b on the vpn server.
>
> Actually, tcpdump reports the same thing: I can't see the traffic between host a and b, even if technically it's going through the vpn server (I can see the encrypted traffic on eth0 of the vpn server).
>
> It's a problem when you want to restrict access from the vpn server, between 2 VPN hosts.
>
> Any solution? I guess I could create an interface for each host (vpnhosta, vpnhostb...) but this would be a pain to manage.
>
> Thanks
Guus Sliepen
2006-May-08 16:42 UTC
firewalling / netfilter / iptables / tcpdump on the vpn
On Mon, May 08, 2006 at 09:11:34AM -0400, xavier wrote:
> I tried tinc, I'm very happy with it; however, I have difficulties firewalling on the VPN itself. Here is my situation and what I'm experiencing:
>
>     hosta ----|
>               vpn server
>     hostb ----|
[...]
> I can't see the traffic between host a and b, even if technically it's going through the vpn server (I can see the encrypted traffic on eth0 of the vpn server).
>
> It's a problem when you want to restrict access from the vpn server, between 2 VPN hosts.
>
> Any solution?

You can try to add the following two lines to route_ipv4_unicast() in src/route.c, right above the line "via = ...":

    send_packet(myself, packet);
    return;

You can also do the same in route_ipv6_unicast() if you also use IPv6 on the VPN. If this works without problems for you, I can make an option that enables that behaviour.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.eu.org>
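Russell's FORWARD-chain advice and Guus's route.c change fit together: once the tinc daemon hands transit packets to the kernel instead of forwarding them internally, the server's FORWARD chain (and tcpdump on vpn1) finally sees hosta-to-hostb traffic and can restrict it. The following is an added example, not code from the thread or from tinc; it assumes the interface name vpn1 from the thread, constructed VPN addresses 10.0.0.2 and 10.0.0.3, and that the kernel actually receives the forwarded packets.

```sh
#!/bin/sh
# Added example, not code from the thread or from tinc: FORWARD-chain policy on
# the "vpn server" for traffic between hosta and hostb. Assumes tinc hands transit
# packets to the kernel (Guus's route.c change); with tinc's built-in internal
# forwarding these rules never match, as xavier observed with tcpdump.
set -eu

IPT=${IPT:-iptables}       # set IPT=echo to print the rules instead of applying them
VPN_IF=${VPN_IF:-vpn1}     # tinc interface name from the thread
HOSTA=${HOSTA:-10.0.0.2}   # constructed sample VPN addresses
HOSTB=${HOSTB:-10.0.0.3}

# Kernel forwarding must be enabled, otherwise packets are dropped before FORWARD.
ip_forward_enabled() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Allow hosta -> hostb on one TCP port, let replies through, then log and drop
# every other host-to-host packet that both enters and leaves on the tinc interface.
apply_vpn_forward_rules() {
    port=$1
    "$IPT" -N VPN_FWD 2>/dev/null || "$IPT" -F VPN_FWD
    "$IPT" -A VPN_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A VPN_FWD -s "$HOSTA" -d "$HOSTB" -p tcp --dport "$port" -j ACCEPT
    "$IPT" -A VPN_FWD -j LOG --log-prefix "vpn-fwd-drop: "
    "$IPT" -A VPN_FWD -j DROP
    # Hook the chain only for transit traffic: in and out on the VPN interface.
    "$IPT" -I FORWARD -i "$VPN_IF" -o "$VPN_IF" -j VPN_FWD
}

# Usage: sh vpn-fwd.sh apply 22   (or IPT=echo sh vpn-fwd.sh apply 22 to dry-run)
if [ "${1:-}" = apply ]; then
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0; FORWARD will not see packets" >&2
    apply_vpn_forward_rules "${2:-22}"
fi
```

Rules are built in a dedicated chain so they can be flushed and re-applied without touching the rest of the FORWARD policy; the LOG line makes the dropped transit traffic visible in the kernel log, which is the check xavier was missing.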