Hi

I have a simple hub and spoke topology where all my nodes connect to a central node. Below is tinc.conf for the main node:

*tinc.conf*
Name = main
Interface = tun0
Forwarding = kernel

and the remote nodes have the same with ConnectTo = main.

I have tried to apply a basic iptables policy on the main node but the traffic still seems to pass through and the nodes can communicate with each other. How do I apply policy between the two remote nodes on the main hub node? I would like in future to only allow selected ports between the nodes, but for now I want iptables to manage policy between nodes.

*Main node IPTABLES rules*

iptables -A FORWARD -s <site1-ip> -d <site2-ip> -j DROP
iptables -A FORWARD -s <site2-ip> -d <site1-ip> -j DROP
default DENY

Regards
Yazeed
<yazeedfataar at hotmail.com>
Hi Yazeed,

You have to add this to tinc.conf:

TunnelServer = yes

Otherwise tinc will manage packet routing internally. Then you can manage forwarding rules using IPTABLES as usual.

Hope it helps.

--
*Ing. Guillermo Bisheimer*
*B&S Sistemas de Control y Equipamientos*
Av. de los Constituyentes 1172
(E3116CIX) Crespo, Entre Ríos
Tel/Fax: (0343) 407-8990 (new number)
Cel: (0343) 154679052
WEB: www.bys-control.com.ar
e-mail: gbisheimer at bys-control.com.ar
skype: guillermo.bisheimer

_______________________________________________
tinc mailing list
tinc at tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
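As an added illustration (not from the thread or the tinc project) of what the hub's ruleset could look like once the reply above is applied, the script below assumes the hub's tinc.conf carries TunnelServer = yes together with Forwarding = kernel, so that spoke-to-spoke packets traverse the hub's kernel FORWARD chain; the subnets, port lists and interface name are placeholders, and it prints the iptables commands rather than running them so the ruleset can be reviewed first.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed hub tinc.conf:
#   Name = main
#   Interface = tun0
#   Forwarding = kernel
#   TunnelServer = yes
# Subnets, ports and the interface name below are constructed placeholders.
TINC_IF=tun0
SITE1=10.0.1.0/24              # placeholder: site 1 subnet
SITE2=10.0.2.0/24              # placeholder: site 2 subnet
SITE1_TO_SITE2_PORTS="22 443"  # placeholder: TCP ports site 1 may open to site 2
SITE2_TO_SITE1_PORTS="443"     # placeholder: TCP ports site 2 may open to site 1

# Emit one ACCEPT per TCP port for new connections from $1 to $2 across the
# tinc interface. Anything not listed falls through to the DROP policy.
allow_ports() {
    src=$1; dst=$2; ports=$3
    for p in $ports; do
        echo "iptables -A FORWARD -i $TINC_IF -o $TINC_IF -s $src -d $dst -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Print the full hub ruleset; review it, then apply with:  hub_ruleset | sh
hub_ruleset() {
    echo "sysctl -w net.ipv4.ip_forward=1"   # kernel forwarding must be enabled
    echo "iptables -P FORWARD DROP"          # the 'default DENY' from the question
    echo "iptables -F FORWARD"
    # Replies to allowed connections return without needing a per-port rule.
    echo "iptables -A FORWARD -i $TINC_IF -o $TINC_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    allow_ports "$SITE1" "$SITE2" "$SITE1_TO_SITE2_PORTS"
    allow_ports "$SITE2" "$SITE1" "$SITE2_TO_SITE1_PORTS"
    # Rate-limited log of what the policy is about to drop, so blocked
    # spoke-to-spoke attempts are visible in the hub's kernel log.
    echo "iptables -A FORWARD -i $TINC_IF -o $TINC_IF -m limit --limit 5/min -j LOG --log-prefix \"tinc-fwd-drop: \""
}
```

Matching on both -i and -o tun0 confines these rules to traffic tinc handed to the kernel, leaving forwarding on the hub's other interfaces to the same DROP policy.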
Thank you Guillermo. I will give it a go and revert back with my results.

Regards
Yazeed Fataar
<yazeedfataar at hotmail.com>

On Mon, Feb 13, 2017 at 2:26 PM, Guillermo Bisheimer <gbisheimer at bys-control.com.ar> wrote:
> Hi Yazeed,
>
> You have to add this to tinc.conf
>
> TunnelServer = yes
>
> Otherwise tinc will manage package routing internally. Then you can manage
> forwarding rules using IPTABLES as usual.
>
> Hope it helps.