tinc 位于伪装的防火墙后面
示例:伪装防火墙后面的 tinc
当在伪装防火墙后面(而不是在防火墙本身上)运行 tinc 时,必须小心配置防火墙,以便允许 tinc 流量通过而不改变源端口和目标端口。此示例中包含示例防火墙规则。它们是为 iptables(Linux 2.4 防火墙代码)编写的,但已注释,以便您可以将相同类型的规则应用于其他防火墙。
示例:伪装防火墙后面的 tinc
概述
运行 tinc 的主机的配置
tinc 的配置
防火墙配置
概述
网络设置如下:
内部网络是 10.20.30.0/24
防火墙IP外部为123.234.123.1,内部为10.20.30.1/24。
运行 tinc 的主机有 IP 10.20.30.42
主机想要连接的 VPN 的地址范围为 192.168.0.0/16
主机有自己的 VPN IP 192.168.10.20
运行 tinc 的主机的配置
host# ifconfig
eth0 Link encap:Ethernet HWaddr 00:20:30:40:50:60
inet addr:10.20.30.42 Bcast:10.20.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MTU:1500 Metric:1
...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3856 Metric:1
...
vpn Link encap:Point-to-Point Protocol
inet addr:192.168.10.20 P-t-P:192.168.10.20 Mask:255.255.0.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
...
host# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.0.0 U 0 0 0 vpn
default 10.20.30.1 0.0.0.0 UG 0 0 0 eth0
host# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
pkts bytes target prot opt in out source destination
host# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
tinc 的配置
host# cat /etc/tinc/vpn/tinc.conf
Name = atwork
ConnectTo = home
host# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0
host# ls /etc/tinc/vpn/hosts
atwork home
host# cat /etc/tinc/vpn/hosts/atwork
Address = 123.234.123.1
Subnet = 192.168.10.20/32
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
host# cat /etc/tinc/vpn/hosts/home
Address = 200.201.202.203
Subnet = 192.168.1.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
防火墙配置
firewall# ifconfig
ppp0 Link encap:Point-to-Point Protocol
inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
...
eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MTU:1500 Metric:1
...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3856 Metric:1
...
firewall# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
firewall# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 1234 packets, 123K bytes)
pkts bytes target prot opt in out source destination
1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24
1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
pkts bytes target prot opt in out source destination
firewall# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1234 123K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:655 to:10.20.30.42:655
1234 123K DNAT udp -- ppp0 any anywhere anywhere udp dpt:655 to:10.20.30.42:655
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
firewall# cat /etc/init.d/firewall
#!/bin/sh
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
iptables -t nat -F POSTROUTING
# Next rule prevents masquerading from altering source port of outbound tinc packets
iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655
iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
iptables -t nat -F PREROUTING
# Next two rules forward incoming tinc packets to the host behind the firewall running tinc
iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655
iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655
上一篇: 伪装防火墙上的 tinc
下一篇: 设置由 tinc 管理的 IPv6 网络