伪装防火墙上的 tinc
示例:伪装防火墙上的 tinc
此示例显示了在伪装防火墙上运行 tinc 的设置,允许防火墙后面的私有子网访问 VPN。此示例中包含示例防火墙规则。它们是为 iptables(Linux 2.4 防火墙代码)编写的,但已注释,以便您可以将相同类型的规则应用于其他防火墙。
示例:伪装防火墙上的 tinc
概述
运行 tinc 的防火墙配置
tinc 的配置
概述
防火墙上的无花果
网络设置如下:
内部网络是 10.20.30.0/24
防火墙IP外部为123.234.123.1,内部为10.20.30.1/24。
主机想要连接的 VPN 的地址范围是 10.20.0.0/16。
运行 tinc 的防火墙配置
firewall# ifconfig
ppp0 Link encap:Point-to-Point Protocol
inet addr:123.234.123.1 P-t-P:123.234.120.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
...
eth0 Link encap:Ethernet HWaddr 00:20:13:14:15:16
inet addr:10.20.30.1 Bcast:10.20.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MTU:1500 Metric:1
...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3856 Metric:1
...
vpn Link encap:Point-to-Point Protocol
inet addr:10.20.30.1 P-t-P:10.20.30.1 Mask:255.255.0.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
...
firewall# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.20.30.0 * 255.255.255.0 U 0 0 0 eth0
10.20.0.0 * 255.255.0.0 U 0 0 0 vpn
default 123.234.120.1 0.0.0.0 UG 0 0 0 ppp0
firewall# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 1234 packets, 123K bytes)
pkts bytes target prot opt in out source destination
1234 123K ACCEPT any -- ppp0 eth0 anywhere 10.20.30.0/24
1234 123K ACCEPT any -- eth0 ppp0 10.20.30.0/24 anywhere
1234 123K ACCEPT any -- vpn eth0 10.20.0.0/16 10.20.30.0/24
1234 123K ACCEPT any -- eth0 vpn 10.20.30.0/24 10.20.0.0/16
Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
pkts bytes target prot opt in out source destination
firewall# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1234 123K MASQUERADE all -- eth0 ppp0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
firewall# cat /etc/init.d/firewall
#!/bin/sh
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -j MASQUERADE -i eth0 -o ppp0
tinc 的配置
firewall# cat /etc/tinc/vpn/tinc.conf
Name = office
ConnectTo = branch
Interface = vpn
firewall# cat /etc/tinc/vpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.20.30.1 netmask 255.255.0.0
firewall# ls /etc/tinc/vpn/hosts
office branch employee_smith employee_jones ...
firewall# cat /etc/tinc/vpn/hosts/office
Address = 123.234.123.1
Subnet = 10.20.30.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
firewall# cat /etc/tinc/vpn/hosts/branch
Address = 123.234.213.129
Subnet = 10.20.40.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
firewall# cat /etc/tinc/vpn/hosts/employee_smith
Address = 200.201.202.203
Subnet = 10.20.50.1/32
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
上一篇: 代理 ARP 作为桥接的替代方案
下一篇: tinc 位于伪装的防火墙后面