示例：偽裝防火墻上的 tinc
此示例顯示了在偽裝防火墻上運(yùn)行 tinc 的設(shè)置，允許防火墻后面的私有子網(wǎng)訪問 VPN。此示例中包含示例防火墻規(guī)則。它們是為 iptables（Linux 2.4 防火墻代碼）編寫的，但已注釋，以便您可以將相同類型的規(guī)則應(yīng)用于其他防火墻。

示例：偽裝防火墻上的 tinc
概述
運(yùn)行 tinc 的防火墻配置
tinc 的配置
概述
防火墻上的無花果

網(wǎng)絡(luò)設(shè)置如下：

內(nèi)部網(wǎng)絡(luò)是 10.20.30.0/24
防火墻IP外部為123.234.123.1，內(nèi)部為10.20.30.1/24。
主機(jī)想要連接的 VPN 的地址范圍是 10.20.0.0/16。
運(yùn)行 tinc 的防火墻配置
firewall# ifconfig
ppp0      Link encap:Point-to-Point Protocol
          inet addr:123.234.123.1  P-t-P:123.234.120.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          ...

eth0      Link encap:Ethernet  HWaddr 00:20:13:14:15:16
          inet addr:10.20.30.1  Bcast:10.20.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          ...

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3856  Metric:1
          ...

vpn       Link encap:Point-to-Point Protocol
          inet addr:10.20.30.1  P-t-P:10.20.30.1  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          ...

firewall# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
10.20.0.0       *               255.255.0.0     U     0      0        0 vpn
default         123.234.120.1   0.0.0.0         UG    0      0        0 ppp0

firewall# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K ACCEPT     any  --  ppp0   eth0    anywhere             10.20.30.0/24
 1234  123K ACCEPT     any  --  eth0   ppp0    10.20.30.0/24        anywhere
 1234  123K ACCEPT     any  --  vpn    eth0    10.20.0.0/16         10.20.30.0/24
 1234  123K ACCEPT     any  --  eth0   vpn     10.20.30.0/24        10.20.0.0/16

Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
 pkts bytes target     prot opt in     out     source               destination

firewall# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K MASQUERADE all  --  eth0   ppp0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

firewall# cat /etc/init.d/firewall
#!/bin/sh

echo 1 >/proc/sys/net/ipv4/ip_forward

iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i vpn -o eth0 -s 10.20.0.0/16 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o vpn -s 10.20.30.0/24 -d 10.20.0.0/16

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -j MASQUERADE -i eth0 -o ppp0
tinc 的配置
firewall# cat /etc/tinc/vpn/tinc.conf
Name = office
ConnectTo = branch
Interface = vpn

firewall# cat /etc/tinc/vpn/tinc-up
#!/bin/sh

ifconfig $INTERFACE 10.20.30.1 netmask 255.255.0.0

firewall# ls /etc/tinc/vpn/hosts
office  branch  employee_smith  employee_jones  ...

firewall# cat /etc/tinc/vpn/hosts/office
Address = 123.234.123.1
Subnet = 10.20.30.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

firewall# cat /etc/tinc/vpn/hosts/branch
Address = 123.234.213.129
Subnet = 10.20.40.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

firewall# cat /etc/tinc/vpn/hosts/employee_smith
Address = 200.201.202.203
Subnet = 10.20.50.1/32
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----