示例：偽裝防火墻后面的 tinc
當在偽裝防火墻后面（而不是在防火墻本身上）運行 tinc 時，必須小心配置防火墻，以便允許 tinc 流量通過而不改變源端口和目標端口。此示例中包含示例防火墻規則。它們是為 iptables（Linux 2.4 防火墻代碼）編寫的，但已注釋，以便您可以將相同類型的規則應用于其他防火墻。

示例：偽裝防火墻后面的 tinc
概述
運行 tinc 的主機的配置
tinc 的配置
防火墻配置
概述

網絡設置如下：

內部網絡是 10.20.30.0/24
防火墻IP外部為123.234.123.1，內部為10.20.30.1/24。
運行 tinc 的主機有 IP 10.20.30.42
主機想要連接的 VPN 的地址范圍為 192.168.0.0/16
主機有自己的 VPN IP 192.168.10.20
運行 tinc 的主機的配置
host# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:20:30:40:50:60
          inet addr:10.20.30.42  Bcast:10.20.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          ...

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3856  Metric:1
          ...

vpn       Link encap:Point-to-Point Protocol
          inet addr:192.168.10.20  P-t-P:192.168.10.20  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          ...

host# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.0.0     U     0      0        0 vpn
default         10.20.30.1      0.0.0.0         UG    0      0        0 eth0

host# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
 pkts bytes target     prot opt in     out     source               destination

host# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
tinc 的配置
host# cat /etc/tinc/vpn/tinc.conf
Name = atwork
ConnectTo = home

host# cat /etc/tinc/vpn/tinc-up
#!/bin/sh

ifconfig $INTERFACE 192.168.10.20 netmask 255.255.0.0

host# ls /etc/tinc/vpn/hosts
atwork  home

host# cat /etc/tinc/vpn/hosts/atwork
Address = 123.234.123.1
Subnet = 192.168.10.20/32
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

host# cat /etc/tinc/vpn/hosts/home
Address = 200.201.202.203
Subnet = 192.168.1.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
防火墻配置
firewall# ifconfig
ppp0      Link encap:Point-to-Point Protocol
          inet addr:123.234.123.1  P-t-P:123.234.120.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          ...

eth0      Link encap:Ethernet  HWaddr 00:20:13:14:15:16
          inet addr:10.20.30.1  Bcast:10.20.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          ...

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3856  Metric:1
          ...

firewall# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.30.0      *               255.255.255.0   U     0      0        0 eth0
default         123.234.120.1   0.0.0.0         UG    0      0        0 ppp0

firewall# iptables -L -v
Chain INPUT (policy ACCEPT 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 1234 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K ACCEPT     any  --  ppp0   eth0    anywhere             10.20.30.0/24
 1234  123K ACCEPT     any  --  eth0   ppp0    10.20.30.0/24        anywhere

Chain OUTPUT (policy ACCEPT 2161K packets, 364M bytes)
 pkts bytes target     prot opt in     out     source               destination

firewall# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K DNAT       tcp  --  ppp0   any     anywhere             anywhere           tcp dpt:655 to:10.20.30.42:655
 1234  123K DNAT       udp  --  ppp0   any     anywhere             anywhere           udp dpt:655 to:10.20.30.42:655

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  123K MASQUERADE all  --  eth0   ppp0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

firewall# cat /etc/init.d/firewall
#!/bin/sh

echo 1 >/proc/sys/net/ipv4/ip_forward

iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 10.20.30.0/24
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -s 10.20.30.0/24

iptables -t nat -F POSTROUTING
# Next rule prevents masquerading from altering source port of outbound tinc packets
iptables -t nat -A POSTROUTING -p udp -m udp --sport 655 -j MASQUERADE -o ppp0 --to-ports 655
iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0

iptables -t nat -F PREROUTING
# Next two rules forward incoming tinc packets to the host behind the firewall running tinc
iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 655 --to 10.20.30.42:655
iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 655 --to 10.20.30.42:655