OK, looks like iptables it is then. I found that the tinc-up script is a convenient place to put this, and with newer iptables's `--check` feature, we can ensure that the rule isn't added more than once when tinc is restarted.
So I'm currently using in there something like:

iptables --check INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT || iptables --append INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables --check INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT || ip6tables --append INPUT -i tun0benacovpn -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables --check INPUT -i tun0benacovpn -j REJECT --reject-with icmp-port-unreachable || iptables --append INPUT -i tun0benacovpn -j REJECT --reject-with icmp-port-unreachable
ip6tables --check INPUT -i tun0benacovpn -j REJECT --reject-with icmp6-port-unreachable || ip6tables --append INPUT -i tun0benacovpn -j REJECT --reject-with icmp6-port-unreachable

Thanks for your hints!

On 27/01/17 17:33, Guus Sliepen wrote:
> Otherwise, the best option is to add firewall rules that disallow any
> new incoming connections from the VPN interface, but still allow
> outgoing connections. Example commands to do this:
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i <VPN interface> -j DROP
>
> Don't forget about IPv6, where you have to add similar rules.

_______________________________________________
tinc mailing list
[email protected]
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
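The `--check || --append` pattern above, written out as a reusable tinc-up/tinc-down script. This is an added example, not code from the list post or from the tinc project: it factors the four one-liners into one helper so a tinc restart never duplicates rules, adds the matching tinc-down cleanup, and covers both IPv4 and IPv6 with the per-family ICMP reject type. It assumes iptables/ip6tables support `--check`, that tinc exports `$INTERFACE` to the script (as it does for tinc-up and tinc-down), and it uses `-m conntrack --ctstate` in place of the older `-m state --state` match; the interface name `tun0benacovpn` is taken from the post, and the usual `ip link`/`ip addr` lines that also belong in tinc-up are left out.

```shell
#!/bin/sh
# Added example (not from the tinc project or the list post): idempotent
# per-interface INPUT rules for a tinc VPN. Rules are appended only if
# `--check` says they are missing, so restarting tinc never duplicates them;
# installed as tinc-down, the same definitions remove the rules again.
# Assumptions: iptables/ip6tables with --check support, and $INTERFACE set
# by tinc when it runs tinc-up / tinc-down.

IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"

# ensure_rule BIN CHAIN RULE...: append RULE to CHAIN unless it already exists.
# --check prints an error when the rule is absent, so its stderr is silenced.
ensure_rule() {
    bin=$1; shift
    "$bin" --check "$@" 2>/dev/null || "$bin" --append "$@"
}

# remove_rule BIN CHAIN RULE...: delete every copy of RULE (older scripts
# without --check may have left duplicates behind).
remove_rule() {
    bin=$1; shift
    while "$bin" --check "$@" 2>/dev/null; do
        "$bin" --delete "$@"
    done
}

# vpn_rules OP BIN IFACE REJECT_TYPE: apply OP (ensure_rule or remove_rule)
# to the rule set for one address family. On first install the ACCEPT for
# replies to our own outgoing connections must precede the catch-all REJECT,
# which is why the order here is fixed.
vpn_rules() {
    op=$1; bin=$2; dev=$3; reject=$4
    "$op" "$bin" INPUT -i "$dev" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    "$op" "$bin" INPUT -i "$dev" -j REJECT --reject-with "$reject"
}

# vpn_up IFACE / vpn_down IFACE: both families, with the family-specific
# ICMP reject type (icmp-port-unreachable vs icmp6-port-unreachable).
vpn_up() {
    vpn_rules ensure_rule "$IPT"  "$1" icmp-port-unreachable
    vpn_rules ensure_rule "$IP6T" "$1" icmp6-port-unreachable
}

vpn_down() {
    vpn_rules remove_rule "$IPT"  "$1" icmp-port-unreachable
    vpn_rules remove_rule "$IP6T" "$1" icmp6-port-unreachable
}

# Act only when invoked by tinc under one of its script names; sourcing the
# file elsewhere just defines the functions.
case "${0##*/}" in
    tinc-up)   vpn_up   "${INTERFACE:-tun0benacovpn}" ;;
    tinc-down) vpn_down "${INTERFACE:-tun0benacovpn}" ;;
esac
```

Install it as /etc/tinc/<net>/tinc-up and symlink or copy it to tinc-down. One caveat that `--check` does not solve: it only tests whether an identical rule exists, not where it sits. If the ACCEPT rule is ever removed while the REJECT rule stays, a later run will append the ACCEPT after the REJECT and replies to outgoing connections will be rejected; when changing the rule set, run tinc-down (or delete the old rules by hand) before restarting so the order is rebuilt from scratch. `iptables -L INPUT -v -n --line-numbers` shows the resulting order and hit counters.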
