417 lines
7.0 KiB
HTML
417 lines
7.0 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Networking</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
|
|
"><LINK
|
|
REL="HOME"
|
|
TITLE="VPN HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Server"
|
|
HREF="c224.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Restricting Users"
|
|
HREF="x256.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Client"
|
|
HREF="client.html"></HEAD
|
|
><BODY
|
|
CLASS="sect1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>VPN HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="x256.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 3. Server</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="client.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="AEN265">3.4. Networking</H1
|
|
><P
|
|
> Now that your users have access to the system, we need to make sure that
|
|
they have access to the network. We do that by using the Linux kernel's
|
|
firewalling rules and routing tables. Using the <B
|
|
CLASS="command"
|
|
>route</B
|
|
> and
|
|
<B
|
|
CLASS="command"
|
|
>ipfwadm</B
|
|
> commands, we can set up the kernel to handle network
|
|
traffic in the appropriate ways. For more info on <B
|
|
CLASS="command"
|
|
>ipfwadm</B
|
|
>,
|
|
<B
|
|
CLASS="command"
|
|
>ipchains</B
|
|
> and <B
|
|
CLASS="command"
|
|
>route</B
|
|
> see the
|
|
<A
|
|
HREF="http://www.tldp.org/HOWTO/Linux-Networking-HOWTO.html"
|
|
TARGET="_top"
|
|
>Linux Networking HOWTO</A
|
|
>.</P
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN274">3.4.1. The Kernel</H2
|
|
><P
|
|
> In order for any of this to work, you must have your kernel configured
|
|
correctly. If you don't know how to build your own kernel, then you
|
|
should read the <A
|
|
HREF="http://www.tldp.org/HOWTO/Kernel-HOWTO.html"
|
|
TARGET="_top"
|
|
> Kernel HOWTO</A
|
|
>. You'll need to make sure that the following kernel options
|
|
are turned on in addition to basic networking. I use a 2.0.38 kernel
|
|
in my system.
|
|
</P
|
|
><P
|
|
> For 2.0 kernels:
|
|
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> CONFIG_FIREWALL
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_IP_FORWARD
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_IP_FIREWALL
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_IP_ROUTER
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_IP_MASQUERADE (optional)
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_IP_MASQUERADE_ICMP (optional)
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_PPP
|
|
</P
|
|
></LI
|
|
></UL
|
|
>
|
|
</P
|
|
><P
|
|
> For 2.2 kernels:
|
|
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> CONFIG_FIREWALL
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_IP_ADVANCED_ROUTER
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_IP_FIREWALL
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_IP_ROUTER
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_IP_MASQUERADE (optional)
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_IP_MASQUERADE_ICMP (optional)
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> CONFIG_PPP
|
|
</P
|
|
></LI
|
|
></UL
|
|
>
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN310">3.4.2. Filter Rules</H2
|
|
><P
|
|
> First, we write firewall filter rules that allow our users to access our
|
|
internal nets, while restricting them from accessing the outside
|
|
internet. This sounds strange, but since the users
|
|
already have access to the internet, why let them use the tunnel to
|
|
access the net? It wastes both bandwidth and processor resources.
|
|
</P
|
|
><P
|
|
> The filter rules that we use depend upon which internal nets we use,
|
|
but translate to: "Allow traffic coming from our VPNs that is
|
|
destined for our internal nets to go there." So how do we do that?
|
|
As always, it depends. If you are running a 2.0 kernel, you use the
|
|
tool called <B
|
|
CLASS="command"
|
|
>ipfwadm</B
|
|
>, but if you are using a
|
|
2.2 kernel, you use the utility called <B
|
|
CLASS="command"
|
|
>ipchains</B
|
|
>.
|
|
</P
|
|
><P
|
|
> To set the rules with <B
|
|
CLASS="command"
|
|
>ipfwadm</B
|
|
>, run it with options similar to
|
|
the following:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> # /sbin/ipfwadm -F -f
|
|
# /sbin/ipfwadm -F -p deny
|
|
# /sbin/ipfwadm -F -a accept -S 192.168.13.0/24 -D 172.16.0.0/12
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> To set the rules with <B
|
|
CLASS="command"
|
|
>ipchains</B
|
|
>, run it with options similar to
|
|
the following:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> # /sbin/ipchains -F forward
|
|
# /sbin/ipchains -P forward DENY
|
|
# /sbin/ipchains -A forward -j ACCEPT -s 192.168.13.0/24 -d 172.16.0.0/12
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> For those using 2.2 kernels, please read <A
|
|
HREF="pitfalls.html#ipv4forwarding"
|
|
>Section 6.1.3</A
|
|
>.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN324">3.4.3. Routing</H2
|
|
><P
|
|
> Now that users are allowed to access our nets, we need to tell
|
|
the kernel where to send the packets. On my system, I have two ethernet
|
|
cards, one is on the external network, while the other is on the
|
|
internal network. This helps keep things secure, as outbound traffic is
|
|
masqueraded by the gateway, and any incoming traffic is filtered and
|
|
routed by the Cisco Router. For most setups, the routing should be simple.
|
|
</P
|
|
><P
|
|
> Next, route all traffic destined for the private networks out the
|
|
internal interface, and all other traffic out the external interface. The
|
|
specific routing commands depend on which internal nets you are using.
|
|
Below is an example of what they might look like. These lines are of course
|
|
in addition to your basic routes for your local nets. I also doubt that you
|
|
are using all 3 groups of internal numbers:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> Assuming that 172.16.254.254 is the internal gateway:
|
|
|
|
# /sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.16.254.254 dev eth1
|
|
# /sbin/route add -net 172.16.0.0 netmask 255.240.0.0 gw 172.16.254.254 dev eth1
|
|
# /sbin/route add -net 192.168.0.0 netmask 255.255.0.0 gw 172.16.254.254 dev eth1
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> One additional note on routing. If you are using two way routing for
|
|
say, a remote office, then you will need to do one more thing. You
|
|
need to set up routes on the server that point back to the client. The
|
|
easiest way to accomplish this is to run a cron job every minute that
|
|
quietly sets back routes. If the client is not
|
|
connected, <B
|
|
CLASS="command"
|
|
>route</B
|
|
> will just spit out an error (that you've
|
|
conveniently sent to <TT
|
|
CLASS="filename"
|
|
>/dev/null</TT
|
|
>.)
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="x256.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="client.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Restricting Users</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="c224.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Client</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |