LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/VPN-HOWTO/x265.html

417 lines
7.0 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>Networking</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="VPN HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Server"
HREF="c224.html"><LINK
REL="PREVIOUS"
TITLE="Restricting Users"
HREF="x256.html"><LINK
REL="NEXT"
TITLE="Client"
HREF="client.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>VPN HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x256.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 3. Server</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="client.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN265">3.4. Networking</H1
><P
>&#13;Now that your users have access to the system, we need to make sure that
they have access to the network. We do that by using the Linux kernel's
firewalling rules and routing tables. Using the <B
CLASS="command"
>route</B
> and
<B
CLASS="command"
>ipfwadm</B
> commands, we can set up the kernel to handle network
traffic in the appropriate ways. For more info on <B
CLASS="command"
>ipfwadm</B
>,
<B
CLASS="command"
>ipchains</B
> and <B
CLASS="command"
>route</B
> see the
<A
HREF="http://www.tldp.org/HOWTO/Linux-Networking-HOWTO.html"
TARGET="_top"
>Linux Networking HOWTO</A
>.</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN274">3.4.1. The Kernel</H2
><P
>&#13;In order for any of this to work, you must have your kernel configured
correctly. If you don't know how to build your own kernel, then you
should read the <A
HREF="http://www.tldp.org/HOWTO/Kernel-HOWTO.html"
TARGET="_top"
>&#13;Kernel HOWTO</A
>. You'll need to make sure that the following kernel options
are turned on in addition to basic networking. I use a 2.0.38 kernel
in my system.
</P
><P
>&#13;For 2.0 kernels:
<P
></P
><UL
><LI
><P
>&#13;CONFIG_FIREWALL
</P
></LI
><LI
><P
>&#13;CONFIG_IP_FORWARD
</P
></LI
><LI
><P
>&#13;CONFIG_IP_FIREWALL
</P
></LI
><LI
><P
>&#13;CONFIG_IP_ROUTER
</P
></LI
><LI
><P
>&#13;CONFIG_IP_MASQUERADE (optional)
</P
></LI
><LI
><P
>&#13;CONFIG_IP_MASQUERADE_ICMP (optional)
</P
></LI
><LI
><P
>&#13;CONFIG_PPP
</P
></LI
></UL
>
</P
><P
>&#13;For 2.2 kernels:
<P
></P
><UL
><LI
><P
>&#13;CONFIG_FIREWALL
</P
></LI
><LI
><P
>&#13;CONFIG_IP_ADVANCED_ROUTER
</P
></LI
><LI
><P
>&#13;CONFIG_IP_FIREWALL
</P
></LI
><LI
><P
>&#13;CONFIG_IP_ROUTER
</P
></LI
><LI
><P
>&#13;CONFIG_IP_MASQUERADE (optional)
</P
></LI
><LI
><P
>&#13;CONFIG_IP_MASQUERADE_ICMP (optional)
</P
></LI
><LI
><P
>&#13;CONFIG_PPP
</P
></LI
></UL
>
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN310">3.4.2. Filter Rules</H2
><P
>&#13;First, we write firewall filter rules that allow our users to access our
internal nets, while restricting them from accessing the outside
internet. This sounds strange, but since the users
already have access to the internet, why let them use the tunnel to
access the net? It wastes both bandwidth and processor resources.
</P
><P
>&#13;The filter rules that we use depend upon which internal nets we use,
but translate to: "Allow traffic coming from our VPNs that is
destined for our internal nets to go there." So how do we do that?
As always, it depends. If you are running a 2.0 kernel, you use the
tool called <B
CLASS="command"
>ipfwadm</B
>, but if you are using a
2.2 kernel, you use the utility called <B
CLASS="command"
>ipchains</B
>.
</P
><P
>&#13;To set the rules with <B
CLASS="command"
>ipfwadm</B
>, run it with options similar to
the following:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;# /sbin/ipfwadm -F -f
# /sbin/ipfwadm -F -p deny
# /sbin/ipfwadm -F -a accept -S 192.168.13.0/24 -D 172.16.0.0/12
</PRE
></FONT
></TD
></TR
></TABLE
><P
>&#13;To set the rules with <B
CLASS="command"
>ipchains</B
>, run it with options similar to
the following:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;# /sbin/ipchains -F forward
# /sbin/ipchains -P forward DENY
# /sbin/ipchains -A forward -j ACCEPT -s 192.168.13.0/24 -d 172.16.0.0/12
</PRE
></FONT
></TD
></TR
></TABLE
><P
>&#13;For those using 2.2 kernels, please read <A
HREF="pitfalls.html#ipv4forwarding"
>Section 6.1.3</A
>.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN324">3.4.3. Routing</H2
><P
>&#13;Now that users are allowed to access our nets, we need to tell
the kernel where to send the packets. On my system, I have two ethernet
cards, one is on the external network, while the other is on the
internal network. This helps keep things secure, as outbound traffic is
masqueraded by the gateway, and any incoming traffic is filtered and
routed by the Cisco Router. For most setups, the routing should be simple.
</P
><P
>&#13;Next, route all traffic destined for the private networks out the
internal interface, and all other traffic out the external interface. The
specific routing commands depend on which internal nets you are using.
Below is an example of what they might look like. These lines are of course
in addition to your basic routes for your local nets. I also doubt that you
are using all 3 groups of internal numbers:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;Assuming that 172.16.254.254 is the internal gateway:
# /sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.16.254.254 dev eth1
# /sbin/route add -net 172.16.0.0 netmask 255.240.0.0 gw 172.16.254.254 dev eth1
# /sbin/route add -net 192.168.0.0 netmask 255.255.0.0 gw 172.16.254.254 dev eth1
</PRE
></FONT
></TD
></TR
></TABLE
><P
>&#13;One additional note on routing. If you are using two way routing for
say, a remote office, then you will need to do one more thing. You
need to set up routes on the server that point back to the client. The
easiest way to accomplish this is to run a cron job every minute that
quietly sets back routes. If the client is not
connected, <B
CLASS="command"
>route</B
> will just spit out an error (that you've
conveniently sent to <TT
CLASS="filename"
>/dev/null</TT
>.)
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x256.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="client.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Restricting Users</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="c224.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Client</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink