<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>The Linux Cipe+Masquerading mini-HOWTO: Firewall Configuration</TITLE>
<LINK HREF="Cipe+Masq-3.html" REL=next>
<LINK HREF="Cipe+Masq-1.html" REL=previous>
<LINK HREF="Cipe+Masq.html#toc2" REL=contents>
</HEAD>
<BODY>
<A HREF="Cipe+Masq-3.html">Next</A>
<A HREF="Cipe+Masq-1.html">Previous</A>
<A HREF="Cipe+Masq.html#toc2">Contents</A>
<HR>
<H2><A NAME="s2">2. Firewall Configuration</A></H2>

<P>This HOWTO assumes you have already configured your kernel to support IP
masquerading. See the references below for information on configuring
your kernel as a Linux firewall.
<P>
<H2><A NAME="ss2.1">2.1 VPN Network Diagram</A>
</H2>

<P>This setup uses a star/hub configuration. It will set up a cipe
connection from Machine A to Machine B and another from Machine A
to Machine C.
<P>
<BLOCKQUOTE><CODE>
<HR>
<PRE>
                    Machine A
                eth0: 192.168.1.1
                eth1: real ip 1
                     /     \
                    /       \
        Machine B               Machine C
  eth0: 192.168.2.1         eth0: 192.168.3.1
  eth1: real ip 2           eth1: real ip 3
</PRE>
<HR>
</CODE></BLOCKQUOTE>
<P>
<H2><A NAME="ss2.2">2.2 A little reference</A>
</H2>

<P>
<BLOCKQUOTE><CODE>
<HR>
<PRE>
eth0 is the local network (fake address)
eth1 is the internet address (real address)

Port A is any valid port you would like to choose
Port B is any other valid port you would like to choose

Key A is any valid key you would like to choose (read cipe doc for info)
Key B is any valid key you would like to choose
</PRE>
<HR>
</CODE></BLOCKQUOTE>
<P>
<H2><A NAME="ss2.3">2.3 Additional notes about scripts and the VPN</A>
</H2>

<P>The ip-up scripts currently only allow class C traffic through the cipe
interface. If you wish for Machine B to communicate with Machine C, you
will need to change the appropriate ip-up and ip-down scripts.
Specifically, you need to change the ptpaddr and myaddr netmasks. There
are two ip-up scripts, one for ipchains and one for ipfwadm, and likewise
two ip-down scripts. Change the netmask in the incoming, outgoing and
forwarding cipe interface firewall rules from /24 to /16. For any cipe
firewall rule change you make in ip-up for ipfwadm, make sure the ip-down
script reflects the change, so that the rule is properly removed from the
list when the interface goes down. For the ipchains file, anything added
to a chain does not need to be mirrored in ip-down, since ip-down flushes
all the rules in the user-defined chain.
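<P>As an added example (not part of the HOWTO or its scripts), the following shell script checks the ipfwadm variant of that requirement: it parses an ip-up and an ip-down script and reports every <CODE>ipfwadm -a</CODE> rule in ip-up that has no matching <CODE>ipfwadm -d</CODE> in ip-down, which is exactly the rule that would be left in the firewall after the cipe interface goes down. The two scripts embedded here are constructed samples, and the interface name <CODE>cipcb0</CODE> and the addresses in them are assumptions.

```shell
#!/bin/sh
# Constructed ip-up / ip-down fragments for the ipfwadm variant (sample input,
# not the HOWTO's own scripts). ip-up was widened to /16, but ip-down still
# deletes the old /24 forwarding rule, so that rule would be left behind.
IP_UP='#!/bin/sh
# ip-up for ipfwadm (constructed sample)
ipfwadm -I -a accept -W cipcb0 -S 192.168.2.0/16 -D 192.168.1.0/16
ipfwadm -O -a accept -W cipcb0 -S 192.168.1.0/16 -D 192.168.2.0/16
ipfwadm -F -a accept -W cipcb0 -S 192.168.2.0/16 -D 192.168.1.0/16
route add -net 192.168.2.0 netmask 255.255.0.0 dev cipcb0'
IP_DOWN='#!/bin/sh
# ip-down for ipfwadm (constructed sample)
ipfwadm -I -d accept -W cipcb0 -S 192.168.2.0/16 -D 192.168.1.0/16
ipfwadm -O -d accept -W cipcb0 -S 192.168.1.0/16 -D 192.168.2.0/16
ipfwadm -F -d accept -W cipcb0 -S 192.168.2.0/24 -D 192.168.1.0/24'

# Read a script on stdin and print its ipfwadm rules with the command flag
# given in $1 (-a for add, -d for delete) removed, so that a rule and its
# delete compare equal. Comments, blank lines and other commands are skipped.
rule_keys() {
    grep '^ipfwadm ' | grep " $1 " | sed "s/ $1 / /"
}

# Print each rule that ip-up ($1) adds and ip-down ($2) never deletes.
unmatched_rules() {
    {
        printf '%s\n' "$2" | rule_keys -d | sed 's/^/D /'
        printf '%s\n' "$1" | rule_keys -a | sed 's/^/A /'
    } | awk '$1 == "D" { sub(/^D /, ""); seen[$0] = 1; next }
             { sub(/^A /, ""); if (!seen[$0]) print }'
}

# Succeed only when ip-down removes every rule that ip-up adds.
check_scripts() {
    [ -z "$(unmatched_rules "$1" "$2")" ]
}

if check_scripts "$IP_UP" "$IP_DOWN"; then
    echo "ip-down removes every rule that ip-up adds"
else
    echo "rules added in ip-up with no matching delete in ip-down:"
    unmatched_rules "$IP_UP" "$IP_DOWN"
fi
```

Run it against your real ip-up and ip-down by reading them into the two variables; an empty report means the interface's rules will be cleaned up when it goes down.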
<P>You will also need to uncomment the network route in rc.cipe for Machines
B and C that adds each other's network to their routing tables.
<P>
<P>
<HR>
<A HREF="Cipe+Masq-3.html">Next</A>
<A HREF="Cipe+Masq-1.html">Previous</A>
<A HREF="Cipe+Masq.html#toc2">Contents</A>
</BODY>
</HTML>