<HTML> <HEAD><TITLE>Cipe+Masq-mini-HOWTO</TITLE> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="GENERATOR" CONTENT="Mozilla/4.05 [en] (X11; I; Linux 2.0.35 i586) [Netscape]"> </HEAD> <BODY> <FONT SIZE=+2>The Linux Cipe+Masquerading mini-HOWTO</FONT> <BR><FONT SIZE=+2>Anthony Ciaravalo, acj@home.com</FONT> <BR><FONT SIZE=+2>v0.4, 28 October 1998</FONT> <H3> 1. Introduction</H3> This is the Linux Cipe+Masquerading mini-HOWTO. It explains how to set up a <BR>Virtual Private Network between your LAN and other LANs using cipe through <BR>Linux masquerading firewall machines. <H4> 1.1. Copyright statement</H4> (C)opyright 1998 Anthony Ciaravalo, acj@home.com <P>Unless otherwise stated, Linux HOWTO documents are copyrighted by their <BR>respective authors. Linux HOWTO documents may be reproduced and distributed <BR>in whole or in part, in any medium physical or electronic, as long as <BR>this copyright notice is retained on all copies. Commercial redistribution <BR>is allowed and encouraged; however, the author would like to be notified of <BR>any such distributions. <P>All translations, derivative works, or aggregate works <BR>incorporating any Linux HOWTO documents must be covered under this <BR>copyright notice. That is, you may not produce a derivative work <BR>from a HOWTO and impose additional restrictions on its <BR>distribution. Exceptions to these rules may be granted under <BR>certain conditions; please contact the Linux HOWTO coordinator at <BR>the address given below. <P>If you have questions, please contact Greg Hankins, the Linux HOWTO <BR>coordinator, at <P>gregh@sunsite.unc.edu Finger for phone number and snail mail address. <H4> 1.2. Disclaimer</H4> Use of the information and examples in this document is at your own risk. <BR>There are many security issues involved in connecting networks across <BR>the internet, and in simply being connected to the internet at all.
Even though the information <BR>is encrypted, an improperly configured firewall may result in a security <BR>breach. Precautions can be taken to protect your cipe connections, but they <BR>do not guarantee 100% security. The author does not guarantee that the <BR>information provided in this document will provide a secure networking <BR>environment. <H4> 1.3. Feedback</H4> Send questions, comments, suggestions, or corrections to acj@home.net. <H4> 1.4. New versions of this document</H4> New versions will be posted to the cipe mailing list and emailed to the Linux <BR>HOWTO coordinator to be archived in the Linux HOWTO collection. <H4> 1.5. Getting the files</H4> This document was written based on version 1.0.0 of cipe. The file can be retrieved <BR>from <A HREF="http://sites.inka.de/~bigred/sw/cipe-1.0.0.tar.gz">http://sites.inka.de/~bigred/sw/cipe-1.0.0.tar.gz</A>. <H3> 2. Configuring the Machines</H3> <H4> 2.1. Firewall Configuration</H4> This howto assumes you have already configured your kernel to support IP <BR>masquerade and that you already have a working firewall configuration. This <BR>howto does not explain how to set up a masquerading firewall. It only shows <BR>examples of the configuration rules that allow a cipe connection to <BR>function properly when using a masquerading firewall. See the references below <BR>for information on configuring a Linux IP masquerade firewall. <H4> 2.2. The Star/Hub Configuration</H4> This setup uses a star/hub configuration, so if machine A is down <BR>then machines B and C will not be able to communicate. If that is a problem, <BR>then you might want to consider adding a cipe connection between B and C. <BR>This will start to get a little hairy when connecting a lot of networks <BR>together. This document only shows examples for the star/hub configuration. <P>
<PRE>
                    Machine A
                    eth0: 10.10.1.1
                    eth1: real ip 1
                       /       \
                      /         \
        Machine B                     Machine C
        eth0: 10.10.2.1               eth0: 10.10.3.1
        eth1: real ip 2               eth1: real ip 3
</PRE>
<H4> 2.3.
A little reference</H4> eth0 is the local network (fake address) <BR>eth1 is the internet address (real address) <P>Port A is any valid port you would like to choose <BR>Port B is any other valid port you would like to choose <P>Key A is any valid key you would like to choose (read the cipe doc for info) <BR>Key B is any valid key you would like to choose <H4> 2.4. Machine A Configuration</H4> <H4> 2.4a. /etc/cipe/ip-up</H4> #!/bin/sh <BR>#a trimmed down version of the sample ip-up that comes with the distribution <BR>#(the #! line must be the very first line of the script) <BR>umask 022 <BR>PATH=/sbin:/bin:/usr/sbin:/usr/bin <BR>#log the arguments ciped hands to ip-up (a root-written log in the world-writable /tmp is a symlink risk; /var/log is a safer place) <BR>echo "UP $*" >> /tmp/cipe <BR>#record the daemon pid ($3) under the interface name ($1) <BR>echo $3 > /var/run/$1.pid <BR>#i prefer to keep a separate file for setting up the routing...see below. <H4> 2.4b. /etc/cipe/options.machineB</H4> #device name <BR>device cip3b0 <BR># the peers internal (fake) ip address <BR>ptpaddr 10.10.2.1 <BR># my cipe (fake) ip address <BR>ipaddr 10.10.1.1 <BR># my real ip address and cipe port <BR>me (real ip 1):(port A) <BR># the peers ip address and cipe port <BR>peer (real ip 2):(port A) <BR>#my unique 128 bit key that no one else should ever know except my peer <BR>key (Key A) <H4> 2.4c. /etc/cipe/options.machineC</H4> #device name <BR>device cip3b1 <BR># the peers internal (fake) ip address <BR>ptpaddr 10.10.3.1 <BR># my cipe (fake) ip address <BR>ipaddr 10.10.1.1 <BR># my real ip address and cipe port <BR>me (real ip 1):(port B) <BR># the peers ip address and cipe port <BR>peer (real ip 3):(port B) <BR>#my unique 128 bit key that no one else should ever know except my peer <BR>key (Key B) <H4> 2.4d. /etc/cipe/setroute</H4> #!/bin/sh <BR>#separate file for setting routing table <BR>#set up route table to Machine B <BR>/sbin/route add -host 10.10.2.1 dev cip3b0 <BR>/sbin/route add -net 10.10.2.0 netmask 255.255.255.0 gw 10.10.2.1 <BR>#set up route table to Machine C <BR>/sbin/route add -host 10.10.3.1 dev cip3b1 <BR>/sbin/route add -net 10.10.3.0 netmask 255.255.255.0 gw 10.10.3.1 <H4> 2.4e.
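Added example: checking that both ends of a link agree</H4> The options files for the two ends of one link mirror each other: one end's me is the other end's peer, its ipaddr is the other end's ptpaddr, and both hold the same key. When one machine's file is copied to build the other machine's, it is easy to leave a line unswapped, and ciped then waits for a peer that never answers. The script below is an added example; it is not from this HOWTO or from the cipe distribution. It reads two options files and reports every line that does not match up. The function names and the sample files it writes (192.0.2.x standing in for the real ip placeholders, 7000/7001 for port A/port B, and dummy keys) are made up for the example, and the 32-hex-digit check assumes the 128-bit key is written as hex digits, as in the cipe documentation.

```sh
#!/bin/sh
# Added example, not part of the HOWTO or of the cipe distribution: check that
# the two options files describing one cipe link agree with each other before
# ciped is started on either end.  The option keywords (device, ptpaddr,
# ipaddr, me, peer, key) are the ones shown in the HOWTO; the function names
# and the sample values below are made up for this example.

# cipe_opt FILE KEYWORD: print the value of KEYWORD in a cipe options file
# (comment lines start with '#', so they never match a keyword in column one).
cipe_opt() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_link FILE_A FILE_B: exit 0 when the pair is consistent, 1 otherwise.
# A's "me" must be B's "peer" and vice versa, A's ipaddr must be B's ptpaddr
# and vice versa, and both must carry the same key.  One line is printed for
# every problem found.
check_link() {
    a=$1; b=$2; rc=0
    for pair in "me peer" "peer me" "ipaddr ptpaddr" "ptpaddr ipaddr" "key key"; do
        set -- $pair                      # $1 = keyword in A, $2 = keyword in B
        va=$(cipe_opt "$a" "$1"); vb=$(cipe_opt "$b" "$2")
        if [ -z "$va" ] || [ "$va" != "$vb" ]; then
            echo "mismatch: $a $1='$va' vs $b $2='$vb'"
            rc=1
        fi
    done
    # The HOWTO calls the key a 128-bit value; assuming it is written in hex,
    # that is exactly 32 hex digits.  Anything else is a truncated or
    # hand-mangled copy.
    case $(cipe_opt "$a" key) in
        *[!0-9a-fA-F]*|"")                echo "key in $a is not hexadecimal"; rc=1 ;;
        ????????????????????????????????) ;;
        *)                                echo "key in $a is not 32 hex digits"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files.  192.0.2.x (a documentation-only range) stands in
# for the HOWTO's "(real ip N)" placeholders, 7000/7001 for "(port A)" and
# "(port B)"; the keys are dummies.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/A.options.machineC" <<'EOF'
device cip3b1
ptpaddr 10.10.3.1
ipaddr 10.10.1.1
me 192.0.2.1:7001
peer 192.0.2.3:7001
key 00112233445566778899aabbccddeeff
EOF
cat > "$tmp/C.options.machineA" <<'EOF'
device cip3b0
ptpaddr 10.10.1.1
ipaddr 10.10.3.1
me 192.0.2.3:7001
peer 192.0.2.1:7001
key 00112233445566778899aabbccddeeff
EOF
cat > "$tmp/A.options.machineB" <<'EOF'
device cip3b0
ptpaddr 10.10.2.1
ipaddr 10.10.1.1
me 192.0.2.1:7000
peer 192.0.2.2:7000
key ffeeddccbbaa99887766554433221100
EOF
# B's file was made by copying A's: the fake addresses were swapped correctly,
# but the "me" and "peer" lines were left exactly as they were on A.
cat > "$tmp/B.options.machineA" <<'EOF'
device cip3b0
ptpaddr 10.10.1.1
ipaddr 10.10.2.1
me 192.0.2.1:7000
peer 192.0.2.2:7000
key ffeeddccbbaa99887766554433221100
EOF

link_a_c() { check_link "$tmp/A.options.machineC" "$tmp/C.options.machineA"; }
link_a_b() { check_link "$tmp/A.options.machineB" "$tmp/B.options.machineA"; }

if link_a_c; then echo "A<->C: consistent"; fi
if link_a_b; then echo "A<->B: consistent"; else echo "A<->B: fix before starting ciped"; fi
```

<P>Run it against the real files on the two machines before the ciped lines in rc.local are executed; it only reads the files, so the key never leaves them, and the placeholder values in this HOWTO must already have been replaced, since a value containing spaces such as "(real ip 1)" would be cut at the first space. <H4> 2.4e.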
/etc/rc.d/rc.local</H4> echo Configuring VPN network <BR>/usr/local/sbin/ciped -o /etc/cipe/options.machineB <BR>/usr/local/sbin/ciped -o /etc/cipe/options.machineC <BR>/etc/cipe/setroute <H4> 2.4f. Firewall Rules</H4> #flush all incoming firewall rules and set default policy to deny <BR>/sbin/ipfwadm -I -f <BR>/sbin/ipfwadm -I -p deny <BR>#allow incoming packets to your network via the cipe links <BR>/sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>/sbin/ipfwadm -I -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#add rest of your incoming rules here <BR>#(remember that the UDP packets carrying the cipe tunnel itself arrive on eth1 and are also subject to this chain; with the default policy of deny they must be accepted by one of your own rules or the links will never come up) <P>#flush all outgoing firewall rules and set default policy to deny <BR>/sbin/ipfwadm -O -f <BR>/sbin/ipfwadm -O -p deny <BR>#allow outgoing packets to the other networks via the cipe links <BR>/sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>/sbin/ipfwadm -O -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#add rest of your outgoing rules here <P>#flush all forwarding firewall rules and set default policy to deny <BR>/sbin/ipfwadm -F -f <BR>/sbin/ipfwadm -F -p deny <BR>#allow packets to be forwarded to the other networks via the cipe links <BR>/sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>/sbin/ipfwadm -F -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#allow forwarding from the real ip of this machine to the real ip addresses of the other machines <BR>/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 2) <BR>/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 3) <BR>#allow forwarding to the other networks via the local interface (fake ip address) <BR>/sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#add rest of your forwarding rules here <H4> 2.4g. Gateway</H4> All machines on network 10.10.1.0 must have 10.10.1.1 as their gateway. If they <BR>don't, it will not work. <H4> 2.5. Machine B Configuration</H4> <H4> 2.5a.
/etc/cipe/ip-up</H4> #!/bin/sh <BR>#a trimmed down version of the sample ip-up that comes with the distribution <BR>umask 022 <BR>PATH=/sbin:/bin:/usr/sbin:/usr/bin <BR>echo "UP $*" >> /tmp/cipe <BR>echo $3 > /var/run/$1.pid <BR>#i prefer to keep a separate file for setting up the routing...see below. <H4> 2.5b. /etc/cipe/options.machineA</H4> #device name <BR>device cip3b0 <BR># the peers internal (fake) ip address <BR>ptpaddr 10.10.1.1 <BR># my cipe (fake) ip address <BR>ipaddr 10.10.2.1 <BR># my real ip address and cipe port <BR>me (real ip 2):(port A) <BR># the peers ip address and cipe port <BR>peer (real ip 1):(port A) <BR>#my unique 128 bit key that no one else should ever know except my peer <BR>key (Key A) <H4> 2.5c. /etc/cipe/setroute</H4> #!/bin/sh <BR>#separate file for setting routing table <BR>#set up route table to Machine A <BR>/sbin/route add -host 10.10.1.1 dev cip3b0 <BR>/sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1 <H4> 2.5d. /etc/rc.d/rc.local</H4> echo Configuring VPN network <BR>/usr/local/sbin/ciped -o /etc/cipe/options.machineA <BR>/etc/cipe/setroute <H4> 2.5e.
Firewall Rules</H4> #flush all incoming firewall rules and set default policy to deny <BR>/sbin/ipfwadm -I -f <BR>/sbin/ipfwadm -I -p deny <BR>#allow incoming packets to your network via the cipe link <BR>/sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#add rest of your incoming rules here <P>#flush all outgoing firewall rules and set default policy to deny <BR>/sbin/ipfwadm -O -f <BR>/sbin/ipfwadm -O -p deny <BR>#allow outgoing packets to the other network via the cipe link <BR>/sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#add rest of your outgoing rules here <P>#flush all forwarding firewall rules and set default policy to deny <BR>/sbin/ipfwadm -F -f <BR>/sbin/ipfwadm -F -p deny <BR>#allow packets to be forwarded to the other networks via the cipe link <BR>/sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#allow forwarding from the real ip of this machine to the real ip address of the hub machine <BR>/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 2) -D (real ip 1) <BR>#allow packets to be forwarded to the other networks via the local interface (fake ip address) <BR>/sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#add rest of your forwarding rules here <H4> 2.5f. Gateway</H4> All machines on network 10.10.2.0 must have 10.10.2.1 as their gateway. If they <BR>don't, it will not work. <H4> 2.6. Machine C Configuration</H4> <H4> 2.6a. /etc/cipe/ip-up</H4> #!/bin/sh <BR>#a trimmed down version of the sample ip-up that comes with the distribution <BR>umask 022 <BR>PATH=/sbin:/bin:/usr/sbin:/usr/bin <BR>echo "UP $*" >> /tmp/cipe <BR>echo $3 > /var/run/$1.pid <BR>#i prefer to keep a separate file for setting up the routing...see below. <H4> 2.6b.
/etc/cipe/options.machineA</H4> #device name <BR>device cip3b0 <BR># the peers internal (fake) ip address <BR>ptpaddr 10.10.1.1 <BR># my cipe (fake) ip address <BR>ipaddr 10.10.3.1 <BR># my real ip address and cipe port <BR>me (real ip 3):(port B) <BR># the peers ip address and cipe port <BR>peer (real ip 1):(port B) <BR>#my unique 128 bit key that no one else should ever know except my peer <BR>key (Key B) <H4> 2.6c. /etc/cipe/setroute</H4> #!/bin/sh <BR>#separate file for setting routing table <BR>#set up route table to Machine A <BR>/sbin/route add -host 10.10.1.1 dev cip3b0 <BR>/sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1 <H4> 2.6d. /etc/rc.d/rc.local</H4> echo Configuring VPN network <BR>/usr/local/sbin/ciped -o /etc/cipe/options.machineA <BR>/etc/cipe/setroute <H4> 2.6e. Firewall Rules</H4> #flush all incoming firewall rules and set default policy to deny <BR>/sbin/ipfwadm -I -f <BR>/sbin/ipfwadm -I -p deny <BR>#allow incoming packets to your network via the cipe link <BR>/sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#add rest of your incoming rules here <P>#flush all outgoing firewall rules and set default policy to deny <BR>/sbin/ipfwadm -O -f <BR>/sbin/ipfwadm -O -p deny <BR>#allow outgoing packets to the other network via the cipe link <BR>/sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#add rest of your outgoing rules here <P>#flush all forwarding firewall rules and set default policy to deny <BR>/sbin/ipfwadm -F -f <BR>/sbin/ipfwadm -F -p deny <BR>#allow packets to be forwarded to the other networks via the cipe link <BR>/sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#allow forwarding from the real ip of this machine to the real ip address of the hub machine <BR>/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 3) -D (real ip 1) <BR>#allow packets to be forwarded to the other networks via the local
interface (fake ip address) <BR>/sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16 <BR>#add rest of your forwarding rules here <H4> 2.6f. Gateway</H4> All machines on network 10.10.3.0 must have 10.10.3.1 as their gateway. If they <BR>don't, it will not work. <H3> 3. Starting it up</H3> Manually run the commands added to rc.local on each machine. <H3> 4. Connecting to the WAN</H3> At this point your WAN should be connected. Try pinging machines on the <BR>other networks. The next step is to get your networks to see each other <BR>and access each other using SAMBA browsing. A few hints: an lmhosts file or a WINS <BR>server is required, and trusted domains for NT. I have set these up, but that <BR>is not the purpose of this document (at least not for now). <H3> 5. References</H3> <H4> 5.1. Web Sites</H4> Cipe Home Page <A HREF="http://sites.inka.de/~bigred/devel/cipe.html">http://sites.inka.de/~bigred/devel/cipe.html</A> <BR>Masq Home Page <A HREF="http://ipmasq.home.ml.org">http://ipmasq.home.ml.org</A> <BR>Samba Home Page <A HREF="http://samba.anu.edu.au">http://samba.anu.edu.au</A> <BR>Linux HQ <A HREF="http://www.linuxhq.com">http://www.linuxhq.com</A> ---great site for lots of linux info <H4> 5.2. Documentation</H4> cipe.info: info file included with the cipe distribution <BR>Firewall HOWTO, by Mark Grennan &lt;markg@netplus.net&gt; <BR>IP Masquerade mini-HOWTO, by Ambrose Au &lt;ambrose@writeme.com&gt; </BODY> </HTML>