howto-html-en-20080722-2mdv2010.1.noarch.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>The Linux Cipe+Masquerading mini-HOWTO: Firewall Configuration</TITLE>
 <LINK HREF="Cipe+Masq-3.html" REL=next>
 <LINK HREF="Cipe+Masq-1.html" REL=previous>
 <LINK HREF="Cipe+Masq.html#toc2" REL=contents>
</HEAD>
<BODY>
<A HREF="Cipe+Masq-3.html">Next</A>
<A HREF="Cipe+Masq-1.html">Previous</A>
<A HREF="Cipe+Masq.html#toc2">Contents</A>
<HR>
<H2><A NAME="s2">2. Firewall Configuration</A></H2>

<P>This HOWTO assumes you have already configured your kernel to support IP 
masquerading.  See the references below for information on configuring 
your kernel as a Linux firewall.
<P>
<H2><A NAME="ss2.1">2.1 VPN Network Diagram</A>
</H2>

<P>This setup uses a star/hub configuration.  It will set up a cipe 
connection from Machine A to Machine B and another from Machine A 
to Machine C. 
<P>
<BLOCKQUOTE><CODE>
<HR>
<PRE>

                   Machine A 
                eth0: 192.168.1.1 
                eth1: real ip 1 
               /               \ 
              /                 \ 
     Machine B                  Machine C 
   eth0: 192.168.2.1           eth0:192.168.3.1 
   eth1: real ip 2             eth1: real ip 3 
</PRE>
<HR>
</CODE></BLOCKQUOTE>
<P>
<H2><A NAME="ss2.2">2.2 A little reference </A>
</H2>

<P>
<BLOCKQUOTE><CODE>
<HR>
<PRE>

eth0 is the local network (fake address) 
eth1 is the internet address (real address) 

Port A is any valid port you would like to choose 
Port B is any other valid port you would like to choose 

Key A is any valid key you would like to choose  (read cipe doc for info) 
Key B is any valid key you would like to choose 
</PRE>
<HR>
</CODE></BLOCKQUOTE>
<P>
<H2><A NAME="ss2.3">2.3 Additional notes about scripts and the VPN</A>
</H2>

<P>The ip-up scripts currently only allow class C traffic (a /24 netmask) through the cipe 
interface.  If you wish for Machine B to communicate with Machine C, then 
you will need to change the appropriate ip-up and ip-down scripts. 
Specifically, you need to change the ptpaddr and myaddr netmasks.  There 
are two ip-up scripts, one for ipchains and one for ipfwadm, and likewise two 
ip-down scripts.  Change the netmask in the incoming, outgoing, and forwarding 
firewall rules for the cipe interface from /24 to /16.  For any cipe firewall 
rule you change in the ipfwadm ip-up script, make sure the ipfwadm ip-down script reflects 
the same change, so that the rule is properly removed from the list when the interface 
goes down.  For the ipchains file, anything added inside the user-defined chain does not need 
to be mirrored in ip-down, since ip-down flushes all the rules in that chain. 
<P>You will also need to uncomment the network route in rc.cipe on Machines
B and C that adds each other's network to the routing table.
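<P>The following ip-up/ip-down skeleton is an added example written for this page; it is not
part of the HOWTO or of the cipe distribution.  It shows the two points above in working
shell: for ipfwadm, one rule list with a NETMASK variable generates both the append (ip-up)
and delete (ip-down) commands, so the ip-down script cannot fall out of step and the /24 to
/16 change is made in one place; for ipchains, ip-up fills a user-defined chain and ip-down
just flushes it.  The device name cipcb0, the network addresses, the chain name "cipe", the
route helper and the DRY_RUN switch (which prints the commands instead of running them) are
assumptions made for illustration, not values taken from the scripts the HOWTO ships.

```sh
#!/bin/sh
# Added example, not from the HOWTO or the cipe distribution.
# One rule table drives both the ipfwadm ip-up and ip-down scripts, so every
# rule appended on "up" has an identical delete on "down" and the two cannot
# drift apart. The netmask is a single variable: widen it from 24 to 16 when
# Machine B must reach Machine C and every rule changes together.
#
# Assumptions (placeholders, adjust to your own setup): the cipe device is
# cipcb0, the networks follow the diagram in section 2.1, and DRY_RUN=1
# prints the commands instead of executing them (the default here).

DRY_RUN=${DRY_RUN:-1}
NETMASK=${NETMASK:-24}    # set to 16 so the rules cover B and C together

# run CMD ARGS...: print the command under DRY_RUN, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipfwadm_rules ACTION IFACE LOCALNET PEERNET
#   ACTION is "a" (append, for ip-up) or "d" (delete, for ip-down); the
#   rule list is written once, so ip-down always mirrors ip-up exactly.
#   -I/-O are the incoming and outgoing lists on the cipe interface,
#   -F is the forwarding list between the local LAN and the peer's LAN.
ipfwadm_rules() {
    action=$1; iface=$2; local_net=$3/$NETMASK; peer_net=$4/$NETMASK
    run ipfwadm -I -"$action" accept -W "$iface" -S "$peer_net" -D "$local_net"
    run ipfwadm -O -"$action" accept -W "$iface" -S "$local_net" -D "$peer_net"
    run ipfwadm -F -"$action" accept -S "$peer_net" -D "$local_net"
    run ipfwadm -F -"$action" accept -S "$local_net" -D "$peer_net"
}

ip_up()   { ipfwadm_rules a "$1" "$2" "$3"; }
ip_down() { ipfwadm_rules d "$1" "$2" "$3"; }

# ipchains variant: the rules live in a user-defined chain named "cipe".
# ip-up fills the chain; ip-down only flushes it, so nothing needs mirroring.
# The jumps from the built-in input/output chains into "cipe" are assumed to
# be installed once by the main firewall script, not per interface event.
ipchains_up() {
    iface=$1; local_net=$2/$NETMASK; peer_net=$3/$NETMASK
    run ipchains -A cipe -i "$iface" -s "$peer_net" -d "$local_net" -j ACCEPT
    run ipchains -A cipe -i "$iface" -s "$local_net" -d "$peer_net" -j ACCEPT
    run ipchains -A cipe -i "$iface" -j DENY -l   # log and drop anything else
}
ipchains_down() {
    run ipchains -F cipe
}

# peer_route add|del NET NETMASK [DEV]: the route to the other machine's
# network over the cipe device (the route rc.cipe carries commented out).
peer_route() {
    run route "$1" -net "$2" netmask "$3" dev "${4:-cipcb0}"
}

# Invoked as a script: cipe-fw up|down IFACE LOCALNET PEERNET
case "${1:-}" in
    up)   ip_up   "$2" "$3" "$4" ;;
    down) ip_down "$2" "$3" "$4" ;;
esac
```

Run it with DRY_RUN=1 first and diff the "up" and "down" output: every line should differ only in -a versus -d, which is exactly the property the ipfwadm ip-down script must have.  Set NETMASK=16 in the environment (or edit the default) to make the B-to-C change in one place.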
<P>
<P>
<HR>
<A HREF="Cipe+Masq-3.html">Next</A>
<A HREF="Cipe+Masq-1.html">Previous</A>
<A HREF="Cipe+Masq.html#toc2">Contents</A>
</BODY>
</HTML>