<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9"> <TITLE>The Linux Cipe+Masquerading mini-HOWTO: Firewall Configuration</TITLE> <LINK HREF="Cipe+Masq-3.html" REL=next> <LINK HREF="Cipe+Masq-1.html" REL=previous> <LINK HREF="Cipe+Masq.html#toc2" REL=contents> </HEAD> <BODY> <A HREF="Cipe+Masq-3.html">Next</A> <A HREF="Cipe+Masq-1.html">Previous</A> <A HREF="Cipe+Masq.html#toc2">Contents</A> <HR> <H2><A NAME="s2">2. Firewall Configuration</A></H2> <P>This howto assumes you already configured your kernel to support IP masquerade. See references below for information on configuring your kernel for a linux firewall. <P> <H2><A NAME="ss2.1">2.1 VPN Network Diagram</A> </H2> <P>This setup uses a star/hub configuration. It will set up a cipe connection from Machine A to Machine B and another from Machine A to Machine C. <P> <BLOCKQUOTE><CODE> <HR> <PRE> Machine A eth0: 192.168.1.1 eth1: real ip 1 / \ / \ Machine B Machine C eth0: 192.168.2.1 eth0:192.168.3.1 eth1: real ip 2 eth1: real ip 3 </PRE> <HR> </CODE></BLOCKQUOTE> <P> <H2><A NAME="ss2.2">2.2 A little reference </A> </H2> <P> <BLOCKQUOTE><CODE> <HR> <PRE> eth0 is the local network (fake address) eth1 is the internet address (real address) Port A is any valid port you would like to choose Port B is any other valid port you would like to choose Key A is any valid key you would like to choose (read cipe doc for info) Key B is any valid key you would like to choose </PRE> <HR> </CODE></BLOCKQUOTE> <P> <H2><A NAME="ss2.3">2.3 Additional notes about scripts and the VPN</A> </H2> <P>The ip-up scripts currently only allow class c traffic through the cipe interface. If you wish for machine B to communicate with Machine C then you will need to change the appropriate ip-up and ip-down scripts. Specifically, you need to change the ptpaddr and myaddr netmasks. There are two ip-up scripts, one for ipchains and one for ipfwadm. Same with the ip-down scripts. Change the appropriate incoming, outgoing, and forwarding cipe interface firewall rules netmask from /24 to /16. Any cipe firewall rule changes you make in ip-up for ipfwadm, make sure the ip-down script reflects the change so it will be properly removed from the list when the interface goes down. For the ipchains file, anything added in a chain does not need ip-down reflection since ip-down will flush all the rules in the user defined chain. <P>You will also need to uncomment the network route in the rc.cipe for Machine B and C that adds each others network to their route table. <P> <P> <HR> <A HREF="Cipe+Masq-3.html">Next</A> <A HREF="Cipe+Masq-1.html">Previous</A> <A HREF="Cipe+Masq.html#toc2">Contents</A> </BODY> </HTML>