shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Generic Tunnels</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="GenericTunnels"></a>Generic Tunnels</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2001, 2002, 2003, 2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id272876"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Bridged">Bridging two Masqueraded Networks</a></span></dt></dl></div><p>Shorewall includes built-in support for a wide range of VPN solutions.
  If you have need for a tunnel type that does not have explicit support, you
  can generally describe the tunneling software using “<span class="quote">generic
  tunnels</span>”.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Bridged"></a>Bridging two Masqueraded Networks</h2></div></div></div><p>Suppose that we have the following situation:</p><div><img src="images/TwoNets1.png" /></div><p>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
    accomplished through use of the /etc/shorewall/tunnels file, the
    /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
    included with Shorewall.</p><p>Suppose that you have tunneling software that uses two different
    protocols and that the tunnel interfaces are as follows:</p><div class="orderedlist"><ol type="a"><li><p>TCP port 1071</p></li><li><p>GRE (Protocol 47)</p></li><li><p>The tunnel interface on system A is “<span class="quote">tun0</span>” and the
        tunnel interface on system B is also “<span class="quote">tun0</span>”.</p></li></ol></div><p>On each firewall, you will need to declare a zone to represent the
    remote subnet. We'll assume that this zone is called “<span class="quote">vpn</span>”
    and declare it in /etc/shorewall/zones on both systems as follows.</p><pre class="programlisting">#ZONE        TYPE          OPTIONS
vpn          ipv4</pre><p>On system A, the 10.0.0.0/8 will comprise the <span class="bold"><strong>vpn</strong></span> zone. In /etc/shorewall/interfaces:</p><pre class="programlisting">#ZONE      INTERFACE       BROADCAST        OPTIONS
vpn        tun0            10.255.255.255</pre><p>In /etc/shorewall/tunnels on system A, we need the following:</p><pre class="programlisting">#TYPE            ZONE           GATEWAY         GATEWAY ZONE
generic:tcp:1071 net            134.28.54.2
generic:47       net            134.28.54.2</pre><p>These entries in /etc/shorewall/tunnels open the firewall so that
    TCP port 1071 and the Generic Routing Encapsulation protocol (GRE, protocol 47) will
    be accepted to/from the remote gateway.</p><p>On system B, the 192.168.1.0/24 will comprise the <span class="bold"><strong>vpn</strong></span> zone. In /etc/shorewall/interfaces:</p><pre class="programlisting">#ZONE        INTERFACE        BROADCAST         OPTIONS
vpn          tun0             192.168.1.255</pre><p>In /etc/shorewall/tunnels on system B, we have:</p><pre class="programlisting">#TYPE            ZONE           GATEWAY         GATEWAY ZONE
generic:tcp:1071 net            206.191.148.9
generic:47       net            206.191.148.9</pre><p>You will need to allow traffic between the “<span class="quote">vpn</span>” zone
    and the “<span class="quote">loc</span>” zone on both systems -- if you simply want to
    admit all traffic in both directions, you can use the policy file:</p><pre class="programlisting">#SOURCE      DEST        POLICY        LOG LEVEL
loc          vpn         ACCEPT
vpn          loc         ACCEPT</pre><p>Restart Shorewall and start your VPN software on both systems. The
    systems in the two masqueraded subnetworks can now talk to each
    other.</p></div></div></body></html>