<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Generic Tunnels</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="GenericTunnels"></a>Generic Tunnels</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2001, 2002, 2003, 2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id272876"></a><p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Bridged">Bridging two Masqueraded Networks</a></span></dt></dl></div><p>Shorewall includes built-in support for a wide range of VPN solutions. 
If you need a tunnel type that does not have explicit support, you can generally describe the tunneling software using “<span class="quote">generic tunnels</span>”.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Bridged"></a>Bridging two Masqueraded Networks</h2></div></div></div><p>Suppose that we have the following situation:</p><div><img src="images/TwoNets1.png" /></div><p>We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/zones, /etc/shorewall/interfaces, /etc/shorewall/tunnels and /etc/shorewall/policy files and the /etc/shorewall/tunnel script that is included with Shorewall.</p><p>Suppose that the tunneling software uses two different protocols:</p><div class="orderedlist"><ol type="a"><li><p>TCP port 1071</p></li><li><p>GRE (Protocol 47)</p></li></ol></div><p>The tunnel interface on system A is “<span class="quote">tun0</span>” and the tunnel interface on system B is also “<span class="quote">tun0</span>”.</p><p>On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called “<span class="quote">vpn</span>” and declare it in /etc/shorewall/zones on both systems as follows.</p><pre class="programlisting">#ZONE   TYPE   OPTIONS
vpn     ipv4</pre><p>On system A, the 10.0.0.0/8 network will comprise the <span class="bold"><strong>vpn</strong></span> zone. 
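</p><p>The tunnels entries shown in this section open TCP port 1071 and GRE only between the two gateway addresses, and the two systems' tunnels files must mirror each other (each side names the other's public address and opens the same protocol/port pairs) or the tunnel will only work in one direction. The following Python script is an added example, not part of this article or of Shorewall itself: it parses tunnels-file entries of the form generic:&lt;protocol&gt;[:&lt;port&gt;] for both systems (constructed inline from this section's addresses, 206.191.148.9 for system A and 134.28.54.2 for system B), reports any asymmetry between the two files, and flags a GATEWAY written as a network such as 0.0.0.0/0, which Shorewall accepts for road-warrior peers but which exposes the tunnel protocol to the whole “<span class="quote">net</span>” zone rather than to one peer. The file layout and the 0.0.0.0/0 convention are Shorewall's; the protocol-name table and the check logic are the example's own assumptions.</p>

```python
"""Consistency check for Shorewall generic-tunnel entries on two gateways.

Added example, not code from this article or from the Shorewall project.
The sample entries are constructed from this section's two-network setup;
field layout follows /etc/shorewall/tunnels (TYPE ZONE GATEWAY [GATEWAY ZONE]).
"""
import ipaddress

# Constructed copies of the two tunnels files in this section.
SYSTEM_A_TUNNELS = """\
#TYPE             ZONE   GATEWAY        GATEWAY ZONE
generic:tcp:1071  net    134.28.54.2
generic:47        net    134.28.54.2
"""
SYSTEM_B_TUNNELS = """\
#TYPE             ZONE   GATEWAY        GATEWAY ZONE
generic:tcp:1071  net    206.191.148.9
generic:47        net    206.191.148.9
"""
SYSTEM_A_ADDR = "206.191.148.9"  # public address of system A
SYSTEM_B_ADDR = "134.28.54.2"    # public address of system B

# Assumed name table for the TYPE column (Shorewall also reads /etc/protocols).
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


def proto_number(name):
    """Map a protocol name or number from generic:<proto> to its IP protocol number."""
    if name.isdigit():
        return int(name)
    if name.lower() in PROTO_NUMBERS:
        return PROTO_NUMBERS[name.lower()]
    raise ValueError(f"unknown protocol {name!r}")


def parse_tunnels(text):
    """Parse tunnels-file text into (proto, port, zone, gateway_network) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"too few fields: {raw!r}")
        ttype, zone, gateway = fields[0], fields[1], fields[2]
        parts = ttype.split(":")
        if parts[0] != "generic" or len(parts) not in (2, 3):
            raise ValueError(f"not a generic tunnel type: {ttype!r}")
        proto = proto_number(parts[1])
        port = int(parts[2]) if len(parts) == 3 else None
        if port is not None and proto not in (6, 17):
            raise ValueError(f"port given for a protocol without ports: {ttype!r}")
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {ttype!r}")
        entries.append((proto, port, zone, ipaddress.ip_network(gateway, strict=False)))
    return entries


def wide_gateways(entries):
    """Entries whose GATEWAY is a network rather than a single host.

    Shorewall accepts e.g. 0.0.0.0/0 for road-warrior peers, but the tunnel
    protocol/port is then reachable from the whole zone, not from one peer.
    """
    return [e for e in entries if e[3].num_addresses > 1]


def mirror_mismatches(a_entries, b_entries, a_addr, b_addr):
    """List every way the two tunnels files fail to mirror each other."""
    a_addr, b_addr = ipaddress.ip_address(a_addr), ipaddress.ip_address(b_addr)
    problems = []
    for proto, port, _zone, gw in a_entries:
        if b_addr not in gw:
            problems.append(f"A: gateway {gw} does not cover B ({b_addr}) for proto {proto} port {port}")
    for proto, port, _zone, gw in b_entries:
        if a_addr not in gw:
            problems.append(f"B: gateway {gw} does not cover A ({a_addr}) for proto {proto} port {port}")
    a_open = {(p, port) for p, port, _, _ in a_entries}
    b_open = {(p, port) for p, port, _, _ in b_entries}
    for proto, port in sorted(a_open ^ b_open, key=str):
        side = "A" if (proto, port) in a_open else "B"
        problems.append(f"only {side} opens proto {proto} port {port}")
    return problems


def check_pair(a_text, b_text, a_addr=SYSTEM_A_ADDR, b_addr=SYSTEM_B_ADDR):
    """Parse both files; return all findings (an empty list means they agree)."""
    a_entries, b_entries = parse_tunnels(a_text), parse_tunnels(b_text)
    findings = mirror_mismatches(a_entries, b_entries, a_addr, b_addr)
    for side, entries in (("A", a_entries), ("B", b_entries)):
        for proto, port, zone, gw in wide_gateways(entries):
            findings.append(f"{side}: proto {proto} port {port} open to all of {gw} in zone {zone}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(SYSTEM_A_TUNNELS, SYSTEM_B_TUNNELS) or ["tunnels files mirror each other"]:
        print(finding)
```

<p>Run it against the two tunnels files before restarting Shorewall; an empty result means the two ends agree. Only the tunnels file is checked here, because it is the one that opens the firewall to the outside; the interfaces and policy entries for the two systems follow.</p><p>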
In /etc/shorewall/interfaces on system A:</p><pre class="programlisting">#ZONE   INTERFACE   BROADCAST        OPTIONS
vpn     tun0        10.255.255.255</pre><p>In /etc/shorewall/tunnels on system A, we need the following:</p><pre class="programlisting">#TYPE             ZONE   GATEWAY        GATEWAY ZONE
generic:tcp:1071  net    134.28.54.2
generic:47        net    134.28.54.2</pre><p>These entries in /etc/shorewall/tunnels open the firewall so that TCP port 1071 and the Generic Routing Encapsulation protocol (47) are accepted to and from the remote gateway, and only from that gateway address. Note that this is all Shorewall does for a generic tunnel: any authentication or encryption of the traffic carried inside the tunnel is the responsibility of the tunneling software.</p><p>On system B, the 192.168.1.0/24 network will comprise the <span class="bold"><strong>vpn</strong></span> zone. In /etc/shorewall/interfaces on system B:</p><pre class="programlisting">#ZONE   INTERFACE   BROADCAST        OPTIONS
vpn     tun0        192.168.1.255</pre><p>In /etc/shorewall/tunnels on system B, we have:</p><pre class="programlisting">#TYPE             ZONE   GATEWAY        GATEWAY ZONE
generic:tcp:1071  net    206.191.148.9
generic:47        net    206.191.148.9</pre><p>You will need to allow traffic between the “<span class="quote">vpn</span>” zone and the “<span class="quote">loc</span>” zone on both systems. If you simply want to admit all traffic in both directions, you can use the policy file:</p><pre class="programlisting">#SOURCE   DEST   POLICY   LOG LEVEL
loc       vpn    ACCEPT
vpn       loc    ACCEPT</pre><p>Bear in mind that this makes every host behind the remote gateway as trusted as your own local network. To restrict which hosts and services may cross the tunnel, give these two policies a more restrictive value such as REJECT and open the specific traffic in /etc/shorewall/rules.</p><p>Restart Shorewall on both systems and start your tunneling software on each. The systems in the two masqueraded subnetworks can now talk to each other.</p></div></div></body></html>