The Linux Cipe+Masquerading mini-HOWTO
Anthony Ciaravalo, acj@home.com
v0.4, 28 October 1998
1. Introduction
This is the Linux Cipe+Masquerading mini-HOWTO. It explains how to set up a Virtual Private Network between your LAN and other LANs using cipe through Linux masquerading firewall machines.
1.1. Copyright statement
(C)opyright 1998 Anthony Ciaravalo, acj@home.com
Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.
All translations, derivative works, or aggregate works
incorporating any Linux HOWTO documents must be covered under this
copyright notice. That is, you may not produce a derivative work
from a HOWTO and impose additional restrictions on its
distribution. Exceptions to these rules may be granted under
certain conditions; please contact the Linux HOWTO coordinator at
the address given below.
If you have questions, please contact Greg Hankins, the Linux HOWTO coordinator, at gregh@sunsite.unc.edu. Finger for phone number and snail mail address.
1.2. Disclaimer
Use of the information and examples in this document is at your own risk. There are many security issues involved when connecting networks across the internet, and in being connected to the internet at all. Even though the traffic is encrypted, an improperly configured firewall may result in a security breach. Precautions can be taken to protect your cipe connections, but they do not guarantee 100% security. The author does not guarantee that the information provided in this document will provide a secure networking environment.
1.3. Feedback
Send questions, comments, suggestions, or corrections to acj@home.net.
1.4. New versions of this document
New versions will be posted to the cipe mailing list and emailed to the Linux HOWTO coordinator to be archived in the Linux HOWTO collection.
1.5. Getting the files
This document was written based on version 1.0.0 of cipe. The file can be retrieved from http://sites.inka.de/~bigred/sw/cipe-1.0.0.tar.gz.
2. Configuring the Machines
2.1. Firewall Configuration
This howto assumes you have already configured your kernel to support IP masquerade and you already have a working firewall configuration. This howto does not explain how to set up a masquerading firewall. It only shows examples of the configuration rules that will allow a cipe connection to function properly when using a masquerading firewall. See the references below for information on configuring a Linux IP masquerade firewall.
2.2. The Star/Hub Configuration
This setup uses a star/hub configuration, so if machine A is down then machines B and C will not be able to communicate. If that is a problem, then you might want to consider adding a cipe connection between B and C. This will start to get a little hairy when connecting a lot of networks together. This document only shows examples for the star/hub configuration.
                    Machine A
                    eth0: 10.10.1.1
                    eth1: real ip 1
                      /       \
                     /         \
                    /           \
         Machine B               Machine C
         eth0: 10.10.2.1         eth0: 10.10.3.1
         eth1: real ip 2         eth1: real ip 3
2.3. A little reference
eth0 is the local network (fake address)
eth1 is the internet address (real address)
Port A is any valid port you would like to choose
Port B is any other valid port you would like to choose
Key A is any valid key you would like to choose (read the cipe doc for info)
Key B is any valid key you would like to choose
2.4. Machine A Configuration
2.4a. /etc/cipe/ip-up
#!/bin/sh
# a trimmed down version of the sample ip-up that comes with the distribution
umask 022
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# log each link-up event; $1 is the interface name, $3 the ciped PID
echo "UP $*" >> /tmp/cipe
echo "$3" > "/var/run/$1.pid"
# i prefer to keep a separate file for setting up the routing...see below.
2.4b. /etc/cipe/options.machineB
# device name
device cip3b0
# the peer's internal (fake) ip address
ptpaddr 10.10.2.1
# my cipe (fake) ip address
ipaddr 10.10.1.1
# my real ip address and cipe port
me (real ip 1):(port A)
# the peer's real ip address and cipe port
peer (real ip 2):(port A)
# my unique 128 bit key that no one else should ever know except my peer
key (Key A)
2.4c. /etc/cipe/options.machineC
# device name
device cip3b1
# the peer's internal (fake) ip address
ptpaddr 10.10.3.1
# my cipe (fake) ip address
ipaddr 10.10.1.1
# my real ip address and cipe port
me (real ip 1):(port B)
# the peer's real ip address and cipe port
peer (real ip 3):(port B)
# my unique 128 bit key that no one else should ever know except my peer
key (Key B)
2.4d. /etc/cipe/setroute
#!/bin/sh
#separate file for setting routing table
#set up route table to Machine B
/sbin/route add -host 10.10.2.1 dev cip3b0
/sbin/route add -net 10.10.2.0 netmask 255.255.255.0 gw 10.10.2.1
#set up route table to Machine C
/sbin/route add -host 10.10.3.1 dev cip3b1
/sbin/route add -net 10.10.3.0 netmask 255.255.255.0 gw 10.10.3.1
2.4e. /etc/rc.d/rc.local
echo Configuring VPN network
/usr/local/sbin/ciped -o /etc/cipe/options.machineB
/usr/local/sbin/ciped -o /etc/cipe/options.machineC
/etc/cipe/setroute
2.4f. Firewall Rules
#flush all incoming firewall rules and set default policy to deny
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p deny
#allow incoming packets to your network via the cipe links
/sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
/sbin/ipfwadm -I -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your incoming rules here
#flush all outgoing firewall rules and set default policy to deny
/sbin/ipfwadm -O -f
/sbin/ipfwadm -O -p deny
#allow outgoing packets to the other networks via the cipe links
/sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
/sbin/ipfwadm -O -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your outgoing rules here
#flush all forwarding firewall rules and set default policy to deny
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
#allow packets to be forwarded to the other networks via the cipe links
/sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
/sbin/ipfwadm -F -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
#allow forwarding from the real ip of this machine to the real ip address of the other machines
/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 2)
/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 3)
#allow forwarding to the other networks via the local interface (fake ip address)
/sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your forwarding rules here
2.4g. Gateway
All machines on network 10.10.1.0 must have 10.10.1.1 as gateway. If they don't, it will not work.
2.5. Machine B Configuration
2.5a. /etc/cipe/ip-up
#!/bin/sh
# a trimmed down version of the sample ip-up that comes with the distribution
umask 022
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# log each link-up event; $1 is the interface name, $3 the ciped PID
echo "UP $*" >> /tmp/cipe
echo "$3" > "/var/run/$1.pid"
# i prefer to keep a separate file for setting up the routing...see below.
2.5b. /etc/cipe/options.machineA
# device name
device cip3b0
# the peer's internal (fake) ip address
ptpaddr 10.10.1.1
# my cipe (fake) ip address
ipaddr 10.10.2.1
# my real ip address and cipe port (this is Machine B, so its own real ip)
me (real ip 2):(port A)
# the peer's real ip address and cipe port (Machine A)
peer (real ip 1):(port A)
# my unique 128 bit key that no one else should ever know except my peer
key (Key A)
2.5c. /etc/cipe/setroute
#!/bin/sh
#separate file for setting routing table
#set up route table to Machine A
/sbin/route add -host 10.10.1.1 dev cip3b0
/sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1
2.5d. /etc/rc.d/rc.local
echo Configuring VPN network
/usr/local/sbin/ciped -o /etc/cipe/options.machineA
/etc/cipe/setroute
2.5e. Firewall Rules
#flush all incoming firewall rules and set default policy to deny
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p deny
#allow incoming packets to your network via the cipe link
/sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your incoming rules here
#flush all outgoing firewall rules and set default policy to deny
/sbin/ipfwadm -O -f
/sbin/ipfwadm -O -p deny
#allow outgoing packets to your network via the cipe link
/sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your outgoing rules here
#flush all forwarding firewall rules and set default policy to deny
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
#allow packets to be forwarded to the other networks via the cipe links
/sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#allow forwarding from the real ip of this machine to the real ip address of the other machine
/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 2) -D (real ip 1)
#allow packets to be forwarded to the other networks via the local interface (fake ip address)
/sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your forwarding rules here
2.5f. Gateway
All machines on network 10.10.2.0 must have 10.10.2.1 as gateway. If they don't, it will not work.
2.6. Machine C Configuration
2.6a. /etc/cipe/ip-up
#!/bin/sh
# a trimmed down version of the sample ip-up that comes with the distribution
umask 022
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# log each link-up event; $1 is the interface name, $3 the ciped PID
echo "UP $*" >> /tmp/cipe
echo "$3" > "/var/run/$1.pid"
# i prefer to keep a separate file for setting up the routing...see below.
2.6b. /etc/cipe/options.machineA
# device name
device cip3b0
# the peer's internal (fake) ip address
ptpaddr 10.10.1.1
# my cipe (fake) ip address
ipaddr 10.10.3.1
# my real ip address and cipe port
me (real ip 3):(port B)
# the peer's real ip address and cipe port
peer (real ip 1):(port B)
# my unique 128 bit key that no one else should ever know except my peer
key (Key B)
2.6c. /etc/cipe/setroute
#!/bin/sh
#separate file for setting routing table
#set up route table to Machine A
/sbin/route add -host 10.10.1.1 dev cip3b0
/sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1
2.6d. /etc/rc.d/rc.local
echo Configuring VPN network
/usr/local/sbin/ciped -o /etc/cipe/options.machineA
/etc/cipe/setroute
2.6e. Firewall Rules
#flush all incoming firewall rules and set default policy to deny
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p deny
#allow incoming packets to your network via the cipe link
/sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your incoming rules here
#flush all outgoing firewall rules and set default policy to deny
/sbin/ipfwadm -O -f
/sbin/ipfwadm -O -p deny
#allow outgoing packets to your network via the cipe link
/sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your outgoing rules here
#flush all forwarding firewall rules and set default policy to deny
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
#allow packets to be forwarded to the other networks via the cipe link
/sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#allow forwarding from the real ip of this machine to the real ip address of the other machine
/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 3) -D (real ip 1)
#allow packets to be forwarded to the other networks via the local interface (fake ip address)
/sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your forwarding rules here
2.6f. Gateway
All machines on network 10.10.2.0 must have 10.10.2.1 as gateway. If they don't, it will not work.
3. Starting it up
Manually run the commands added to rc.local on each machine.
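Before starting ciped on each end, it pays to check that an options file and its counterpart on the peer describe the same link from opposite sides (the me/peer and ipaddr/ptpaddr values are easy to leave unswapped when copying a file from one machine to the other) and that nobody but root can read the key. The script below is an added example, not part of this HOWTO or of the cipe distribution; it assumes the "option value" file format shown above and a 128-bit key written as 32 hex digits, and every address, port and key value in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of this HOWTO or of cipe: generate a key and check
# that the two options files of one cipe link mirror each other before ciped
# is started. Assumes the "option value" format shown above and a 128-bit key
# written as 32 hex digits; every address, port and key below is constructed.

# gen_key -> 32 random hex digits (128 bits) read from the kernel RNG
gen_key() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# opt FILE NAME -> value of option NAME in FILE (empty if absent)
opt() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# readable_by_others FILE -> true if the group or world read bit is set
readable_by_others() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# check_pair FILE_X FILE_Y -> 0 if both ends agree, 1 with the reasons printed
check_pair() {
    rc=0
    [ "$(opt "$1" ipaddr)" = "$(opt "$2" ptpaddr)" ] || { echo "ipaddr($1) != ptpaddr($2)"; rc=1; }
    [ "$(opt "$2" ipaddr)" = "$(opt "$1" ptpaddr)" ] || { echo "ipaddr($2) != ptpaddr($1)"; rc=1; }
    [ "$(opt "$1" me)" = "$(opt "$2" peer)" ] || { echo "me($1) != peer($2)"; rc=1; }
    [ "$(opt "$2" me)" = "$(opt "$1" peer)" ] || { echo "me($2) != peer($1)"; rc=1; }
    k=$(opt "$1" key)
    [ -n "$k" ] && [ "$k" = "$(opt "$2" key)" ] || { echo "key missing or differs"; rc=1; }
    for f in "$1" "$2"; do
        if readable_by_others "$f"; then echo "$f is readable by other users"; rc=1; fi
    done
    return $rc
}

# Constructed sample: A's options for the link to B, and B's for the link to A.
TMP=$(mktemp -d); umask 077
KEY=$(gen_key)
printf 'device cip3b0\nptpaddr 10.10.2.1\nipaddr 10.10.1.1\n' > "$TMP/A.options.machineB"
printf 'me 192.0.2.1:9001\npeer 192.0.2.2:9001\nkey %s\n' "$KEY" >> "$TMP/A.options.machineB"
printf 'device cip3b0\nptpaddr 10.10.1.1\nipaddr 10.10.2.1\n' > "$TMP/B.options.machineA"
printf 'me 192.0.2.2:9001\npeer 192.0.2.1:9001\nkey %s\n' "$KEY" >> "$TMP/B.options.machineA"
# B's file with "me" and "peer" copied unchanged from A's file: an easy slip.
sed 's/^me .*/me 192.0.2.1:9001/; s/^peer .*/peer 192.0.2.2:9001/' \
    "$TMP/B.options.machineA" > "$TMP/B.bad"

check_pair "$TMP/A.options.machineB" "$TMP/B.options.machineA" && echo "A<->B: consistent"
check_pair "$TMP/A.options.machineB" "$TMP/B.bad" || echo "A<->B (bad copy): rejected"
```

Run it against the real /etc/cipe/options.* files from both machines (copy the peer's file over a trusted channel) and fix every reported mismatch before running the rc.local commands.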
4. Connecting to the WAN
At this point your WAN should be connected. Try pinging machines on the other networks. The next step is to get your networks to see each other and access each other using SAMBA browsing. A few hints: an lmhosts file or a WINS server is required, and trusted domains for NT. I have set these up, but that is not the purpose of this document (at least not for now).
5. References
5.1. Web Sites
Cipe Home Page
http://sites.inka.de/~bigred/devel/cipe.html
Masq Home Page
http://ipmasq.home.ml.org
Samba Home Page
http://samba.anu.edu.au
Linux HQ
http://www.linuxhq.com (great site for lots of Linux info)
5.2. Documentation
cipe.info: info file included with cipe distribution
Firewall HOWTO, by Mark Grennan <markg@netplus.net>
IP Masquerade mini-HOWTO, by Ambrose Au <ambrose@writeme.com>