Next Previous Contents

2. Firewall Configuration

This howto assumes you already configured your kernel to support IP masquerade. See references below for information on configuring your kernel for a linux firewall.

2.1 VPN Network Diagram

This setup uses a star/hub configuration. It will set up a cipe connection from Machine A to Machine B and another from Machine A to Machine C.



                   Machine A 
                eth0: 192.168.1.1 
                eth1: real ip 1 
               /               \ 
              /                 \ 
     Machine B                  Machine C 
   eth0: 192.168.2.1           eth0:192.168.3.1 
   eth1: real ip 2             eth1: real ip 3 

2.2 A little reference



eth0 is the local network (fake address) 
eth1 is the internet address (real address) 

Port A is any valid port you would like to choose 
Port B is any other valid port you would like to choose 

Key A is any valid key you would like to choose  (read cipe doc for info) 
Key B is any valid key you would like to choose 

2.3 Additional notes about scripts and the VPN

The ip-up scripts currently only allow class c traffic through the cipe interface. If you wish for machine B to communicate with Machine C then you will need to change the appropriate ip-up and ip-down scripts. Specifically, you need to change the ptpaddr and myaddr netmasks. There are two ip-up scripts, one for ipchains and one for ipfwadm. Same with the ip-down scripts. Change the appropriate incoming, outgoing, and forwarding cipe interface firewall rules netmask from /24 to /16. Any cipe firewall rule changes you make in ip-up for ipfwadm, make sure the ip-down script reflects the change so it will be properly removed from the list when the interface goes down. For the ipchains file, anything added in a chain does not need ip-down reflection since ip-down will flush all the rules in the user defined chain.

You will also need to uncomment the network route in the rc.cipe for Machine B and C that adds each others network to their route table.


Next Previous Contents

Hosting by: Hurra Communications Ltd.
Generated: 2007-01-26 17:58:17