

   The Linux Cipe+Masquerading mini-HOWTO
   Anthony Ciaravalo, acj@home.com
   v0.4, 28 October 1998

   1. Introduction
   
   This is the Linux Cipe+Masquerading mini-HOWTO. It describes how to use
   cipe together with a Linux masquerading firewall to build a Virtual
   Private Network between your local area network (LAN) and other LANs.
   
   1.1. Copyright
   
   (C)opyright 1998 Anthony Ciaravalo, acj@home.com
   
   Unless otherwise stated, Linux HOWTO documents are copyrighted by their
   respective authors. Linux HOWTO documents may be reproduced and
   distributed in whole or in part, in any medium physical or electronic,
   as long as this copyright notice is retained on all copies. Commercial
   redistribution is allowed and encouraged; however, the author would
   like to be notified of any such distributions.
   
   All translations, derivative works, or aggregate works incorporating
   any Linux HOWTO documents must be covered under this copyright notice.
   That is, you may not produce a derivative work from a HOWTO and impose
   additional restrictions on its distribution. Exceptions to these rules
   may be granted under certain conditions; please contact the Linux HOWTO
   coordinator for details.
   
   If you have questions, please contact the Linux HOWTO coordinator, Greg
   Hankins. You may finger that account for a phone number and postal
   address.
   
   1.2. Disclaimer
   
   Use any of the examples or information in this document at your own
   risk. Connecting to the Internet raises many security issues. Even if
   your traffic is encrypted, an incorrect firewall configuration will
   leave your network vulnerable. A cipe connection therefore needs to be
   set up with particular care; even so, nothing is 100% secure. The
   author does not guarantee that the information given in this document
   also constitutes a secure configuration.
   
   1.3. Feedback
   
   If you have questions, suggestions, corrections or comments, please
   email me at acj@home.net.
   
   1.4. Latest version
   
   New versions will be posted to the cipe mailing list, emailed to the
   Linux HOWTO coordinator, and archived with the Linux HOWTOs.
   
   1.5. Getting the file
   
   This document was written for cipe version 1.0.0. You can get it from
   [1]http://sites.inka.de/~bigred/sw/cipe-1.0.0.tar.gz.
   
   2. Setup
   
   2.1. Firewall setup
   
   This document assumes that your kernel has been configured with IP
   masquerade support and that you already have a working firewall. It
   does not describe how to set up a masquerading firewall, only the
   rules you need for cipe to work correctly behind one. See the documents
   listed in the references for how to set up a Linux IP masquerade
   firewall.
   
   2.2. The Star/Hub setup
   
   This setup uses a star/hub layout, so if machine A goes down, machines
   B and C can no longer reach each other. You could address that by
   adding a cipe connection between machines B and C, but as the number of
   connections grows, so does the maintenance. This document covers only
   the star/hub setup shown below.
   

                         Machine A
                         eth0: 10.10.1.1
                         eth1: real ip 1
                      /                   \
                     /                     \
               Machine B                 Machine C
               eth0: 10.10.2.1           eth0:10.10.3.1
               eth1: real ip 2           eth1: real ip 3

   2.3. Key to the diagram
   
   eth0 is the local network (fake address)
   eth1 is the internet address (real address)
   
   Port A is a port of your choosing
   Port B is another port of your choosing
   
   Key A is a key of your choosing (see the cipe documentation for details)
   Key B is another key of your choosing
   
   2.4. Machine A setup
   
   2.4a. /etc/cipe/ip-up
   

   #!/bin/sh
   #a trimmed down version of the sample ip-up that comes with the
   #distribution
   umask 022
   PATH=/sbin:/bin:/usr/sbin:/usr/bin
   echo "UP $*" >> /tmp/cipe
   echo $3 > /var/run/$1.pid
   #routes are set up in a separate file, described below

   2.4b. /etc/cipe/options.machineB
   

   # device name
   device          cip3b0
   # the peers internal (fake) ip address
   ptpaddr         10.10.2.1
   # my cipe (fake) ip address
   ipaddr          10.10.1.1
   # my real ip address and cipe port
   me              (real ip 1):(port A)
   # the peers ip address and cipe port
   peer            (real ip 2):(port A)
   # 128-bit encryption key; choose your own
   key             (Key A)

   2.4c. /etc/cipe/options.machineC
   

   # device name
   device          cip3b1
   # the peers internal (fake) ip address
   ptpaddr         10.10.3.1
   # my cipe (fake) ip address
   ipaddr          10.10.1.1
   # my real ip address and cipe port
   me              (real ip 1):(port B)
   # the peers ip address and cipe port
   peer            (real ip 3):(port B)
   # 128-bit encryption key; choose your own
   key             (Key B)

   2.4d. /etc/cipe/setroute
   

   #!/bin/sh
   #routing table setup script
   #routes to Machine B
   /sbin/route add -host 10.10.2.1 dev cip3b0
   /sbin/route add -net 10.10.2.0 netmask 255.255.255.0 gw 10.10.2.1
   #routes to Machine C
   /sbin/route add -host 10.10.3.1 dev cip3b1
   /sbin/route add -net 10.10.3.0 netmask 255.255.255.0 gw 10.10.3.1

   2.4e. /etc/rc.d/rc.local
   

   echo Configuring VPN network
   /usr/local/sbin/ciped -o /etc/cipe/options.machineB
   /usr/local/sbin/ciped -o /etc/cipe/options.machineC
   /etc/cipe/setroute

   2.4f. Firewall Rules
   

   #flush all incoming firewall rules and set default policy to deny
   /sbin/ipfwadm -I -f
   /sbin/ipfwadm -I -p deny
   #allow all incoming packets to your network via the cipe links
   /sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   /sbin/ipfwadm -I -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your incoming rules here

   #flush all outgoing firewall rules and set default policy to deny
   /sbin/ipfwadm -O -f
   /sbin/ipfwadm -O -p deny
   #allow all outgoing packets to the other networks via the cipe links
   /sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   /sbin/ipfwadm -O -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your outgoing rules here

   #flush all forwarding firewall rules and set default policy to deny
   /sbin/ipfwadm -F -f
   /sbin/ipfwadm -F -p deny
   #allow packets to be forwarded to the other networks via the cipe links
   /sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   /sbin/ipfwadm -F -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
   #allow forwarding from the real ip of this machine to the real ip
   #addresses of the other machines
   /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 2)
   /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 3)
   #allow packets to be forwarded to the other networks via the local
   #interface (fake ip address)
   /sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your forwarding rules here
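   To see what these chains admit and refuse, here is an added example (not
   from the HOWTO) that models ipfwadm's first-match evaluation over a
   constructed copy of Machine A's incoming and forwarding rules, with
   192.0.2.1/.2/.3 standing in for (real ip 1)/(real ip 2)/(real ip 3). It
   shows why binding each accept rule to a cipe device with -W matters: a
   packet carrying a 10.10.x.x source that arrives on eth1 instead of a cipe
   device falls through to the default deny.

```python
import ipaddress

# Constructed rule set (not from the HOWTO) mirroring Machine A's -I and -F
# rules; 192.0.2.1/.2/.3 are placeholders for the three real addresses.
RULES = """\
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p deny
/sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
/sbin/ipfwadm -I -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
/sbin/ipfwadm -F -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
/sbin/ipfwadm -F -a accept -W eth1 -S 192.0.2.1 -D 192.0.2.2
/sbin/ipfwadm -F -a accept -W eth1 -S 192.0.2.1 -D 192.0.2.3
/sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
"""

def parse_rules(text):
    """Return {chain: (default_policy, [(iface, src_net, dst_net, action)])}."""
    chains = {}
    for line in text.splitlines():
        argv = line.split()
        if len(argv) < 3 or not argv[0].endswith("ipfwadm"):
            continue
        policy, rules = chains.get(argv[1], ("accept", []))  # argv[1]: -I/-O/-F
        if argv[2] == "-f":            # flush the chain
            rules = []
        elif argv[2] == "-p":          # -p <policy>: used when nothing matches
            policy = argv[3]
        elif argv[2] == "-a":          # -a <action> -W <iface> -S <net> -D <net>
            opt = dict(zip(argv[4::2], argv[5::2]))
            rules = rules + [(opt["-W"],
                              ipaddress.ip_network(opt["-S"], strict=False),
                              ipaddress.ip_network(opt["-D"], strict=False),
                              argv[3])]
        chains[argv[1]] = (policy, rules)
    return chains

def verdict(chains, chain, iface, src, dst):
    """First rule matching interface, source and destination decides;
    a packet matching none falls through to the chain's default policy."""
    policy, rules = chains[chain]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_iface, r_src, r_dst, action in rules:
        if iface == r_iface and s in r_src and d in r_dst:
            return action
    return policy
```

   With only these rules, the encapsulated cipe UDP packets arriving on eth1
   from (real ip 2) are also refused by the -I chain, so whatever admits
   cipe's UDP port belongs under "add rest of your incoming rules here".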

   2.4g. Gateway
   
   All machines on the 10.10.1.0 network must use 10.10.1.1 as their
   gateway; if they are not configured this way, the setup will not work.
   
   2.5. Machine B setup
   
   2.5a. /etc/cipe/ip-up
   

   #!/bin/sh
   #a trimmed down version of the sample ip-up that comes with the
   #distribution
   umask 022
   PATH=/sbin:/bin:/usr/sbin:/usr/bin
   echo "UP $*" >> /tmp/cipe
   echo $3 > /var/run/$1.pid
   #routes are set up in a separate file, described below

   2.5b. /etc/cipe/options.machineA
   

   # device name
   device          cip3b0
   # the peers internal (fake) ip address
   ptpaddr         10.10.1.1
   # my cipe (fake) ip address
   ipaddr          10.10.2.1
   # my real ip address and cipe port
   me              (real ip 2):(port A)
   # the peers ip address and cipe port
   peer            (real ip 1):(port A)
   # 128-bit encryption key; choose your own (must match Machine A's Key A)
   key             (Key A)

   2.5c. /etc/cipe/setroute
   

   #!/bin/sh
   #routing table setup script
   #routes to Machine A
   /sbin/route add -host 10.10.1.1 dev cip3b0
   /sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1

   2.5d. /etc/rc.d/rc.local
   

   echo Configuring VPN network
   /usr/local/sbin/ciped -o /etc/cipe/options.machineA
   /etc/cipe/setroute

   2.5e. Firewall Rules
   
   (see the notes in 2.4f for the following)
   
   #flush all incoming firewall rules and set default policy to deny
   /sbin/ipfwadm -I -f
   /sbin/ipfwadm -I -p deny
   #allow incoming packets to your network via the cipe link
   /sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your incoming rules here

   #flush all outgoing firewall rules and set default policy to deny
   /sbin/ipfwadm -O -f
   /sbin/ipfwadm -O -p deny
   #allow outgoing packets to your network via the cipe link
   /sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your outgoing rules here

   #flush all forwarding firewall rules and set default policy to deny
   /sbin/ipfwadm -F -f
   /sbin/ipfwadm -F -p deny
   #allow packets to be forwarded to the other networks via the cipe links
   /sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #allow forwarding from real ip of this machine to the real ip address
   #of the other machines
   /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 2) -D (real ip 1)
   #allow packets to be forwarded to the other networks via the local
   #interface (fake ip address)
   /sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your forwarding rules here

   2.5f. Gateway
   
   All machines on the 10.10.2.0 network must use 10.10.2.1 as their
   gateway; if they are not configured this way, the setup will not work.
   
   2.6. Machine C setup
   
   2.6a. /etc/cipe/ip-up
   

   #!/bin/sh
   #a trimmed down version of the sample ip-up that comes with the
   #distribution
   umask 022
   PATH=/sbin:/bin:/usr/sbin:/usr/bin
   echo "UP $*" >> /tmp/cipe
   echo $3 > /var/run/$1.pid
   #routes are set up in a separate file, described below

   2.6b. /etc/cipe/options.machineA
   

   # device name
   device          cip3b0
   # the peers internal (fake) ip address
   ptpaddr         10.10.1.1
   # my cipe (fake) ip address
   ipaddr          10.10.3.1
   # my real ip address and cipe port
   me              (real ip 3):(port B)
   # the peers ip address and cipe port
   peer            (real ip 1):(port B)
   # 128-bit encryption key; choose your own (must match Machine A's Key B)
   key             (Key B)

   2.6c. /etc/cipe/setroute
   

   #!/bin/sh
   #routing table setup script
   #routes to Machine A
   /sbin/route add -host 10.10.1.1 dev cip3b0
   /sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1

   2.6d. /etc/rc.d/rc.local
   

   echo Configuring VPN network
   /usr/local/sbin/ciped -o /etc/cipe/options.machineA
   /etc/cipe/setroute

   2.6e. Firewall Rules
   
   (see the notes in 2.4f for the following)
   

   #flush all incoming firewall rules and set default policy to deny
   /sbin/ipfwadm -I -f
   /sbin/ipfwadm -I -p deny
   #allow incoming packets to your network via the cipe link
   /sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your incoming rules here

   #flush all outgoing firewall rules and set default policy to deny
   /sbin/ipfwadm -O -f
   /sbin/ipfwadm -O -p deny
   #allow outgoing packets to your network via the cipe link
   /sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your outgoing rules here

   #flush all forwarding firewall rules and set default policy to deny
   /sbin/ipfwadm -F -f
   /sbin/ipfwadm -F -p deny
   #allow packets to be forwarded to the other networks via the cipe links
   /sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #allow forwarding from real ip of this machine to the real ip address
   #of the other machine
   /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 3) -D (real ip 1)
   #allow packets to be forwarded to the other networks via the local
   #interface (fake ip address)
   /sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your forwarding rules here

   2.6f. Gateway
   
   All machines on the 10.10.3.0 network must use 10.10.3.1 as their
   gateway; if they are not configured this way, the setup will not work.
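   The option files of the three machines have to mirror one another: one
   end's me and ipaddr are the other end's peer and ptpaddr, with the same
   port and key on both. The following is an added example (not part of the
   HOWTO) that generates every file for the star/hub layout above from one
   description and checks each hub/spoke pair for that symmetry; REAL_IP_n,
   PORT_n and KEY_n are placeholders for the values you choose.

```python
from dataclasses import dataclass

# Added example, not the HOWTO's code: the topology is described once and the
# per-machine /etc/cipe/options.* files are derived from it.
@dataclass(frozen=True)
class Node:
    name: str      # machine letter, e.g. "A"
    fake_ip: str   # cipe / eth0 address, e.g. "10.10.1.1"
    real_ip: str   # eth1 address (placeholder in the test data)

@dataclass(frozen=True)
class Link:
    hub_dev: str   # cipe device used on the hub, e.g. "cip3b0"
    spoke: Node
    port: str      # cipe UDP port shared by both ends (placeholder)
    key: str       # shared 128-bit key (placeholder, never a real one)

def options_file(me, peer, device, port, key):
    """Render one /etc/cipe/options.* file in the layout the HOWTO uses."""
    return "".join(f"{k:<16}{v}\n" for k, v in [
        ("device", device), ("ptpaddr", peer.fake_ip), ("ipaddr", me.fake_ip),
        ("me", f"{me.real_ip}:{port}"), ("peer", f"{peer.real_ip}:{port}"),
        ("key", key)])

def parse_options(text):
    """Turn an options file back into {keyword: value}."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def star_hub(hub, links):
    """Return {'<machine>/options.machine<peer>': contents} for both ends of
    every hub-spoke link; each spoke talks to the hub on its own cip3b0."""
    files = {}
    for link in links:
        files[f"{hub.name}/options.machine{link.spoke.name}"] = options_file(
            hub, link.spoke, link.hub_dev, link.port, link.key)
        files[f"{link.spoke.name}/options.machine{hub.name}"] = options_file(
            link.spoke, hub, "cip3b0", link.port, link.key)
    return files

def mirrored(side_a, side_b):
    """True when each end's me/ipaddr equals the other end's peer/ptpaddr and
    both share the key: the check that catches a file copied from the other
    machine with me and peer left unswapped."""
    a, b = parse_options(side_a), parse_options(side_b)
    return (a["me"] == b["peer"] and a["peer"] == b["me"]
            and a["ipaddr"] == b["ptpaddr"] and a["ptpaddr"] == b["ipaddr"]
            and a["key"] == b["key"])
```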
   
   3. Startup
   
   On each machine, run the commands added to rc.local by hand.
   
   4. Browsing the WAN
   
   With the setup done, your WAN should now be working. Try pinging the
   other networks. The next step, if you want it, is browsing with SAMBA.
   A few tips: lmhosts and the wins server are important, especially under
   NT. I have had this working, but this document does not cover it.
   
   5. References
   
   5.1. Web pages
   

   Cipe HomePage     [2]http://sites.inka.de/~bigred/devel/cipe.html
   Masq Home Page    [3]http://ipmasq.home.ml.org
   Samba Home Page   [4]http://samba.anu.edu.au
   Linux HQ          [5]http://www.linuxhq.com --- a Linux information site

   5.2. Documents
   
   cipe.info: included in the cipe distribution
   Firewall HOWTO, by Mark Grennan
   IP Masquerade mini-HOWTO, by Ambrose Au
   
   References:
   1. http://sites.inka.de/~bigred/sw/cipe-1.0.0.tar.gz
   2. http://sites.inka.de/~bigred/devel/cipe.html
   3. http://ipmasq.home.ml.org/
   4. http://samba.anu.edu.au/
   5. http://www.linuxhq.com/

