Subject: Re: Cipe and advanced routing
From: errzyy3i,AT,umail,DOT,furryterror,DOT,org (Zygo Blaxell)
Date: Mon, 19 Feb 2001 01:58:36 +0100
In article <qww3ddfllln.fsf,AT,decibel,DOT,fi,DOT,muni,DOT,cz>, Petr Konecny <pekon,AT,informatics,DOT,muni,DOT,cz> wrote:

> I have a laptop that has a permanent address A in network N. There is no
> firewall between N and the Internet.
>
> I would like most traffic between the laptop and network A to go through
> CIPE tunnel. I have access to a computer G on network N, that can be
> used as a proxy/gateway/router.

OK, so the laptop has an address A on N, but is not physically connected directly to N? This is important. ;-)

> So far I have done this:
>
> there is a cipe tunnel between laptop and G, local address (ipaddr) of
> the tunnel on laptop is its address A in network N, remote (ptpaddr) is
> 192.168.253.1.
>
> G works as an ARP proxy for address A on interface connected to N, it
> does IP forwarding.
>
> Laptop uses 192.168.253.1 as a gateway for network N, except for
> computer G, which uses laptop's default gateway. Both computers use
> Linux 2.4.1-ac14 and cipe 1.4.5 with blowfish.

Good so far...

> This works fine, but of course there are some glitches:
> 1. the traffic that goes directly to G is not sent through the tunnel

Put this line in /etc/hosts on the laptop:

    192.168.253.1 G

This means that your laptop will use CIPE when you try to 'telnet G' or 'ping G' or 'w3m http://G/...'.

Also make sure your /etc/nsswitch.conf lists "files" before "dns" for "hosts." You probably want to remove any nisplus or compat entries too, but that is not required.

> 2. it encrypts everything
> I do not want ssh connections to use CIPE and to encrypt the
> communication to G, i.e. the only packets going to G over the Internet
> should be UDP packets of CIPE and SSH connections.

Put these lines in /etc/ssh/ssh_config on the laptop:

    Host G
    HostName G1.G2.G3.G4

where "G1.G2.G3.G4" is the IP address of G's network interface attached physically to N, or the CIPE peer IP address (which should be the same thing).

This effectively undoes the line in /etc/hosts above, but only for the 'ssh' application.

I don't know why you want to keep ssh out of CIPE, though... I prefer to run my ssh connections over my CIPE tunnels wherever both are available. Why allow any extra opportunity for traffic analysis? Also, you can always get an ssh connection outside of CIPE by ssh-ing directly to the CIPE peer IP address instead of its host name, in case you need to debug the CIPE connection or something.

> I tried to use policy routing to do it. I marked all SSH and CIPE
> generated UDP packets with fwmark in the OUTPUT chain of the table
> mangle, created routing rule that matched the mark and set gateway for
> these packets to laptop's default gateway. Then I set route for network
> N to 192.168.253.1. All this to get: cipcb1: looped route

By the time the OUTPUT chain sees these packets, the routing decision is already made, and it's too late to change it. You need to use iptables and find an earlier step in the routing process to mark the packets, then use multiple routing tables. AFAIK this requires the very newest kernel 2.4.x IP routing tools; I once had to do a similar thing with kernel 2.2.x and found that it was impossible without kernel patches.

I've never done this myself (Linux 2.4.x is about 10 revisions too early to be usable for me) so I can't provide details, but I do recall reading that 2.4.x has several new ip routing table controls above and beyond the INPUT, OUTPUT, and FORWARD chains.

> Is there any way to get this to work ?

Yeah, stop trying to do it at the IP routing level and do it at the application level instead. ;-)

DNS hacking (i.e. using an /etc/hosts with a "private" view of the IP namespace) works very well for me. I actually extend this to use subdomains, where a mobile machine searches "machine-name.example.com" prior to "example.com" in the DNS, to get the tunneled IP addresses instead of the untunneled ones when using short machine names.
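An added example, not part of the post above: offline checks for the "private name view" setup the reply describes (hosts-file entry for G, "files" before "dns" in nsswitch.conf, and the ssh_config HostName override). File contents are passed in as strings so nothing touches the live system; the address 10.0.0.2 is a constructed stand-in for G1.G2.G3.G4.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the
# "private name view" setup (hosts file + nsswitch order + ssh_config
# override). File contents are passed in as strings; addresses other than
# 192.168.253.1 are constructed placeholders.

# 1. nsswitch.conf: "files" must come before "dns" on the hosts: line.
nsswitch_files_first() {
    printf '%s\n' "$1" | awk '
        /^hosts:/ { for (i = 2; i <= NF; i++) { if ($i == "files") f = i; if ($i == "dns") d = i }; exit }
        END { exit !(f && (!d || f < d)) }'
}

# 2. hosts file: first address whose alias list contains the name.
hosts_lookup() {  # $1 = file contents, $2 = name
    printf '%s\n' "$1" | awk -v n="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# 3. ssh_config: HostName set in the "Host <alias>" block, else the alias
#    itself (single-pattern Host lines only; enough for this setup).
ssh_hostname() {  # $1 = file contents, $2 = alias
    r=$(printf '%s\n' "$1" | awk -v h="$2" '
        tolower($1) == "host" { m = ($2 == h); next }
        m && tolower($1) == "hostname" { print $2; exit }')
    printf '%s\n' "${r:-$2}"
}

# Constructed configuration mirroring the post: G resolves to the tunnel
# end for every application, while ssh is pointed at G's physical address
# (10.0.0.2 stands in for G1.G2.G3.G4).
NSSWITCH='hosts: files dns'
HOSTS='# private view of N, seen only by this laptop
192.168.253.1 G'
SSH_CONFIG='Host G
    HostName 10.0.0.2'

# Prints "ok" when ordinary traffic to G takes the tunnel and ssh bypasses it.
check_split_view() {
    nsswitch_files_first "$NSSWITCH" || return 1
    [ "$(hosts_lookup "$HOSTS" G)" = 192.168.253.1 ] || return 1
    [ "$(ssh_hostname "$SSH_CONFIG" G)" != 192.168.253.1 ] || return 1
    echo ok
}

check_split_view
```

Swap the constructed strings for the real files (e.g. `HOSTS=$(cat /etc/hosts)`) to check an actual laptop; the nsswitch check is what catches the case where a stale DNS answer for G silently sends traffic around the tunnel.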