
Subject: Re: Cipe and advanced routing
From: errzyy3i@umail.furryterror.org (Zygo Blaxell)
Date: Mon, 19 Feb 2001 01:58:36 +0100
In-reply-to: <qww3ddfllln.fsf@decibel.fi.muni.cz>

In article <qww3ddfllln.fsf@decibel.fi.muni.cz>,
Petr Konecny <pekon@informatics.muni.cz> wrote:
>I have a laptop that has a permanent address A in network N. There is no
>firewall between N and the Internet.
>
>I would like most traffic between the laptop and network A to go through
>CIPE tunnel. I have access to a computer G on network N, that can be
>used as a proxy/gateway/router.

OK, so the laptop has an address A on N, but is not physically connected
directly to N?  This is important.  ;-)

>So far I have done this:
>
>there is a cipe tunnel between laptop and G, local address (ipaddr) of
>the tunnel on laptop is its address A in network N, remote (ptpaddr) is
>192.168.253.1.
>
>G works as an ARP proxy for address A on interface connected to N, it
>does IP forwarding.
>
>Laptop uses 192.168.253.1 as a gateway for network N, except for
>computer G, which uses laptop's default gateway. Both computers use
>Linux 2.4.1-ac14 and cipe 1.4.5 with blowfish.

Good so far...

>This works fine, but of course there are some glitches:
>1. the traffic that goes directly to G is not sent through the tunnel

Put this line in /etc/hosts on the laptop:

        192.168.253.1  G

This means that your laptop will use CIPE when you try to 'telnet G' or
'ping G' or 'w3m http://G/...'.

Also make sure your /etc/nsswitch.conf lists "files" before "dns" for
"hosts."  You probably want to remove any nisplus or compat entries too,
but that is not required.

>2. it encrypts everything

>I do not want ssh connections to use CIPE and to encrypt the
>communication to G, i.e. the only packets going to G over the Internet
>should be UDP packets of CIPE and SSH connections.

Put these lines in /etc/ssh/ssh_config on the laptop:

        Host G
                HostName G1.G2.G3.G4

where "G1.G2.G3.G4" is the IP address of G's network interface attached
physically to N, or the CIPE peer IP address (which should be the same
thing).  This effectively undoes the line in /etc/hosts above, but only
for the 'ssh' application.

I don't know why you want to keep ssh out of CIPE, though...I prefer to
run my ssh connections over my CIPE tunnels wherever both are available.
Why allow any extra opportunity for traffic analysis?  Also, you can
always get an ssh connection outside of CIPE by ssh-ing directly to the
CIPE peer IP address instead of its host name, in case you need to debug
the CIPE connection or something.

>I tried to use policy routing to do it. I marked all SSH and CIPE
>generated UDP packets with fwmark in the OUTPUT chain of the table
>mangle, created routing rule that matched the mark and set gateway for
>these packets to laptop's default gateway.  Then I set route for network
>N to 192.168.253.1. All this to get: cipcb1: looped route

By the time the OUTPUT chain sees these packets, the routing decision is
already made, and it's too late to change it.  You need to use iptables
and find an earlier step in the routing process to mark the packets,
then use multiple routing tables.  AFAIK this requires the very newest
kernel 2.4.x IP routing tools; I once had to do a similar thing with
kernel 2.2.x and found that it was impossible without kernel patches.

I've never done this myself (Linux 2.4.x is about 10 revisions too
early to be usable for me) so I can't provide details, but I do recall
reading that 2.4.x has several new ip routing table controls above and
beyond the INPUT, OUTPUT, and FORWARD chains.

>Is there any way to get this to work?

Yeah, stop trying to do it at the IP routing level and do it at the
application level instead.  ;-)

DNS hacking (i.e. using an /etc/hosts with a "private" view of the IP
namespace) works very well for me.  I actually extend this to use
subdomains, where a mobile machine searches "machine-name.example.com"
prior to "example.com" in the DNS, to get the tunneled IP addresses
instead of the untunneled ones when using short machine names.
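To make the split between the /etc/hosts view and the ssh_config override concrete, here is an added Python model (not code from the thread) that mimics the lookup order given by the nsswitch.conf "hosts:" line and ssh's Host/HostName handling; the address 10.0.0.4 (standing in for G1.G2.G3.G4) and the DNS table are constructed.

```python
import fnmatch

# Constructed sample configuration for the laptop in the thread; 10.0.0.4 is a
# hypothetical stand-in for G's real interface on N ("G1.G2.G3.G4" above).
HOSTS_FILE = "127.0.0.1 localhost\n192.168.253.1 G  # CIPE peer address of G\n"
NSSWITCH_HOSTS = "files dns"          # the order the reply asks for
SSH_CONFIG = "Host G\n    HostName 10.0.0.4\n"
DNS = {"G": "10.0.0.4"}               # stand-in for what real DNS would answer

def parse_hosts(text):
    """Map each name in an /etc/hosts-style file to its first address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        for name in fields[1:]:
            table.setdefault(name, fields[0])
    return table

def resolve(name, nsswitch=NSSWITCH_HOSTS, hosts=HOSTS_FILE, dns=DNS):
    """Look a name up in the order given by the nsswitch.conf 'hosts:' line."""
    if name.replace(".", "").isdigit():        # dotted-quad literal: no lookup
        return name
    table = parse_hosts(hosts)
    for source in nsswitch.split():
        if source == "files" and name in table:
            return table[name]
        if source == "dns" and name in dns:
            return dns[name]
    return None

def ssh_hostname(host, config=SSH_CONFIG):
    """Return the HostName ssh would use for `host` (first match wins)."""
    in_block, hostname = False, None
    for line in config.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        key = fields[0].lower()
        if key == "host":
            in_block = any(fnmatch.fnmatch(host, p) for p in fields[1:])
        elif key == "hostname" and in_block and hostname is None:
            hostname = fields[1]
    return hostname or host

def app_address(app, host, nsswitch=NSSWITCH_HOSTS):
    # Only ssh consults ssh_config; telnet, ping, w3m go straight to the resolver.
    if app == "ssh":
        host = ssh_hostname(host)
    return resolve(host, nsswitch)
```

With "files dns", telnet and ping reach G through the tunnel while ssh goes to the peer address directly; swapping the order to "dns files" defeats the /etc/hosts trick, which is why the reply insists on it.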


