
Subject: Masquerading Cipe and Internet Access between 2 systems
From: Bruce Sackett <bruce,AT,oec-sys,DOT,com>
Date: Thu, 22 Mar 2001 19:08:55 +0100

I have set up Cipe using the Redhat 7.0 rpm on 2 linux machines.  My
goal is to have both these machines able to run the cipe connection
between them, as well as masquerading internet access for their
respective offices.  I have tried using the HOWTO scripts, and have
tried the extremely basic ipchains setup shown below.  I am really
confused.  The package is obviously working great, but I am not
understanding the routing and masquerading required to make it do what
I am wanting it to do.

Any advice would be greatly appreciated.  Thank you in advance.

Bruce
bruce,AT,oec-sys,DOT,com

****************************  COMMON FILES  *************************************

****************************  IP-UP SCRIPT  *************************************

#!/bin/sh
# ip-up <interface> <myaddr> <daemon-pid> <local> <remote> <arg>

# Sample of the ip-up script.
# This is called when the CIPE interface is opened.
# Arguments:
#  $1 interface     the CIPE interface
#  $2 myaddr        our UDP address
#  $3 daemon-pid    the daemon's process ID
#  $4 local         IP address of our CIPE device
#  $5 remote        IP address of the remote CIPE device
#  $6 arg           argument supplied via options

# Purposes for this script: set up routes, set up proxy-arps, etc.
# start daemons, logging...

umask 022
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# If this becomes our default route...
#route add default gw $5

# just a logging example
now=`date "+%b %d %T"`
echo "$now UP   $*" >> /var/log/cipe.log

# many systems like these pid files
echo $3 > /var/run/$1.pid

# Trigger the key exchange procedure, useful when we're using SOCKS
# This _must_ run delayed and in the background
#(sleep 10; ping -c5 $5) &

# If the system runs gated, tell it what has happened
#gdc interface

# The following are just ideas for further consideration

# Interconnect two 10. subnets through the Internet!
# Assuming $4 is in 10.1 and $5 in 10.2
#route add -net 10.2.0.0 netmask 255.255.0.0 gw $5

# Proxy-ARP the peer's address on eth0
#arp -i eth0 -Ds $5 eth0 pub

# Evil tricks department: masquerade the CIPE peer's /24 network to our IP
#NA=`expr $5 : '\([0-9]*\.[0-9]*\.[0-9]*\.\)'`
#ipfwadm -F -a accept -m -b -S $NA.0/24 -D 0.0.0.0/0
# the usual way for this would be a case selection on $5 or $6, however

# execute anything local
[ -x /etc/cipe/ip-up.local ] && /etc/cipe/ip-up.local $*

exit 0

*****************************  MACHINE "A"  *************************************

Adding route like:

route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.253

My CURRENT ipchains -L

Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.1.0/24       192.168.2.0/24        n/a
umasq      all  ------  192.168.1.0/24       anywhere              n/a
Chain output (policy ACCEPT):
Chain umasq (1 references):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.1.0/24       anywhere              n/a

****************************   /ETC/SYSCONFIG/CIPE   *****************************

# DEVICE specifies the _real_ network interface used for
# encrypted transmissions.  Usually this is something like
# 'eth0', 'ppp0' or 'ippp0'.
DEVICE=eth0

# PORT specifies which UDP port is used by CIPE process
# in both endpoints.  Make sure this passes through possible
# firewalls.
PORT=2001

# PEER specifies the _real_ address of the remote CIPE endpoint.
# 0.0.0.0 means it's allocated dynamically (only one end can set it this,
# though).
PEER=AAA.BBB.CCC.DDD

# IPADDR specifies the _virtual_ address for the local end of the
# CIPE tunnel.  Usually it should be an address reserved for local
# networks so that it won't mess up routing to "real" addresses.
IPADDR=192.168.1.253

# PTPADDR specifies the _virtual_ address for the remote end of the
# CIPE tunnel.  Usually it should be an address reserved for local
# networks so that it won't mess up routing to "real" addresses.
PTPADDR=192.168.2.253

#
# CIPE device names (cipcb0) and encryption keys are set in /etc/cipe/options.
#

****************************  MACHINE "B"  *************************************

Adding route like:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.253

****************************   /ETC/SYSCONFIG/CIPE   *****************************

# DEVICE specifies the _real_ network interface used for
# encrypted transmissions.  Usually this is something like
# 'eth0', 'ppp0' or 'ippp0'.
DEVICE=eth0

# PORT specifies which UDP port is used by CIPE process
# in both endpoints.  Make sure this passes through possible
# firewalls.
PORT=2001

# PEER specifies the _real_ address of the remote CIPE endpoint.
# 0.0.0.0 means it's allocated dynamically (only one end can set it this,
# though).
PEER=EEE.FFF.GGG.HHH

# IPADDR specifies the _virtual_ address for the local end of the
# CIPE tunnel.  Usually it should be an address reserved for local
# networks so that it won't mess up routing to "real" addresses.
IPADDR=192.168.2.253

# PTPADDR specifies the _virtual_ address for the remote end of the
# CIPE tunnel.  Usually it should be an address reserved for local
# networks so that it won't mess up routing to "real" addresses.
PTPADDR=192.168.1.253

#
# CIPE device names (cipcb0) and encryption keys are set in /etc/cipe/options.
#
  

Thank you,
 Bruce     
 mailto:bruce,AT,oec-sys,DOT,com
 Office Equipment Company
 http://www.oec-sys.com
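An added example, not part of the post above and not CIPE's own scripts: a small shell helper that generates the ipchains rule set and the tunnel route for one endpoint in the topology Bruce describes (office LAN behind a CIPE box that also masquerades to the Internet). It prints the commands instead of applying them, so the result can be reviewed and then piped to `sh` on the box itself. Two points it makes explicit: ipchains is stateless, so forwarding between the two office LANs has to be accepted in both directions, and the MASQ rule is bound to the real interface (`-i eth0`) so that only traffic leaving for the Internet is rewritten while the peer office still sees real LAN addresses. The function names, the parameter order and the `peer_route` helper are this example's own assumptions; the addresses and port are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the CIPE package).
# Generates ipchains rules for one CIPE endpoint that tunnels its LAN to a
# peer office and masquerades everything else to the Internet.  Commands are
# printed, not executed; review them, then run:  cipe_rules ... | sh
#
# Assumed parameters (this example's own):
#   LAN       local office network, e.g. 192.168.1.0/24
#   PEER_LAN  remote office network, e.g. 192.168.2.0/24
#   WAN_IF    the real Internet-facing interface (DEVICE= in /etc/sysconfig/cipe)
#   PORT      the CIPE UDP port (PORT= in /etc/sysconfig/cipe)

# cipe_rules LAN PEER_LAN WAN_IF PORT
cipe_rules() {
    lan=$1; peer_lan=$2; wan_if=$3; port=$4
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -F forward
ipchains -P forward DENY
ipchains -A input -i $wan_if -p udp -d 0.0.0.0/0 $port -j ACCEPT
ipchains -A forward -s $lan -d $peer_lan -j ACCEPT
ipchains -A forward -s $peer_lan -d $lan -j ACCEPT
ipchains -A forward -i $wan_if -s $lan -j MASQ
EOF
}
# Rule order matters: both LAN-to-LAN ACCEPT rules come before the MASQ rule,
# and MASQ is limited to packets leaving via the real interface, so tunnel
# traffic keeps its private source address.

# peer_route PEER_NET NETMASK PTPADDR
# Static route to the peer office via the tunnel; candidate for ip-up.local.
peer_route() {
    echo "route add -net $1 netmask $2 gw $3"
}

# Stand-alone use: print the rule set for machine "A" from the post.
if [ "$#" -eq 4 ]; then
    cipe_rules "$@"
elif [ "$#" -eq 0 ] && [ "${CIPE_EXAMPLE_DEMO:-}" = 1 ]; then
    cipe_rules 192.168.1.0/24 192.168.2.0/24 eth0 2001
    peer_route 192.168.2.0 255.255.255.0 192.168.2.253
fi
```

Machine "B" gets the mirror image (`cipe_rules 192.168.2.0/24 192.168.1.0/24 eth0 2001` and `peer_route 192.168.1.0 255.255.255.0 192.168.1.253`). Keeping the forward policy at DENY and the input rule narrowed to the CIPE UDP port on the real interface is what limits the exposure of each box to what the tunnel actually needs.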
