RE: A few questions
Fri, 28 Dec 2001 17:23:18 +0100
> > > 2. Can CIPE be bound to 1 and only 1 device?
> > I don't know for sure but I don't think so. Since CIPE transports
> > its data using UDP, it simply uses the OS's routing features to route
> > packets. So, if you want that to happen, you will have to do that
> > outside of CIPE (using iproute2 software and/or ipchains/iptables??)
> Scott, do you have example iptables commands that do this? I'm still
> learning firewall chains and I can't seem to get packets to pass through
> the cipe interface. Everything is up and running.
Remember that CIPE data passes through your firewall rules twice: first the
encrypted UDP transport packet arrives through your connection to the
internet, and second, the unencrypted data appears at the cipcb0 interface.
So, you need rules to allow the UDP packets to come from the internet and
you need to allow as much as you want via the CIPE interface.
Here are some isolated examples that might help. They assume eth0 is your
internet connection, eth1 is the LAN, this machine is host1.example.com, the
other side is host2.example.com, and we are using port 7777 to transport the
CIPE data. You will need a lot more rules than this to make a firewall.
# Pass 1: the encrypted UDP carrier arriving on the internet interface.
# Ports go in --sport/--dport; "-d host 7777" is not valid iptables syntax.
iptables -A INPUT -i eth0 -p udp -s host2.example.com --sport 7777 -d host1.example.com --dport 7777 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d host1.example.com --dport 7777 -j DROP
# Pass 2: the decrypted packets reappearing on the CIPE interface.
iptables -A INPUT -i cipcb0 -j ACCEPT
iptables -A FORWARD -i cipcb0 -o eth1 -j ACCEPT
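A fuller version of the two-pass rule set described above, written here as an added example; it is not part of the original mail or of CIPE's own scripts. It keeps the same layout (eth0 internet, eth1 LAN, cipcb0 the CIPE interface, UDP port 7777) and adds constructed addresses: 192.0.2.2 for the peer's internet address, 10.0.0.2 for the peer's tunnel address, 10.0.1.0/24 for the local LAN and 10.0.2.0/24 for the LAN behind the peer. The `IPT` variable and the `cipe_rules` function are this example's own names; the OUTPUT rule, the cipcb0 source filter and the return FORWARD rule go beyond the four rules in the mail.

```shell
#!/bin/sh
# Added example of a CIPE firewall fragment (not from the original mail).
# Assumed, constructed values: interfaces, port and all addresses below.
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of loading them

WAN_IF=eth0              # internet connection
LAN_IF=eth1              # local LAN
CIPE_IF=cipcb0           # CIPE interface (decrypted traffic appears here)
CIPE_PORT=7777           # UDP port carrying the encrypted CIPE packets
PEER_IP=192.0.2.2        # other side's internet address (documentation range)
PEER_TUN=10.0.0.2        # other side's tunnel (point-to-point) address
LOCAL_LAN=10.0.1.0/24    # network behind this host
REMOTE_LAN=10.0.2.0/24   # network behind the peer

cipe_rules() {
    # Pass 1: the encrypted UDP carrier on the internet interface.
    # Only the peer, from its CIPE port, may reach our CIPE port; anything
    # else aimed at that port is dropped before it reaches the CIPE daemon.
    # CIPE uses the same UDP socket for data and key exchange, so the
    # outbound direction on that port is needed as well.
    $IPT -A INPUT  -i "$WAN_IF" -p udp -s "$PEER_IP" --sport "$CIPE_PORT" --dport "$CIPE_PORT" -j ACCEPT
    $IPT -A INPUT  -i "$WAN_IF" -p udp --dport "$CIPE_PORT" -j DROP
    $IPT -A OUTPUT -o "$WAN_IF" -p udp -d "$PEER_IP" --sport "$CIPE_PORT" --dport "$CIPE_PORT" -j ACCEPT

    # Pass 2: the decrypted packets reappear on cipcb0 with their original
    # source addresses. Accept only what should come out of this tunnel
    # (the peer's tunnel address and the LAN behind it) and forward it only
    # between that LAN and ours, in both directions.
    $IPT -A INPUT   -i "$CIPE_IF" -s "$PEER_TUN"   -j ACCEPT
    $IPT -A INPUT   -i "$CIPE_IF" -s "$REMOTE_LAN" -j ACCEPT
    $IPT -A INPUT   -i "$CIPE_IF" -j DROP
    $IPT -A FORWARD -i "$CIPE_IF" -o "$LAN_IF"  -s "$REMOTE_LAN" -d "$LOCAL_LAN"  -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF"  -o "$CIPE_IF" -s "$LOCAL_LAN"  -d "$REMOTE_LAN" -j ACCEPT
}

# "apply" loads the rules (needs root); anything else just prints them.
case "${1:-show}" in
    apply) cipe_rules ;;
    *)     IPT=echo; cipe_rules ;;
esac
```

Run it without arguments to see the rules it would load, and with `apply` as root to load them. The second-pass filter matters because the peer decides what source addresses it sends through the tunnel; without it a compromised peer could inject packets with any source address onto the LAN.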