The Linux Cipe+Masquerading mini-HOWTO
Anthony Ciaravalo, acj@home.com
v0.4, 28 October 1998

1. Introduction

This is the Linux Cipe+Masquerading mini-HOWTO. It explains how to use
cipe, running on a Linux masquerading firewall host, to build a Virtual
Private Network between your local area network (LAN) and other LANs.

1.1. Copyright

(C)opyright 1998 Anthony Ciaravalo, acj@home.com

Unless otherwise stated, Linux HOWTO documents are copyrighted by their
respective authors. Linux HOWTO documents may be reproduced and
distributed, in whole or in part, in any electronic or physical medium,
as long as this copyright notice is retained. Commercial reproduction is
allowed and even encouraged, provided that the original author is
notified.

All works derived from Linux HOWTO documents (including translations,
adaptations, compilations and so on) must carry this copyright notice.
That is, nobody may impose additional restrictions on the distribution
of the document. Exceptions may be granted only under certain specific
conditions; for details, contact the Linux HOWTO coordinator at the
address given below.

If you have any questions, contact the Linux HOWTO coordinator, Greg
Hankins. You can finger that account to obtain a contact phone number
or mailing address.

1.2. Disclaimer

Use the examples and information in this document at your own risk.
Connecting to other networks across the Internet can raise many security
issues. Even when your traffic is encrypted, an incorrect firewall
configuration can still open security holes. You must be especially
careful with cipe connections, and even then 100% security cannot be
guaranteed. The author does not warrant that the information in this
document also provides a secure network environment.

1.3. Feedback

If you have any questions, suggestions, corrections or comments, please
write to acj@home.net.

1.4. Latest version of this document

New versions of this document will be posted to the cipe mailing list,
emailed to the Linux HOWTO coordinator, and filed as a Linux HOWTO.

1.5. Obtaining the software

This document was written for cipe version 1.0.0. You can obtain the
package from [1]http://sites.inka.de/~bigred/sw/cipe-1.0.0.tar.gz.

2. Machine setup

2.1. Firewall setup

This document assumes that your kernel has been configured to support IP
masquerade and that your firewall configuration is already working. It
does not explain how to set up a masquerading firewall; it only presents
example rules showing how to make cipe work behind a masquerading
firewall. The references list where to find out how to set up a Linux
IP masquerade firewall.

2.2. The Star/Hub setup

This setup uses a star/hub topology, so if machine A goes down, machines
B and C can no longer reach each other. You could consider adding a cipe
connection between machines B and C to solve that. Once you start
linking many networks together, things become risky. This document only
presents the star/hub setup.

                    Machine A
                 eth0: 10.10.1.1
                 eth1: real ip 1
                   /         \
                  /           \
           Machine B         Machine C
        eth0: 10.10.2.1    eth0: 10.10.3.1
        eth1: real ip 2    eth1: real ip 3

2.3. Definitions

    eth0    is the local network (fake address)
    eth1    is the internet address (real address)
    Port A  is any valid port you choose
    Port B  is any other valid port you choose
    Key A   is any valid key you choose (see the cipe documentation)
    Key B   is any other valid key you choose

2.4. Machine A setup

2.4a. /etc/cipe/ip-up

    #!/bin/sh
    # a trimmed down version of the sample ip-up that comes with the distribution
    umask 022
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    echo "UP $*" >> /tmp/cipe
    echo "$3" > "/var/run/$1.pid"
    # The author prefers to set up routing in a separate file, described below.

2.4b. /etc/cipe/options.machineB

    # device name
    device cip3b0
    # the peer's internal (fake) ip address
    ptpaddr 10.10.2.1
    # my cipe (fake) ip address
    ipaddr 10.10.1.1
    # my real ip address and cipe port
    me (real ip 1):(port A)
    # the peer's real ip address and cipe port
    peer (real ip 2):(port A)
    # 128-bit encryption key; keep it secret
    key (Key A)

2.4c. /etc/cipe/options.machineC

    # device name
    device cip3b1
    # the peer's internal (fake) ip address
    ptpaddr 10.10.3.1
    # my cipe (fake) ip address
    ipaddr 10.10.1.1
    # my real ip address and cipe port
    me (real ip 1):(port B)
    # the peer's real ip address and cipe port
    peer (real ip 3):(port B)
    # 128-bit encryption key; keep it secret
    key (Key B)

2.4d. /etc/cipe/setroute

    #!/bin/sh
    # file that sets up the routing table
    # routes to Machine B's network
    /sbin/route add -host 10.10.2.1 dev cip3b0
    /sbin/route add -net 10.10.2.0 netmask 255.255.255.0 gw 10.10.2.1
    # routes to Machine C's network
    /sbin/route add -host 10.10.3.1 dev cip3b1
    /sbin/route add -net 10.10.3.0 netmask 255.255.255.0 gw 10.10.3.1

2.4e. /etc/rc.d/rc.local

    echo Configuring VPN network
    /usr/local/sbin/ciped -o /etc/cipe/options.machineB
    /usr/local/sbin/ciped -o /etc/cipe/options.machineC
    /etc/cipe/setroute

2.4f. Firewall rules

    # flush all incoming firewall rules and set the default policy to deny
    /sbin/ipfwadm -I -f
    /sbin/ipfwadm -I -p deny
    # allow incoming packets into your network via the cipe links
    /sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
    /sbin/ipfwadm -I -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
    # add the rest of your incoming rules here

    # flush all outgoing firewall rules and set the default policy to deny
    /sbin/ipfwadm -O -f
    /sbin/ipfwadm -O -p deny
    # allow outgoing packets to the other networks via the cipe links
    /sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
    /sbin/ipfwadm -O -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
    # add the rest of your outgoing rules here

    # flush all forwarding firewall rules and set the default policy to deny
    /sbin/ipfwadm -F -f
    /sbin/ipfwadm -F -p deny
    # allow packets to be forwarded to the other networks via the cipe links
    /sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
    /sbin/ipfwadm -F -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
    # allow forwarding from the real ip of this machine to the real ips of the other machines
    /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 2)
    /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 3)
    # allow forwarding to the other networks via the local interface (fake ip address)
    /sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
    # add the rest of your forwarding rules here

2.4g. Gateway

Every machine on the 10.10.1.0 network must use 10.10.1.1 as its
gateway; if they are not configured that way, this will not work.

2.5. Machine B setup

2.5a. /etc/cipe/ip-up

    #!/bin/sh
    # a trimmed down version of the sample ip-up that comes with the distribution
    umask 022
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    echo "UP $*" >> /tmp/cipe
    echo "$3" > "/var/run/$1.pid"
    # The author prefers to set up routing in a separate file, described below.

2.5b. /etc/cipe/options.machineA

    # device name
    device cip3b0
    # the peer's internal (fake) ip address
    ptpaddr 10.10.1.1
    # my cipe (fake) ip address
    ipaddr 10.10.2.1
    # my real ip address and cipe port (Machine B's own address; see 2.2)
    me (real ip 2):(port A)
    # the peer's real ip address and cipe port (Machine A)
    peer (real ip 1):(port A)
    # 128-bit encryption key; keep it secret
    key (Key A)

2.5c. /etc/cipe/setroute

    #!/bin/sh
    # file that sets up the routing table
    # routes to Machine A's network
    /sbin/route add -host 10.10.1.1 dev cip3b0
    /sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1

2.5d. /etc/rc.d/rc.local

    echo Configuring VPN network
    /usr/local/sbin/ciped -o /etc/cipe/options.machineA
    /etc/cipe/setroute

2.5e. Firewall rules (see the comments in 2.4f)

    # flush all incoming firewall rules and set the default policy to deny
    /sbin/ipfwadm -I -f
    /sbin/ipfwadm -I -p deny
    # allow incoming packets into your network via the cipe link
    /sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
    # add the rest of your incoming rules here

    # flush all outgoing firewall rules and set the default policy to deny
    /sbin/ipfwadm -O -f
    /sbin/ipfwadm -O -p deny
    # allow outgoing packets to the other network via the cipe link
    /sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
    # add the rest of your outgoing rules here

    # flush all forwarding firewall rules and set the default policy to deny
    /sbin/ipfwadm -F -f
    /sbin/ipfwadm -F -p deny
    # allow packets to be forwarded to the other networks via the cipe link
    /sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
    # allow forwarding from the real ip of this machine to the real ip of the other machine
    /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 2) -D (real ip 1)
    # allow forwarding to the other networks via the local interface (fake ip address)
    /sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
    # add the rest of your forwarding rules here

2.5f. Gateway

Every machine on the 10.10.2.0 network must use 10.10.2.1 as its
gateway; if they are not configured that way, this will not work.

2.6. Machine C setup

2.6a. /etc/cipe/ip-up

    #!/bin/sh
    # a trimmed down version of the sample ip-up that comes with the distribution
    umask 022
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    echo "UP $*" >> /tmp/cipe
    echo "$3" > "/var/run/$1.pid"
    # The author prefers to set up routing in a separate file, described below.

2.6b. /etc/cipe/options.machineA

    # device name
    device cip3b0
    # the peer's internal (fake) ip address
    ptpaddr 10.10.1.1
    # my cipe (fake) ip address
    ipaddr 10.10.3.1
    # my real ip address and cipe port
    me (real ip 3):(port B)
    # the peer's real ip address and cipe port
    peer (real ip 1):(port B)
    # 128-bit encryption key; keep it secret
    key (Key B)

2.6c. /etc/cipe/setroute

    #!/bin/sh
    # file that sets up the routing table
    # routes to Machine A's network
    /sbin/route add -host 10.10.1.1 dev cip3b0
    /sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1

2.6d. /etc/rc.d/rc.local

    echo Configuring VPN network
    /usr/local/sbin/ciped -o /etc/cipe/options.machineA
    /etc/cipe/setroute

2.6e. Firewall rules (see the comments in 2.4f)

    # flush all incoming firewall rules and set the default policy to deny
    /sbin/ipfwadm -I -f
    /sbin/ipfwadm -I -p deny
    # allow incoming packets into your network via the cipe link
    /sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
    # add the rest of your incoming rules here

    # flush all outgoing firewall rules and set the default policy to deny
    /sbin/ipfwadm -O -f
    /sbin/ipfwadm -O -p deny
    # allow outgoing packets to the other network via the cipe link
    /sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
    # add the rest of your outgoing rules here

    # flush all forwarding firewall rules and set the default policy to deny
    /sbin/ipfwadm -F -f
    /sbin/ipfwadm -F -p deny
    # allow packets to be forwarded to the other networks via the cipe link
    /sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
    # allow forwarding from the real ip of this machine to the real ip of the other machine
    /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 3) -D (real ip 1)
    # allow forwarding to the other networks via the local interface (fake ip address)
    /sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
    # add the rest of your forwarding rules here

2.6f. Gateway

Every machine on the 10.10.3.0 network must use 10.10.3.1 as its
gateway; if they are not configured that way, this will not work.

3. Startup

On each machine, run by hand the commands that were added to rc.local.

4. Connecting to the WAN

With the setup so far, your WAN should come up without trouble. Try
pinging machines on the other networks. The next step is to let the
networks access each other with SAMBA. A couple of small hints: an
lmhosts file or a WINS server is required, especially under NT. The
author has set this up successfully but does not intend to cover it in
this document.

5. References

5.1. Web sites

    Cipe HomePage    [2]http://sites.inka.de/~bigred/devel/cipe.html
    Masq Home Page   [3]http://ipmasq.home.ml.org
    Samba Home Page  [4]http://samba.anu.edu.au
    Linux HQ         [5]http://www.linuxhq.com --- a good site for Linux information

5.2. Documents

    cipe.info: the file containing information about the cipe package
    Firewall HOWTO, by Mark Grennan
    IP Masquerade mini-HOWTO, by Ambrose Au

References

    1. http://sites.inka.de/~bigred/sw/cipe-1.0.0.tar.gz
    2. http://sites.inka.de/~bigred/devel/cipe.html
    3. http://ipmasq.home.ml.org/
    4. http://samba.anu.edu.au/
    5. http://www.linuxhq.com/
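The options files in 2.4b, 2.5b and 2.6b come in hub/spoke pairs, and the spoke's file must mirror the hub's: me and peer swapped, ipaddr and ptpaddr swapped, and the same 128-bit key, which is easy to get wrong when the spoke file is copy-pasted from the hub. The script below is an added example, not code from the HOWTO or from cipe; it checks one such pair, using the option names the HOWTO uses and constructed sample addresses, port and key.

```shell
#!/bin/sh
# Consistency check for one cipe tunnel described from both ends: the hub's
# options.machineX file and the spoke's options.machineA file.
# Added example; not part of the HOWTO or of the cipe distribution. Option
# names are the ones the HOWTO uses; addresses, ports and the key are
# constructed sample values (RFC 5737 documentation addresses).

# Print the value of option $2 from cipe options file $1 (comments ignored).
cipe_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" |
        sed 's/#.*//; s/[[:space:]]*$//' | head -n 1
}

# Return 0 when hub file $1 and spoke file $2 mirror each other: each side's
# "me" is the other's "peer", each side's ipaddr is the other's ptpaddr, and
# the key is identical. A missing option on either side is also a failure.
cipe_pair_ok() {
    for o in me peer ipaddr ptpaddr key; do
        [ -n "$(cipe_opt "$1" "$o")" ] && [ -n "$(cipe_opt "$2" "$o")" ] ||
            { echo "option '$o' missing"; return 1; }
    done
    [ "$(cipe_opt "$1" me)" = "$(cipe_opt "$2" peer)" ] || { echo "hub me != spoke peer"; return 1; }
    [ "$(cipe_opt "$1" peer)" = "$(cipe_opt "$2" me)" ] || { echo "hub peer != spoke me"; return 1; }
    [ "$(cipe_opt "$1" ipaddr)" = "$(cipe_opt "$2" ptpaddr)" ] || { echo "hub ipaddr != spoke ptpaddr"; return 1; }
    [ "$(cipe_opt "$1" ptpaddr)" = "$(cipe_opt "$2" ipaddr)" ] || { echo "hub ptpaddr != spoke ipaddr"; return 1; }
    [ "$(cipe_opt "$1" key)" = "$(cipe_opt "$2" key)" ] || { echo "keys differ"; return 1; }
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Hub side (Machine A's options.machineB) in the HOWTO's layout, constructed values.
printf '%s\n' 'device cip3b0' 'ptpaddr 10.10.2.1' 'ipaddr 10.10.1.1' \
    'me 192.0.2.1:6789' 'peer 192.0.2.2:6789' \
    'key 0123456789abcdef0123456789abcdef' > "$WORK/hub.machineB"
# Spoke side done right: me/peer and ipaddr/ptpaddr swapped, same key.
printf '%s\n' 'device cip3b0' 'ptpaddr 10.10.1.1' 'ipaddr 10.10.2.1' \
    'me 192.0.2.2:6789' 'peer 192.0.2.1:6789' \
    'key 0123456789abcdef0123456789abcdef' > "$WORK/spoke.good"
# Spoke side copy-pasted from the hub without swapping me and peer.
printf '%s\n' 'device cip3b0' 'ptpaddr 10.10.1.1' 'ipaddr 10.10.2.1' \
    'me 192.0.2.1:6789' 'peer 192.0.2.2:6789' \
    'key 0123456789abcdef0123456789abcdef' > "$WORK/spoke.bad"

cipe_pair_ok "$WORK/hub.machineB" "$WORK/spoke.good" && echo "good spoke: consistent"
cipe_pair_ok "$WORK/hub.machineB" "$WORK/spoke.bad" || echo "bad spoke: rejected"
```

Run it against the real files on the hub and on each spoke before starting ciped; a mismatch here means the daemons will sit there sending to the wrong address or failing to decrypt rather than bringing the link up.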