howto-text-zh-9.0-1mdk.noarch.rpm



   The Linux Cipe+Masquerading mini-HOWTO
   Anthony Ciaravalo, acj@home.com
   v0.4, 28 October 1998

   1. Introduction
   
   This is the Linux Cipe+Masquerading mini-HOWTO. This document explains
   how to use cipe, via Linux masquerading firewall hosts, to build a
   Virtual Private Network between your local area network (LAN) and
   other LANs.
   
   1.1. Copyright
   
   (C)opyright 1998 Anthony Ciaravalo, acj@home.com
   
   Unless otherwise stated, the copyright of a Linux HOWTO document
   belongs to its original author. As long as the copyright is preserved,
   Linux HOWTO documents may be reproduced and distributed, in whole or in
   part, in any electronic or physical medium. Commercial reproduction is
   allowed and even encouraged, provided that the original author is
   notified.
   
   All works derived from Linux HOWTO documents (including translations,
   adaptations, compilations and so on) must include this copyright
   notice. That is, nobody may impose additional restrictions on the
   distribution of the documents. Exceptions may be granted only under
   certain specific conditions; for details, please contact the Linux
   HOWTO coordinator at the address given below.
   
   If you have any questions, you are welcome to contact the Linux HOWTO
   coordinator, Greg Hankins; you can finger this account to obtain a
   contact telephone number or e-mail address.
   
   1.2. Disclaimer
   
   Anyone using the examples or information in this document must do so at
   their own risk. Connecting your network to the Internet raises many
   security issues. Even if your traffic is encrypted, an incorrect
   firewall configuration will still lead to security holes. You must be
   especially careful with your cipe connection; even so, 100% security
   cannot be guaranteed. The author does not guarantee that the
   information provided in this document will also provide a secure
   network environment.
   
   1.3. Feedback
   
   If you have any questions, suggestions, corrections or comments, you
   are welcome to write to acj@home.net.
   
   1.4. Latest Version of this Document
   
   New versions of this document will be posted to the cipe mailing list
   and e-mailed to the Linux HOWTO coordinator to be filed as a Linux
   HOWTO.
   
   1.5. Obtaining the Files
   
   This document was written for cipe version 1.0.0. You can obtain the
   files from [1]http://sites.inka.de/~bigred/sw/cipe-1.0.0.tar.gz.
   
   2. Machine Setup
   
   2.1. Firewall Setup
   
   This document assumes that your kernel has already been configured with
   IP masquerade support and that your firewall configuration is already
   running correctly. This document does not explain how to set up a
   masquerading firewall; it only presents example rules to show how to
   make cipe work together with a masquerading firewall. You can find out
   how to set up a Linux IP masquerade firewall in the reference
   documents.
   
   2.2. The Star/Hub Setup
   
   This setup uses a star/hub architecture, so if Machine A goes down,
   Machines B and C will be unable to communicate. You may consider adding
   a cipe connection between Machines B and C to solve this problem.
   Things start to get risky once you link many networks together. This
   document only presents the example of the star/hub setup.
   

                         Machine A
                         eth0: 10.10.1.1
                         eth1: real ip 1
                      /                   \
                     /                     \
               Machine B                 Machine C
               eth0: 10.10.2.1           eth0: 10.10.3.1
               eth1: real ip 2           eth1: real ip 3

   2.3. Terminology
   
   eth0 is the local network (fake address)
   eth1 is the internet address (real address)
   
   Port A is any valid port you choose
   Port B is any other valid port you choose
   
   Key A is any valid key you choose (see the cipe documentation for
   details)
   Key B is any valid key you choose
   
   2.4. Machine A Setup
   
   2.4a. /etc/cipe/ip-up
   

   #!/bin/sh
   #a trimmed down version of the sample ip-up that comes with the
   #distribution; ciped passes the interface name as $1 and its own pid as $3
   umask 022
   PATH=/sbin:/bin:/usr/sbin:/usr/bin
   #note: a root script appending under /tmp follows symlinks; /var/log is safer
   echo "UP $*" >> /tmp/cipe
   echo "$3" > "/var/run/$1.pid"
   #The author prefers to put the routing setup in a separate file, as
   #described below.

   2.4b. /etc/cipe/options.machineB
   

   #the device name
   device          cip3b0
   # the peers internal (fake) ip address
   ptpaddr         10.10.2.1
   # my cipe (fake) ip address
   ipaddr          10.10.1.1
   # my real ip address and cipe port
   me              (real ip 1):(port A)
   # the peers ip address and cipe port
   peer            (real ip 2):(port A)
   #128-bit encryption key; keep it secret
   key             (Key A)

   2.4c. /etc/cipe/options.machineC
   

   #the device name
   device          cip3b1
   # the peers internal (fake) ip address
   ptpaddr         10.10.3.1
   # my cipe (fake) ip address
   ipaddr          10.10.1.1
   # my real ip address and cipe port
   me              (real ip 1):(port B)
   # the peers ip address and cipe port
   peer            (real ip 3):(port B)
   #128-bit encryption key; keep it secret
   key             (Key B)

   2.4d. /etc/cipe/setroute
   

   #!/bin/sh
   #file that sets up the routing table
   #set the routes for Machine B
   /sbin/route add -host 10.10.2.1 dev cip3b0
   /sbin/route add -net 10.10.2.0 netmask 255.255.255.0 gw 10.10.2.1
   #set the routes for Machine C
   /sbin/route add -host 10.10.3.1 dev cip3b1
   /sbin/route add -net 10.10.3.0 netmask 255.255.255.0 gw 10.10.3.1

   2.4e. /etc/rc.d/rc.local
   

   echo Configuring VPN network
   /usr/local/sbin/ciped -o /etc/cipe/options.machineB
   /usr/local/sbin/ciped -o /etc/cipe/options.machineC
   /etc/cipe/setroute

   2.4f. Firewall Rules
   

   #flush all incoming firewall rules and set the default policy to deny
   /sbin/ipfwadm -I -f
   /sbin/ipfwadm -I -p deny
   #allow all incoming packets to your network via the cipe links
   /sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   /sbin/ipfwadm -I -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add the rest of your incoming rules here

   #flush all outgoing firewall rules and set the default policy to deny
   /sbin/ipfwadm -O -f
   /sbin/ipfwadm -O -p deny
   #allow all outgoing packets to the other networks via the cipe links
   /sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   /sbin/ipfwadm -O -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add the rest of your outgoing rules here

   #flush all forwarding firewall rules and set the default policy to deny
   /sbin/ipfwadm -F -f
   /sbin/ipfwadm -F -p deny
   #allow all packets to be forwarded to the other networks via the cipe links
   /sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   /sbin/ipfwadm -F -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
   #allow forwarding from this machine's real ip to the real ip of the other machines
   /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 2)
   /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 3)
   #allow forwarding to the other networks via the local interface (fake ip address)
   /sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add the rest of your forwarding rules here
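   To see what the forwarding rules above actually let through, here is an
   added shell example (not part of the HOWTO and not ipfwadm's own code)
   that replays Machine A's -F chain over a few constructed packets the
   way ipfwadm evaluates it: the first rule whose interface, source and
   destination all match accepts, otherwise the deny policy applies. It
   assumes 192.0.2.1, 192.0.2.2 and 192.0.2.3 as stand-ins for real ip 1,
   2 and 3, treats the first column purely as the name compared with -W,
   and leaves out protocol and port matching because the rules above do
   not use them.

```shell
#!/bin/sh
# Added example, not part of the HOWTO or of ipfwadm: evaluate Machine A's
# forwarding (-F) rules from section 2.4f against sample packets.
# Chain semantics modelled: first matching rule accepts, else policy deny.
# 192.0.2.1/2/3 are constructed stand-ins for "real ip 1/2/3".

ip2int() {
    # ip2int A.B.C.D -> the address as one integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_net() {
    # in_net ADDR NET[/BITS] -> status 0 if ADDR lies inside NET/BITS
    net=${2%/*}
    bits=${2#*/}
    [ "$net" = "$2" ] && bits=32      # a bare address is a /32 host match
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Machine A's forwarding rules from 2.4f, one "interface source destination"
# per line in chain order; the chain policy is deny.
FORWARD_RULES='
cip3b0 10.10.0.0/16 10.10.0.0/16
cip3b1 10.10.0.0/16 10.10.0.0/16
eth1   192.0.2.1    192.0.2.2
eth1   192.0.2.1    192.0.2.3
eth0   10.10.0.0/16 10.10.0.0/16
'

forward_decision() {
    # forward_decision IFACE SRC DST -> prints "accept" or "deny"
    verdict=$(printf '%s\n' "$FORWARD_RULES" | while read -r r_if r_src r_dst; do
        [ -n "$r_if" ] || continue
        if [ "$r_if" = "$1" ] && in_net "$2" "$r_src" && in_net "$3" "$r_dst"; then
            echo accept
            break
        fi
    done)
    echo "${verdict:-deny}"
}

# Constructed sample packets: interface named in -W, source, destination
for pkt in \
    "cip3b0 10.10.2.5 10.10.3.7" \
    "eth0 10.10.1.5 10.10.2.9" \
    "eth1 192.0.2.1 192.0.2.2" \
    "eth1 198.51.100.9 10.10.1.5" \
    "eth1 10.10.2.5 10.10.1.5" \
    "eth0 10.10.1.5 203.0.113.4"; do
    set -- $pkt
    echo "$1 $2 -> $3: $(forward_decision "$1" "$2" "$3")"
done
```

   Run it with sh. The last sample shows why the author leaves room for
   "the rest of your forwarding rules": with only the rules above, traffic
   from the 10.10.0.0/16 networks to a public address falls through to the
   deny policy, so the masquerading rules for ordinary Internet access still
   have to be added, while VPN traffic between the fake networks is accepted
   only on the cipe devices and eth0.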

   2.4g. Gateway
   
   All machines on the 10.10.1.0 network must use 10.10.1.1 as their
   gateway; if you do not set them up this way, it will not work.
   
   2.5. Machine B Setup
   
   2.5a. /etc/cipe/ip-up
   

   #!/bin/sh
   #a trimmed down version of the sample ip-up that comes with the
   #distribution; ciped passes the interface name as $1 and its own pid as $3
   umask 022
   PATH=/sbin:/bin:/usr/sbin:/usr/bin
   #note: a root script appending under /tmp follows symlinks; /var/log is safer
   echo "UP $*" >> /tmp/cipe
   echo "$3" > "/var/run/$1.pid"
   #The author prefers to put the routing setup in a separate file, as
   #described below.

   2.5b. /etc/cipe/options.machineA
   
   #the device name
   device          cip3b0
   # the peers internal (fake) ip address
   ptpaddr         10.10.1.1
   # my cipe (fake) ip address
   ipaddr          10.10.2.1
   # my real ip address and cipe port (real ip 2 is Machine B's own address)
   me              (real ip 2):(port A)
   # the peers ip address and cipe port (the peer is Machine A)
   peer            (real ip 1):(port A)
   #128-bit encryption key; keep it secret
   key             (Key A)

   2.5c. /etc/cipe/setroute
   

   #!/bin/sh
   #file that sets up the routing table
   #set the routes for Machine A
   /sbin/route add -host 10.10.1.1 dev cip3b0
   /sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1

   2.5d. /etc/rc.d/rc.local
   

   echo Configuring VPN network
   /usr/local/sbin/ciped -o /etc/cipe/options.machineA
   /etc/cipe/setroute

   2.5e. Firewall Rules
   
   (See the comments in 2.4f for an explanation of the rules below.)
   
   #flush all incoming firewall rules and set default policy to deny
   /sbin/ipfwadm -I -f
   /sbin/ipfwadm -I -p deny
   #allow incoming packets to your network via the cipe link
   /sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your incoming rules here

   #flush all outgoing firewall rules and set default policy to deny
   /sbin/ipfwadm -O -f
   /sbin/ipfwadm -O -p deny
   #allow outgoing packets to your network via the cipe link
   /sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your outgoing rules here

   #flush all forwarding firewall rules and set default policy to deny
   /sbin/ipfwadm -F -f
   /sbin/ipfwadm -F -p deny
   #allow packets to be forwarded to the other networks via the cipe links
   /sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #allow forwarding from real ip of this machine to the real ip address of the other machines
   /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 2) -D (real ip 1)
   #allow packets to be forwarded to the other networks via the local interface (fake ip address)
   /sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your forwarding rules here

   2.5f. Gateway
   
   All machines on the 10.10.2.0 network must use 10.10.2.1 as their
   gateway; if you do not set them up this way, it will not work.
   
   2.6. Machine C Setup
   
   2.6a. /etc/cipe/ip-up
   

   #!/bin/sh
   #a trimmed down version of the sample ip-up that comes with the
   #distribution; ciped passes the interface name as $1 and its own pid as $3
   umask 022
   PATH=/sbin:/bin:/usr/sbin:/usr/bin
   #note: a root script appending under /tmp follows symlinks; /var/log is safer
   echo "UP $*" >> /tmp/cipe
   echo "$3" > "/var/run/$1.pid"
   #The author prefers to put the routing setup in a separate file, as
   #described below.

   2.6b. /etc/cipe/options.machineA
   

   #the device name
   device          cip3b0
   # the peers internal (fake) ip address
   ptpaddr         10.10.1.1
   # my cipe (fake) ip address
   ipaddr          10.10.3.1
   # my real ip address and cipe port
   me              (real ip 3):(port B)
   # the peers ip address and cipe port
   peer            (real ip 1):(port B)
   #128-bit encryption key; keep it secret
   key             (Key B)

   2.6c. /etc/cipe/setroute
   

   #!/bin/sh
   #file that sets up the routing table
   #set the routes for Machine A
   /sbin/route add -host 10.10.1.1 dev cip3b0
   /sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1

   2.6d. /etc/rc.d/rc.local
   

   echo Configuring VPN network
   /usr/local/sbin/ciped -o /etc/cipe/options.machineA
   /etc/cipe/setroute

   2.6e. Firewall Rules
   
   (See the comments in 2.4f for an explanation of the rules below.)
   

   #flush all incoming firewall rules and set default policy to deny
   /sbin/ipfwadm -I -f
   /sbin/ipfwadm -I -p deny
   #allow incoming packets to your network via the cipe link
   /sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your incoming rules here

   #flush all outgoing firewall rules and set default policy to deny
   /sbin/ipfwadm -O -f
   /sbin/ipfwadm -O -p deny
   #allow outgoing packets to your network via the cipe link
   /sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your outgoing rules here

   #flush all forwarding firewall rules and set default policy to deny
   /sbin/ipfwadm -F -f
   /sbin/ipfwadm -F -p deny
   #allow packets to be forwarded to the other networks via the cipe links
   /sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #allow forwarding from real ip of this machine to the real ip address of the other machine
   /sbin/ipfwadm -F -a accept -W eth1 -S (real ip 3) -D (real ip 1)
   #allow packets to be forwarded to the other networks via the local interface (fake ip address)
   /sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
   #add rest of your forwarding rules here

   2.6f. Gateway
   
   All machines on the 10.10.3.0 network must use 10.10.3.1 as their
   gateway; if you do not set them up this way, it will not work.
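   Each cipe link in the star/hub setup above is described twice, once on
   each end, and the two files have to mirror each other: my ipaddr is the
   peer's ptpaddr, my "me" is the peer's "peer", and the key is shared. The
   following is an added example (not part of the HOWTO and not a cipe
   tool) that checks this mechanically and also verifies that no two links
   on one host reuse a device name or a local port, as cip3b0/cip3b1 and
   port A/port B on Machine A must not. Every value in it is constructed:
   192.0.2.x stands in for the real ip placeholders, the ports and keys are
   dummies, and the files are written to a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the HOWTO or of cipe: cross-check the options
# files of a star/hub setup so that both ends of every link agree.
# All addresses, ports and keys below are constructed dummies.

opt() {
    # opt FILE KEY -> value of KEY in a cipe options file (comments skipped)
    awk -v k="$2" '$1 !~ /^#/ && $1 == k { print $2; exit }' "$1"
}

check_link() {
    # check_link LOCAL_FILE PEER_FILE -> 0 when the two ends mirror each other
    rc=0
    for pair in ipaddr:ptpaddr ptpaddr:ipaddr me:peer peer:me key:key; do
        lk=${pair%:*}; pk=${pair#*:}
        lv=$(opt "$1" "$lk"); pv=$(opt "$2" "$pk")
        if [ "$lv" != "$pv" ]; then
            echo "mismatch: $1 $lk=$lv but $2 $pk=$pv"
            rc=1
        fi
    done
    return $rc
}

check_host() {
    # check_host FILE... -> 0 when no two links on one host reuse a device
    # name or a local UDP port
    dups=$(for f in "$@"; do
        me=$(opt "$f" me)
        echo "device $(opt "$f" device)"
        echo "port ${me#*:}"
    done | sort | uniq -d)
    [ -n "$dups" ] && echo "duplicate on host: $dups"
    [ -z "$dups" ]
}

write_opts() {
    # write_opts FILE DEVICE PTPADDR IPADDR ME PEER KEY -> constructed options file
    cat > "$1" <<EOF
# constructed sample options file (added example)
device  $2
ptpaddr $3
ipaddr  $4
me      $5
peer    $6
key     $7
EOF
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
KEY_A=00112233445566778899aabbccddeeff   # dummy 128-bit key, example only
KEY_B=ffeeddccbbaa99887766554433221100   # dummy 128-bit key, example only
# Machine A (hub): two links, two devices, two ports
write_opts "$dir/A.machineB" cip3b0 10.10.2.1 10.10.1.1 192.0.2.1:6789 192.0.2.2:6789 "$KEY_A"
write_opts "$dir/A.machineC" cip3b1 10.10.3.1 10.10.1.1 192.0.2.1:6790 192.0.2.3:6790 "$KEY_B"
# Machines B and C (spokes)
write_opts "$dir/B.machineA" cip3b0 10.10.1.1 10.10.2.1 192.0.2.2:6789 192.0.2.1:6789 "$KEY_A"
write_opts "$dir/C.machineA" cip3b0 10.10.1.1 10.10.3.1 192.0.2.3:6790 192.0.2.1:6790 "$KEY_B"
# A spoke file whose me/peer were copied unchanged from the hub: the easy slip
write_opts "$dir/B.swapped" cip3b0 10.10.1.1 10.10.2.1 192.0.2.1:6789 192.0.2.2:6789 "$KEY_A"

check_link "$dir/A.machineB" "$dir/B.machineA" && echo "A<->B ok"
check_link "$dir/A.machineC" "$dir/C.machineA" && echo "A<->C ok"
check_link "$dir/A.machineB" "$dir/B.swapped" || echo "A<->B (swapped) rejected"
check_host "$dir/A.machineB" "$dir/A.machineC" && echo "host A ok"
```

   To use it on real files, point check_link at the local file and the
   copy of the peer's file and check_host at all options files of one
   host; the key comparison means the peer's file must be transferred over
   a channel you already trust, exactly as the keys themselves must be.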
   
   3. Startup
   
   On each machine, run the commands that were added to rc.local by hand.
   
   4. Connecting to the WAN
   
   With the setup done up to this point, your WAN should connect without
   trouble. You can try pinging machines on the other networks. The next
   step is to let your networks access each other with SAMBA. A few hints:
   lmhosts or a wins server is required, especially under NT. The author
   has actually set this up successfully, but does not intend to cover
   that part in this article.
   
   5. References:
   
   5.1. Web Addresses
   

   Cipe HomePage     [2]http://sites.inka.de/~bigred/devel/cipe.html
   Masq Home Page    [3]http://ipmasq.home.ml.org
   Samba Home Page   [4]http://samba.anu.edu.au
   Linux HQ          [5]http://www.linuxhq.com --- a good site for Linux information

   5.2. Documents
   
   cipe.info: the file containing information about the cipe software package
   Firewall HOWTO, by Mark Grennan
   IP Masquerade mini-HOWTO, by Ambrose Au
   
   References:
   1. http://sites.inka.de/~bigred/sw/cipe-1.0.0.tar.gz
   2. http://sites.inka.de/~bigred/devel/cipe.html
   3. http://ipmasq.home.ml.org/
   4. http://samba.anu.edu.au/
   5. http://www.linuxhq.com/
