From ffded6482b102d01d83bf0ba96930b725c277349 Mon Sep 17 00:00:00 2001 From: mhnoyes Date: Tue, 16 Dec 2003 18:21:47 +0000 Subject: [PATCH] DocBook XML conversion git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@864 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/IPIP.xml | 313 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 313 insertions(+) create mode 100644 Shorewall-docs/IPIP.xml diff --git a/Shorewall-docs/IPIP.xml b/Shorewall-docs/IPIP.xml new file mode 100644 index 000000000..43213771b --- /dev/null +++ b/Shorewall-docs/IPIP.xml @@ -0,0 +1,313 @@ + + +
+ + GRE and IPIP Tunnels + + + + Tom + + Eastep + + + + + 2001 + + 2002 + + 2003 + + Thomas M. Eastep + + + 2003-02-22 + + + + GRE and IPIP Tunnels are insecure when used over the internet; use + them at your own risk + + + GRE and IPIP tunneling with Shorewall can be used to bridge two + masqueraded networks. + + The simple scripts described in the Linux + Advanced Routing and Shaping HOWTO work fine with Shorewall. + Shorewall also includes a tunnel script for automating tunnel configuration. + If you have installed the RPM, the tunnel script may be found in the + Shorewall documentation directory (usually + /usr/share/doc/shorewall-<version>/). + +
+ Bridging two Masqueraded Networks + + Suppose that we have the following situation: + + + + We want systems in the 192.168.1.0/24 subnetwork to be able to + communicate with the systems in the 10.0.0.0/8 network. This is + accomplished through use of the /etc/shorewall/tunnels file, the + /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is + included with Shorewall. + + The 'tunnel' script is not installed in /etc/shorewall by + default -- If you install using the tarball, the script is included in the + tarball; if you install using the RPM, the file is in your Shorewall + documentation directory (normally + /usr/share/doc/shorewall-<version>). + + In the /etc/shorewall/tunnel script, set the 'tunnel_type' + parameter to the type of tunnel that you want to create. + + + /etc/shorewall/tunnel + + tunnel_type=gre + + + On each firewall, you will need to declare a zone to represent the + remote subnet. We'll assume that this zone is called 'vpn' and + declare it in /etc/shorewall/zones on both systems as follows. + + + /etc/shorewall/zones system A & B + + + + + ZONE + + DISPLAY + + COMMENTS + + + + + + vpn + + VPN + + Remote Subnet + + + +
+ + On system A, the 10.0.0.0/8 will comprise the vpn + zone. In /etc/shorewall/interfaces: + + + /etc/shorewall/interfaces system A + + + + + ZONE + + INTERFACE + + BROADCAST + + OPTIONS + + + + + + vpn + + tosysb + + 10.255.255.255 + + + + + +
+ + In /etc/shorewall/tunnels on system A, we need the following: + + + /etc/shorewall/tunnels system A + + + + + TYPE + + ZONE + + GATEWAY + + GATEWAY ZONE + + + + + + ipip + + net + + 134.28.54.2 + + + + + +
+ + This entry in /etc/shorewall/tunnels, opens the firewall so that the + IP encapsulation protocol (4) will be accepted to/from the remote gateway. + + In the tunnel script on system A: + + + tunnel script on system A + + tunnel=tosysb +myrealip=206.161.148.9 (for GRE tunnel only) +myip=192.168.1.1 +hisip=10.0.0.1 +gateway=134.28.54.2 +subnet=10.0.0.0/8 + + + + Similarly, On system B the 192.168.1.0/24 subnet will comprise the + vpn zone. In /etc/shorewall/interfaces: + + + /etc/shorewall/interfaces system B + + + + + ZONE + + INTERFACE + + BROADCAST + + OPTIONS + + + + + + vpn + + tosysa + + 192.168.1.255 + + + + + +
+ + In /etc/shorewall/tunnels on system B, we have: + + + /etc/shorewall/tunnels system B + + + + + TYPE + + ZONE + + GATEWAY + + GATEWAY ZONE + + + + + + ipip + + net + + 206.191.148.9 + + + + + +
+ + And in the tunnel script on system B: + + + tunnel script on system B + + tunnel=tosysa +myrealip=134.28.54.2 (for GRE tunnel only) +myip=10.0.0.1 +hisip=192.168.1.1 +gateway=206.191.148.9 +subnet=192.168.1.0/24 + + + You can rename the modified tunnel scripts if you like; be sure that + they are secured so that root can execute them. + + You will need to allow traffic between the "vpn" zone and + the "loc" zone on both systems -- if you simply want to admit all + traffic in both directions, you can use the policy file: + + + /etc/shorewall/policy system A & B + + + + + SOURCE + + DEST + + POLICY + + LOG LEVEL + + + + + + loc + + vpn + + ACCEPT + + + + + + vpn + + loc + + ACCEPT + + + + + +
+ + On both systems, restart Shorewall and run the modified tunnel + script with the "start" argument on each system. The systems in + the two masqueraded subnetworks can now talk to each other +
+
\ No newline at end of file
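Review bot: the two gateway addresses for system A do not agree in the added IPIP.xml: the system A tunnel script sets `myrealip=206.161.148.9`, while system B's /etc/shorewall/tunnels entry and tunnel script both point at `206.191.148.9`; one of these is a typo and the example will not work as written until they match, so please pick one value and use it in all three places. In the same file the tunnel script example sets `tunnel_type=gre`, yet both /etc/shorewall/tunnels examples use TYPE `ipip`, and the text itself says that entry admits only IP encapsulation protocol 4; GRE is protocol 47, so a reader who copies both examples ends up with a firewall that blocks the tunnel they configured. Either show `tunnel_type=ipip` in the script example or change the tunnels entries to the GRE type, and say explicitly that the TYPE column must match `tunnel_type`. Finally, "be sure that they are secured so that root can execute them" is ambiguous; the intended point is presumably that the scripts should be executable by root only (they carry the tunnel addresses and run as root), so a wording like "owned by root and executable only by root" would be clearer.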