<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <article id="GenericTunnels"> <!--$Id$--> <articleinfo> <title>Generic Tunnels</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate>2003-08-09</pubdate> <copyright> <year>2001</year> <year>2002</year> <year>2003</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <para>Shorewall includes built-in support for a wide range of VPN solutions. If you have need for a tunnel type that does not have explicit support, you can generally describe the tunneling software using <quote>generic tunnels</quote>.</para> <section> <title>Bridging two Masqueraded Networks</title> <para>Suppose that we have the following situation:</para> <graphic fileref="images/TwoNets1.png" /> <para>We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is included with Shorewall.</para> <para>Suppose that you have tunneling software that uses two different protocols:</para> <orderedlist numeration="loweralpha"> <listitem> <para>TCP port 1071</para> </listitem> <listitem> <para>GRE (Protocol 47)</para> </listitem> <listitem> <para>The tunnel interface on system A is <quote>tun0</quote> and the tunnel interface on system B is also <quote>tun0</quote>.</para> </listitem> </orderedlist> <para>On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called <quote>vpn</quote> and declare it in /etc/shorewall/zones on both systems as follows.</para> <informaltable> <tgroup cols="3"> <thead> <row> <entry align="center">ZONE</entry> <entry align="center">DISPLAY</entry> <entry align="center">COMMENTS</entry> </row> </thead> <tbody> <row> <entry>vpn</entry> <entry>VPN</entry> <entry>Remote Subnet</entry> </row> </tbody> </tgroup> </informaltable> <para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para> <informaltable> <tgroup cols="4"> <thead> <row> <entry align="center">ZONE</entry> <entry align="center">INTERFACE</entry> <entry align="center">BROADCAST</entry> <entry align="center">OPTIONS</entry> </row> </thead> <tbody> <row> <entry>vpn</entry> <entry>tun0</entry> <entry>10.255.255.255</entry> <entry></entry> </row> </tbody> </tgroup> </informaltable> <para>In /etc/shorewall/tunnels on system A, we need the following:</para> <informaltable> <tgroup cols="4"> <thead> <row> <entry align="center">TYPE</entry> <entry align="center">ZONE</entry> <entry align="center">GATEWAY</entry> <entry align="center">GATEWAY ZONE</entry> </row> </thead> <tbody> <row> <entry>generic:tcp:1071</entry> <entry>net</entry> <entry>134.28.54.2</entry> <entry></entry> </row> <row> <entry>generic:47</entry> <entry>net</entry> <entry>134.28.54.2</entry> <entry></entry> </row> </tbody> </tgroup> </informaltable> <para>These entries in /etc/shorewall/tunnels, opens the firewall so that TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will be accepted to/from the remote gateway.</para> <informaltable> <tgroup cols="4"> <thead> <row> <entry align="center">ZONE</entry> <entry align="center">INTERFACE</entry> <entry align="center">BROADCAST</entry> <entry align="center">OPTIONS</entry> </row> </thead> <tbody> <row> <entry>vpn</entry> <entry>tun0</entry> <entry>192.168.1.255</entry> <entry></entry> </row> </tbody> </tgroup> </informaltable> <para>In /etc/shorewall/tunnels on system B, we have:</para> <informaltable> <tgroup cols="4"> <thead> <row> <entry align="center">TYPE</entry> <entry align="center">ZONE</entry> <entry align="center">GATEWAY</entry> <entry align="center">GATEWAY ZONE</entry> </row> </thead> <tbody> <row> <entry>generic:tcp:1071</entry> <entry>net</entry> <entry>206.191.148.9</entry> <entry></entry> </row> <row> <entry>generic:47</entry> <entry>net</entry> <entry>134.28.54.2</entry> <entry></entry> </row> </tbody> </tgroup> </informaltable> <para>You will need to allow traffic between the <quote>vpn</quote> zone and the <quote>loc</quote> zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file:</para> <informaltable> <tgroup cols="4"> <thead> <row> <entry align="center">SOURCE</entry> <entry align="center">DEST</entry> <entry align="center">POLICY</entry> <entry align="center">LOG LEVEL</entry> </row> </thead> <tbody> <row> <entry>loc</entry> <entry>vpn</entry> <entry>ACCEPT</entry> <entry></entry> </row> <row> <entry>vpn</entry> <entry>loc</entry> <entry>ACCEPT</entry> <entry></entry> </row> </tbody> </tgroup> </informaltable> <para>On both systems, restart Shorewall and start your VPN software on each system. The systems in the two masqueraded subnetworks can now talk to each other</para> </section> </article>