1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article id="IPIP">
<!--$Id$-->
<articleinfo>
<title>GRE and IPIP Tunnels</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<warning>
<para>GRE and IPIP Tunnels are insecure when used over the Internet; use
them at your own risk</para>
</warning>
<para>GRE and IPIP tunneling with Shorewall can be used to bridge two
masqueraded networks.</para>
<para>The simple scripts described in the <citetitle><ulink
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping
HOWTO</ulink></citetitle> work fine with Shorewall. Shorewall also includes
a tunnel script for automating tunnel configuration. If you have installed
the RPM, the tunnel script may be found in the Shorewall documentation
directory (usually /usr/share/doc/shorewall-<version>/).</para>
<section id="Bridged">
<title>Bridging two Masqueraded Networks</title>
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" />
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.</para>
<para>The <quote>tunnel</quote> script is not installed in /etc/shorewall
by default -- If you install using the tarball, the script is included in
the tarball; if you install using the RPM, the file is in your Shorewall
documentation directory (normally
/usr/share/doc/shorewall-<version>).</para>
<para>In the /etc/shorewall/tunnel script, set the
<quote>tunnel_type</quote> parameter to the type of tunnel that you want
to create.</para>
<example id="Tunnel">
<title>/etc/shorewall/tunnel</title>
<programlisting>tunnel_type=gre</programlisting>
</example>
<warning>
<para>If you use the PPTP connection tracking modules from Netfilter
Patch-O-Matic (ip_conntrack_proto_gre ip_conntrack_pptp,
ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE
tunnels.</para>
</warning>
<para>On each firewall, you will need to declare a zone to represent the
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para>
<programlisting>#ZONE TYPE OPTIONS
vpn ipv4</programlisting>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn tosysb 10.255.255.255</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipip net 134.28.54.2</programlisting>
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
IP encapsulation protocol (4) will be accepted to/from the remote
gateway.</para>
<para>In the tunnel script on system A:</para>
<example id="TunnelA">
<title>tunnel script on system A</title>
<programlisting>tunnel=tosysb
myrealip=206.161.148.9 (for GRE tunnel only)
myip=192.168.1.1
hisip=10.0.0.1
gateway=134.28.54.2
subnet=10.0.0.0/8
</programlisting>
</example>
<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
<emphasis role="bold">vpn</emphasis> zone. In
/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST
vpn tosysa 192.168.1.255</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipip net 206.191.148.9</programlisting>
<para>And in the tunnel script on system B:</para>
<example id="TunnelB">
<title>tunnel script on system B</title>
<programlisting>tunnel=tosysa
myrealip=134.28.54.2 (for GRE tunnel only)
myip=10.0.0.1
hisip=192.168.1.1
gateway=206.191.148.9
subnet=192.168.1.0/24</programlisting>
</example>
<para>You can rename the modified tunnel scripts if you like; be sure that
they are secured so that root can execute them.</para>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<para>On both systems, restart Shorewall and run the modified tunnel
script with the <quote>start</quote> argument on each system. The systems
in the two masqueraded subnetworks can now talk to each other</para>
</section>
</article>
|
