Now that your users have access to the system, we need to make sure that
they have access to the network. We do that by using the Linux kernel's
firewalling rules and routing tables. Using the route and
ipfwadm commands, we can set up the kernel to handle network
traffic in the appropriate ways. For more info on ipfwadm,
ipchains and route see the
Linux Networking HOWTO.
In order for any of this to work, you must have your kernel configured
correctly. If you don't know how to build your own kernel, then you
should read the
Kernel HOWTO. You'll need to make sure that the following kernel options
are turned on in addition to basic networking. I use a 2.0.38 kernel
in my system.
For 2.0 kernels:
For 2.2 kernels:
CONFIG_FIREWALL
CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_FIREWALL
CONFIG_IP_ROUTER
CONFIG_IP_MASQUERADE (optional)
CONFIG_IP_MASQUERADE_ICMP (optional)
CONFIG_PPP
First, we write firewall filter rules that allow our users to access our
internal nets, while restricting them from accessing the outside
internet. This sounds strange, but since the users
already have access to the internet, why let them use the tunnel to
access the net? It wastes both bandwidth and processor resources.
The filter rules that we use depend upon which internal nets we use,
but translate to: "Allow traffic coming from our VPNs that is
destined for our internal nets to go there." So how do we do that?
As always, it depends. If you are running a 2.0 kernel, you use the
tool called ipfwadm, but if you are using a
2.2 kernel, you use the utility called ipchains.
To set the rules with ipfwadm, run it with options similar to
the following:
# /sbin/ipfwadm -F -f
# /sbin/ipfwadm -F -p deny
# /sbin/ipfwadm -F -a accept -S 192.168.13.0/24 -D 172.16.0.0/12
|
To set the rules with ipchains, run it with options similar to
the following:
# /sbin/ipchains -F forward
# /sbin/ipchains -P forward DENY
# /sbin/ipchains -A forward -j ACCEPT -s 192.168.13.0/24 -d 172.16.0.0/12
|
For those using 2.2 kernels, please read Section 6.1.3.
Now that users are allowed to access our nets, we need to tell
the kernel where to send the packets. On my system, I have two ethernet
cards, one is on the external network, while the other is on the
internal network. This helps keep things secure, as outbound traffic is
masqueraded by the gateway, and any incoming traffic is filtered and
routed by the Cisco Router. For most setups, the routing should be simple.
Next, route all traffic destined for the private networks out the
internal interface, and all other traffic out the external interface. The
specific routing commands depend on which internal nets you are using.
Below is an example of what they might look like. These lines are of course
in addition to your basic routes for your local nets. I also doubt that you
are using all 3 groups of internal numbers:
Assuming that 172.16.254.254 is the internal gateway:
# /sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.16.254.254 dev eth1
# /sbin/route add -net 172.16.0.0 netmask 255.240.0.0 gw 172.16.254.254 dev eth1
# /sbin/route add -net 192.168.0.0 netmask 255.255.0.0 gw 172.16.254.254 dev eth1
|
One additional note on routing. If you are using two way routing for
say, a remote office, then you will need to do one more thing. You
need to set up routes on the server that point back to the client. The
easiest way to accomplish this is to run a cron job every minute that
quietly sets back routes. If the client is not
connected, route will just spit out an error (that you've
conveniently sent to /dev/null.)