6.6. Configuring Clients for CIPE
After successfully configuring the CIPE server and testing for
functionality, you can now deploy the connection on the client
machine.
The CIPE client should be able to bring the CIPE connection up and tear it down without manual reconfiguration each time. For that purpose, CIPE's network scripts provide hooks in which the settings specific to an individual client (routes, firewall rules, DNS) are applied automatically. For example, a remote employee can connect to the CIPE device on the LAN by typing the following:
The device should come up automatically, and the firewall rules and routing information for the tunnel should be configured along with it. The remote employee should be able to terminate the connection, and have those settings reverted, with the following:
Configuring clients requires creating localized scripts that run after the device has loaded. The device itself is configured through a user-created file, /etc/sysconfig/network-scripts/ifcfg-cipcb0.
This file holds the parameters that determine whether the CIPE connection is brought up at boot time, what the CIPE device is named, and so on. The following is the ifcfg-cipcb0 file for a remote client connecting to the CIPE server:
DEVICE=cipcb0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
# This is the device for which we add a host route to our CIPE peer through.
# You may hard code this, but if left blank, we will try to guess from
# the routing table in the /etc/cipe/ip-up.local file.
PEERROUTEDEV=
# We need to use internal DNS when connected via cipe.
DNS=192.168.1.254
The CIPE device is named cipcb0. It is loaded at boot time (ONBOOT=yes), does not use a boot protocol such as DHCP to obtain an address (BOOTPROTO=none), and, because USERCTL=no, can be brought up or down only by root. The PEERROUTEDEV field names the local interface (for example, eth0) through which a host route to the CIPE peer is added. If it is left blank, the /etc/cipe/ip-up.local script determines the interface from the default route after the device has been loaded.
If your internal networks are behind a firewall (always a good
policy), you need to set rules to allow the CIPE interface on the
client machine to send and receive UDP packets. Refer to Chapter 7 Firewalls for information on configuring a firewall for
Red Hat Linux. For this example configuration, iptables
rules are implemented.
Note: Clients should be configured such that all localized parameters are placed in a user-created file called /etc/cipe/ip-up.local. The local parameters should be reverted when the CIPE session is shut down using /etc/cipe/ip-down.local.
Firewalls on client machines must accept the UDP packets in which CIPE encapsulates tunnel traffic. Rules vary widely, but without that UDP acceptance there is no CIPE connectivity. Two caveats apply. First, the encapsulating packets arrive from the address and UDP port that the CIPE server actually sends from; if the server's Internet-facing address differs from its tunnel address (10.0.1.2 in this example), the UDP rule must name the real address, and restricting it further to CIPE's UDP port with --dport is advisable. Second, a UDP source address is trivially forged, so this rule limits the client's exposure but does not authenticate the peer; that is done by CIPE's own key-based authentication, not by the firewall. The following iptables rules allow UDP CIPE transmissions on the remote client machine connecting to the LAN. The INPUT policy is DROP (iptables accepts only built-in targets such as ACCEPT or DROP as a chain policy), and a state rule ensures that replies to connections the client itself opens are not discarded; the final rule adds IP Masquerading for the 192.168.0.0/24 network behind the remote client on its eth0 interface so that it can reach the LAN and the Internet:
/sbin/modprobe ip_tables
/sbin/service iptables stop
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
# Replies to connections the client itself initiated
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# CIPE's UDP carrier packets from the server; use the address the server
# actually sends from if it differs from its tunnel address
/sbin/iptables -A INPUT -p udp -s 10.0.1.2 -j ACCEPT
/sbin/iptables -A INPUT -i cipcb0 -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
You must also add routing rules on the client machine so that the nodes behind the CIPE connection are reached as if they were on the local network. This is done with the route command. For our example, the client workstation needs the following network route, with the CIPE server's tunnel address (10.0.1.2) as the gateway:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.1.2
The following is the final /etc/cipe/ip-up.local script for the client workstation. CIPE passes the device name (cipcb0) to the script as its first argument, which is used to locate the matching ifcfg file and to name the interface in the route and firewall rules:
#!/bin/bash -v
# /etc/cipe/ip-up.local: run by CIPE after the tunnel device ($1) is up.
if [ -f /etc/sysconfig/network-scripts/ifcfg-$1 ] ; then
    . /etc/sysconfig/network-scripts/ifcfg-$1
else
    cat <<EOT | logger
Cannot find config file ifcfg-$1. Exiting.
EOT
    exit 1
fi
# If PEERROUTEDEV was left blank in the ifcfg file, fall back to the
# interface of the default route.
if [ -z "${PEERROUTEDEV}" ]; then
    cat <<EOT | logger
No PEERROUTEDEV set; using the interface of the default route for cipe packets.
EOT
    # Use routing table to determine peer gateway
    export PEERROUTEDEV=$(/sbin/route -n | grep ^0.0.0.0 | head -n 1 \
        | awk '{ print $NF }')
fi
####################################################
# Add The routes for the remote local area network #
####################################################
route add -host 10.0.1.2 dev $PEERROUTEDEV
route add -net 192.168.1.0 netmask 255.255.255.0 dev $1
####################################################
# IP TABLES Rules to restrict traffic              #
####################################################
/sbin/modprobe ip_tables
/sbin/service iptables stop
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
# Replies to connections the client itself initiated
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# CIPE's UDP carrier packets from the server (use the address it really sends from)
/sbin/iptables -A INPUT -p udp -s 10.0.1.2 -j ACCEPT
/sbin/iptables -A INPUT -i $1 -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
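The Note above says that the local parameters should be reverted in /etc/cipe/ip-down.local, but the page gives no such script. The following is an added example, not part of the Red Hat documentation or of CIPE itself, of an ip-down.local that undoes what the ip-up.local above installs. It assumes the same addresses as the example (peer 10.0.1.2, remote LAN 192.168.1.0/24, masqueraded local network 192.168.0.0/24 on eth0), that CIPE passes the device name as $1, and that the system's persistent ruleset is the one /sbin/service iptables start loads. The DRY_RUN variable and the default_route_dev helper, which parses route -n output the same way ip-up.local does, are conveniences of the example so that the teardown logic can be checked without root or a live tunnel.

```shell
#!/bin/bash
# /etc/cipe/ip-down.local (added example, not Red Hat's or CIPE's own script).
# CIPE runs this hook when the tunnel device ($1) goes down; it undoes the
# routes and firewall rules that the ip-up.local script above installs.

CIPE_PEER=10.0.1.2            # tunnel address of the CIPE server (as in ip-up.local)
REMOTE_NET=192.168.1.0        # LAN behind the CIPE server
REMOTE_MASK=255.255.255.0
LOCAL_LAN=192.168.0.0/24      # network ip-up.local masquerades out of eth0
EXT_DEV=eth0

# With DRY_RUN set (an example-only convenience), print each privileged
# command instead of executing it, so the teardown can be reviewed or
# tested without root or a live tunnel.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Read `route -n` output on stdin and print the interface of the first
# default route (destination 0.0.0.0). Exit 1 if there is none, rather
# than silently returning an empty interface name.
default_route_dev() {
    awk '$1 == "0.0.0.0" { print $NF; found = 1; exit } END { exit !found }'
}

cipe_down() {
    dev=$1
    # Mirror ip-up.local: take PEERROUTEDEV from the environment (the ifcfg
    # file) if set, otherwise the interface of the default route.
    peerdev=${PEERROUTEDEV:-}
    if [ -z "$peerdev" ]; then
        peerdev=$(/sbin/route -n | default_route_dev) \
            || logger -t cipe "ip-down.local: no default route; leaving host route to $CIPE_PEER"
    fi

    # ip-up.local flushed INPUT and rebuilt it from scratch, so every rule in
    # INPUT is ours: reset the policy first (so the host is not cut off
    # between the flush and the reload), then flush the chain.
    run /sbin/iptables -P INPUT ACCEPT
    run /sbin/iptables -F INPUT
    # The MASQUERADE rule was appended to a shared chain, so delete exactly
    # that rule instead of flushing nat POSTROUTING.
    run /sbin/iptables -t nat -D POSTROUTING -s "$LOCAL_LAN" -o "$EXT_DEV" -j MASQUERADE

    # Remove the network route over the tunnel and the host route to the
    # peer that ip-up.local added through the physical interface.
    run /sbin/route del -net "$REMOTE_NET" netmask "$REMOTE_MASK" dev "$dev"
    if [ -n "$peerdev" ]; then
        run /sbin/route del -host "$CIPE_PEER" dev "$peerdev"
    fi

    # Restore the system's persistent ruleset (/etc/sysconfig/iptables),
    # which ip-up.local replaced with `service iptables stop`.
    run /sbin/service iptables start
}

# CIPE invokes the hook with the device name as the first argument.
case "${1:-}" in
    cipcb*) cipe_down "$1" ;;
esac
```

Run it by hand with DRY_RUN=1 (for example, `DRY_RUN=1 ./ip-down.local cipcb0`) to see the exact commands that will be executed before installing it as /etc/cipe/ip-down.local. The policy is reset to ACCEPT before the flush deliberately: with the order reversed, a flushed INPUT chain under a DROP policy would cut off the client until the persistent ruleset reloads.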