</pre>
2.5b. /etc/cipe/options.machineA<p>
<pre>
#device name
device          cip3b0
# the peer's internal (fake) ip address
ptpaddr         10.10.1.1
# my cipe (fake) ip address
ipaddr          10.10.2.1
# my real ip address and cipe port
me              (real ip 1):(port A)
# the peer's ip address and cipe port
peer            (real ip 2):(port A)
#128-bit encryption key; must be kept secret
key             (Key A)
</pre>
2.5c. /etc/cipe/setroute<p>
<pre>
#!/bin/sh
#file that sets up the routing table
#set up the routes to Machine A
/sbin/route add -host 10.10.1.1 dev cip3b0
/sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1
</pre>
2.5d. /etc/rc.d/rc.local<p>
<pre>
echo Configuring VPN network
/usr/local/sbin/ciped -o /etc/cipe/options.machineA
/etc/cipe/setroute
</pre>
2.5e. Firewall rules<p>
(See the notes in 2.4f for an explanation of the following.)<p>
<pre>
#flush all incoming firewall rules and set default policy to deny
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p deny
#allow incoming packets to your network via the cipe link
/sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your incoming rules here

#flush all outgoing firewall rules and set default policy to deny
/sbin/ipfwadm -O -f
/sbin/ipfwadm -O -p deny
#allow outgoing packets to your network via the cipe link
/sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your outgoing rules here

#flush all forwarding firewall rules and set default policy to deny
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
#allow packets to be forwarded to the other networks via the cipe links
/sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#allow forwarding from real ip of this machine to the real ip address of the other machines
/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 2) -D (real ip 1)
#allow packets to be forwarded to the other networks via the local interface (fake ip address)
/sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your forwarding rules here
</pre>
2.5f. Gateway<p>
Every machine on the 10.10.2.0 network must use 10.10.2.1 as its gateway. If it is not set up this way, things will not work properly.<p>
2.6. Setting up Machine C<p>
2.6a. /etc/cipe/ip-up<p>
<pre>
#!/bin/sh
#a trimmed down version of the sample ip-up that comes with the distribution
umask 022
PATH=/sbin:/bin:/usr/sbin:/usr/bin
echo "UP $*" >> /tmp/cipe
echo "$3" > "/var/run/$1.pid"
#I prefer to set up routing in a separate file, as detailed below.
</pre>
2.6b. /etc/cipe/options.machineA<p>
<pre>
#device name
device          cip3b0
# the peer's internal (fake) ip address
ptpaddr         10.10.1.1
# my cipe (fake) ip address
ipaddr          10.10.3.1
# my real ip address and cipe port
me              (real ip 3):(port B)
# the peer's ip address and cipe port
peer            (real ip 1):(port B)
#128-bit encryption key; must be kept secret
key             (Key B)
</pre>
2.6c. /etc/cipe/setroute<p>
<pre>
#!/bin/sh
#file that sets up the routing table
#set up the routes to Machine A
/sbin/route add -host 10.10.1.1 dev cip3b0
/sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1
</pre>
2.6d. /etc/rc.d/rc.local<p>
<pre>
echo Configuring VPN network
/usr/local/sbin/ciped -o /etc/cipe/options.machineA
/etc/cipe/setroute
</pre>
2.6e. Firewall rules<p>
(See the notes in 2.4f for an explanation of the following.)<p>
<pre>
#flush all incoming firewall rules and set default policy to deny
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p deny
#allow incoming packets to your network via the cipe link
/sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your incoming rules here

#flush all outgoing firewall rules and set default policy to deny
/sbin/ipfwadm -O -f
/sbin/ipfwadm -O -p deny
#allow outgoing packets to your network via the cipe link
/sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your outgoing rules here

#flush all forwarding firewall rules and set default policy to deny
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
#allow packets to be forwarded to the other networks via the cipe links
/sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
#allow forwarding from real ip of this machine to the real ip address of the other machine
/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 3) -D (real ip 1)
#allow packets to be forwarded to the other networks via the local interface (fake ip address)
/sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
#add rest of your forwarding rules here
</pre>
2.6f. Gateway<p>
Every machine on the 10.10.3.0 network must use 10.10.3.1 as its gateway. If it is not set up this way, things will not work properly.<p>
3. Starting up<p>
On each machine, manually run the commands that were added to rc.local.<p>
4. Connecting to the WAN<p>
With the setup complete to this point, your WAN should connect without trouble. Try pinging machines on the other networks. The next step is to let your networks access one another through Samba. A hint: lmhosts or a WINS server is required, especially under NT. I have set this up successfully myself, but do not intend to cover it in this document.<p>
5. References<p>
5.1. Web sites<p>
<pre>
Cipe HomePage    <a href="http://sites.inka.de/~bigred/devel/cipe.html">http://sites.inka.de/~bigred/devel/cipe.html</a>
Masq Home Page   <a href="http://ipmasq.home.ml.org/">http://ipmasq.home.ml.org</a>
Samba Home Page  <a href="http://samba.anu.edu.au/">http://samba.anu.edu.au</a>
Linux HQ         <a href="http://www.linuxhq.com/">http://www.linuxhq.com</a> --- a good site for Linux information
</pre>
5.2. Documents<p>
cipe.info: the file containing information about the cipe software package<p>
Firewall HOWTO, by Mark Grennan &lt;markg@netplus.net&gt;<p>
IP Masquerade mini-HOWTO, by Ambrose Au &lt;ambrose@writeme.com&gt;<p>
References:
<pre>
1. http://sites.inka.de/~bigred/sw/cipe-1.0.0.tar.gz
2. http://sites.inka.de/~bigred/devel/cipe.html
3. http://ipmasq.home.ml.org/
4. http://samba.anu.edu.au/
5. http://www.linuxhq.com/
</pre>
</BODY>
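The options files in 2.5b and 2.6b only bring a link up if each one mirrors the file on Machine A's end of the same link: one side's ipaddr is the other's ptpaddr, me and peer are swapped, and the key is identical and kept private. The check below is an added example, not part of the HOWTO; the file names a.opts and b.opts, the addresses, the port and the key are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the HOWTO. All sample values below are constructed.

# opt FILE NAME: print the value of option NAME (comment lines never match)
opt() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# cipe_pair_check LOCAL REMOTE: print every problem found, return 1 if any
cipe_pair_check() {
    rc=0
    # each side's ipaddr is the other's ptpaddr; me and peer are swapped
    for pair in ipaddr:ptpaddr ptpaddr:ipaddr me:peer peer:me; do
        a=${pair%%:*}; b=${pair##*:}
        [ "$(opt "$1" "$a")" = "$(opt "$2" "$b")" ] ||
            { echo "MISMATCH: $1 $a != $2 $b"; rc=1; }
    done
    # both ends share one key: 128 bits, written as 32 hex digits
    k=$(opt "$1" key)
    [ "$k" = "$(opt "$2" key)" ] || { echo "MISMATCH: key differs"; rc=1; }
    case $k in
        ""|*[!0-9a-fA-F]*) echo "BAD KEY: not hex"; rc=1 ;;
    esac
    [ "${#k}" -eq 32 ] || { echo "BAD KEY: ${#k} digits, want 32"; rc=1; }
    # the key is a secret: no group/other permission bits on either file
    for f in "$1" "$2"; do
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            { echo "PERMS: $f accessible beyond owner"; rc=1; }
    done
    return $rc
}

# make_samples DIR: write a constructed pair (Machine A's end, Machine B's end)
make_samples() {
    printf '%s\n' 'device cip3b0' 'ptpaddr 10.10.2.1' 'ipaddr 10.10.1.1' \
        'me 192.0.2.1:6789' 'peer 198.51.100.2:6789' \
        'key 0123456789abcdef0123456789abcdef' > "$1/a.opts"
    printf '%s\n' '#device name' 'device cip3b0' 'ptpaddr 10.10.1.1' \
        'ipaddr 10.10.2.1' 'me 198.51.100.2:6789' 'peer 192.0.2.1:6789' \
        'key 0123456789abcdef0123456789abcdef' > "$1/b.opts"
    chmod 600 "$1/a.opts" "$1/b.opts"
}

d=$(mktemp -d) && make_samples "$d" &&
    cipe_pair_check "$d/a.opts" "$d/b.opts" && echo "pair OK"
rm -rf "$d"
```

Run it against the real pair before starting ciped from rc.local; a non-zero exit status means the two ends do not describe the same tunnel or the key is exposed.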