IPIP tunneling with Seattle Firewall requires the iproute2 package (the "ip" command) - http://defiant.coinet.com/iproute2/
IPIP tunnels can be used to bridge two masqueraded networks, and they can also be used to connect a mobile host to a masqueraded network. Keep in mind that IPIP is plain encapsulation: the inner packets cross the internet unencrypted and unauthenticated, and the only thing that identifies the far end is the source address of the outer packet, so only tunnel traffic you would be willing to send in the clear, or run something encrypted inside the tunnel.
Suppose that we have the following situation: system A, with public address 206.161.148.9, masquerades the 192.168.1.0/24 subnetwork, and system B, with public address 134.28.54.2, masquerades the 10.0.0.0/8 network.
We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with systems in the 10.0.0.0/8 network. This is accomplished by some entries in the seawall.conf file on each system and by modifying the "tunnel" script that is part of the Seattle Firewall distribution.
In seawall.conf on system A, we need the following:
tunnels=tosysb
gateways=134.28.54.2
nonmasq=10.0.0.0/8
In seawall.conf on system B, we would have:
tunnels=tosysa
gateways=206.161.148.9
nonmasq=192.168.1.0/24
In the tunnel script on system A, we would need:
tunnel=tosysb
myip=192.168.1.1
hisip=10.0.0.1
gateway=134.28.54.2
subnet=10.0.0.0/8
And in the tunnel script on system B:
tunnel=tosysa
myip=10.0.0.1
hisip=192.168.1.1
gateway=206.161.148.9
subnet=192.168.1.0/24
You can rename the modified tunnel scripts if you like; be sure that they are owned by root and writable and executable only by root, since they run as root and change the system's interfaces and routing. Then on both systems restart Seattle Firewall (type seawall restart) and run the modified tunnel script with the "start" argument (e.g., ./mytunnel start) on each system. Voila -- the systems in the two masqueraded subnetworks can now talk to each other.
IPIP can also be used to give a mobile host a fixed address in your masqueraded network no matter where it is actually attached to the internet.
Let's take this example: system A (public address 206.161.148.9) masquerades 192.168.1.0/24 as before, and host B is currently attached to the internet with address 134.28.54.2.
Suppose that we want host B to have address 192.168.1.43 in the masqueraded network.
In seawall.conf on system A:
tunnels=tosysb
gateways=134.28.54.2
nonmasq=192.168.1.43
And in seawall.conf on system B:
tunnels=tosysa
gateways=206.161.148.9
nonmasq=""
In the tunnel script on system A:
tunnel=tosysb
myip=192.168.1.1
hisip=192.168.1.43
gateway=134.28.54.2
subnet=""
And in the tunnel script on system B:
tunnel=tosysa
myip=192.168.1.43
hisip=192.168.1.1
gateway=206.161.148.9
subnet=192.168.1.0/24
You can rename the modified tunnel scripts if you like; be sure that they are owned by root and writable and executable only by root, since they run as root and change the system's interfaces and routing. Then on both systems restart Seattle Firewall (type seawall restart) and run the modified tunnel script with the "start" argument (e.g., ./mytunnel start) on each system. Voila -- system B now appears on the masqueraded subnet with address 192.168.1.43.
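The "tunnel" script itself is not reproduced on this page. The following is an added example, not Seattle Firewall's own script, of what a tunnel script built on iproute2 has to do with the five variables used in both examples above; the mapping from those variables to "ip" commands is an assumption made here, not taken from the distribution. The values are system A's from the two-subnet example; with subnet set to "" it is system A's side of the mobile-host example, and with the values swapped it is system B's side of either. The "show" action prints the commands instead of running them so the result can be checked before running it as root.

```shell
#!/bin/sh
# Added example: the iproute2 commands that the tunnel-script variables on
# this page correspond to. This is NOT Seattle Firewall's own "tunnel" script;
# the mapping from variables to "ip" commands is an assumption made here.
# The values are system A's from the two-subnet example.

tunnel=tosysb            # name of the tunnel interface on this system
myip=192.168.1.1         # this end's address inside the tunnel
hisip=10.0.0.1           # the far end's address inside the tunnel
gateway=134.28.54.2      # far end's public address (outer IP header)
subnet=10.0.0.0/8        # network behind the far end; "" for a single host

# Print the commands for an action without executing anything, so the
# mapping can be checked as an ordinary user.
tunnel_cmds() {
    case "$1" in
    start)
        # Outer packets are IP protocol 4 (IPIP) between here and $gateway.
        echo "ip tunnel add $tunnel mode ipip remote $gateway"
        echo "ip link set $tunnel up"
        # Point-to-point addressing; this also installs a host route to $hisip.
        echo "ip addr add $myip peer $hisip dev $tunnel"
        # Route the far network through the tunnel. In the mobile-host case
        # subnet is "" and the peer route from the line above is enough.
        if [ -n "$subnet" ]; then
            echo "ip route add $subnet dev $tunnel"
        fi
        ;;
    stop)
        if [ -n "$subnet" ]; then
            echo "ip route del $subnet dev $tunnel"
        fi
        echo "ip link set $tunnel down"
        echo "ip tunnel del $tunnel"
        ;;
    *)
        echo "usage: $0 {start|stop|show}" >&2
        return 1
        ;;
    esac
}

# Run the printed commands (needs root), or just show them.
case "${1:-}" in
start|stop) tunnel_cmds "$1" | sh -e ;;
show)       tunnel_cmds start ;;
esac
```

Because the encapsulation is plain IPIP (IP protocol 4) with no authentication, whatever arrives from the remote end is injected straight into the masqueraded network. Make sure the firewall accepts protocol 4 only from the peer's public address, and remember that a source address is easy to forge, so an IPIP tunnel on its own is not a substitute for a VPN.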
Last updated 5/6/2000 - Tom Eastep