Seattle Firewall

IPIP Tunneling -- Version 3.1 and later


WARNING: IPIP Tunnels are insecure when used over the internet; use them at your own risk. IPIP provides neither encryption nor authentication: anyone who can send packets to your gateway with the remote endpoint's source address can inject traffic that arrives as if it came from inside the masqueraded network, and anyone on the path can read what crosses the tunnel.

IPIP tunneling with Seattle Firewall requires iproute2 - http://defiant.coinet.com/iproute2/

IPIP tunnels can be used to bridge two masqueraded networks, and they can also be used to connect a mobile host to a masqueraded network.


Bridging two Masqueraded Networks

Suppose that we have the following situation: system A has internet address 206.161.148.9 and masquerades the 192.168.1.0/24 network; system B has internet address 134.28.54.2 and masquerades the 10.0.0.0/8 network.

We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with systems in the 10.0.0.0/8 network. This is accomplished by an entry in /etc/seawall/tunnels on each system and by modifying the "tunnel" script that is part of the Seattle Firewall distribution.

In /etc/seawall/tunnels on system A, we need the following

TYPE GATEWAY NAME/SERVER SUBNET
ipip 134.28.54.2 tosysb 10.0.0.0/8

In /etc/seawall/tunnels on system B, we would have:

TYPE GATEWAY NAME/SERVER SUBNET
ipip 206.161.148.9 tosysa 192.168.1.0/24

In the tunnel script on system A, we would need:

tunnel=tosysb
myip=192.168.1.1
hisip=10.0.0.1
gateway=134.28.54.2
subnet=10.0.0.0/8

And in the tunnel script on system B:

tunnel=tosysa
myip=10.0.0.1
hisip=192.168.1.1
gateway=206.161.148.9
subnet=192.168.1.0/24

You can rename the modified tunnel scripts if you like; be sure that they are secured so that only root can modify and execute them. Then on both systems restart Seattle Firewall (type seawall restart) and run the modified tunnel script with the "start" argument (e.g., ./mytunnel start) on each system. Voila -- the systems in the two masqueraded subnetworks can now talk to each other.


Mobile Host

IPIP can be used to give a mobile host a fixed address in your masqueraded network no matter where it is actually attached to the internet.

Let's take this example:

Suppose that system A is the same masquerading gateway as above (internet address 206.161.148.9, masquerading 192.168.1.0/24), host B is currently attached to the internet at 134.28.54.2, and we want host B to have address 192.168.1.43 in the masqueraded network.

In /etc/seawall/tunnels on system A:

TYPE GATEWAY NAME/SERVER SUBNET
ipip 134.28.54.2 tosysb 192.168.1.43/32

And on /etc/seawall/tunnels on system B:

TYPE GATEWAY NAME/SERVER SUBNET
ipip 206.161.148.9 tosysa

(the SUBNET column is left empty on system B)

In the tunnel script on system A:

tunnel=tosysb
myip=192.168.1.1
hisip=192.168.1.43
gateway=134.28.54.2
subnet=""

And in the tunnel script on system B:

tunnel=tosysa
myip=192.168.1.43
hisip=192.168.1.1
gateway=206.161.148.9
subnet=192.168.1.0/24

You can rename the modified tunnel scripts if you like; be sure that they are secured so that only root can modify and execute them. Then on both systems restart Seattle Firewall (type seawall restart) and run the modified tunnel script with the "start" argument (e.g., ./mytunnel start) on each system. Voila -- system B now appears on the masqueraded subnet with address 192.168.1.43.
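Neither procedure above shows what the tunnel script does with the five variables. The script below is an added example, not the Seattle Firewall distribution's own "tunnel" script, showing the iproute2 commands such a script has to issue for either case: with subnet set it serves the two-network example (the values shown are system A's from that example), and with subnet="" it serves system A's side of the mobile-host example, where the peer address alone gives the /32 route to the mobile host. The run helper and the DRYRUN variable are assumptions made for this example so that the commands can be printed and checked without root; the ip tunnel, ip link, ip addr and ip route sub-commands are standard iproute2.

```shell
#!/bin/sh
# Added example: bring one IPIP tunnel up or down with iproute2, driven by the
# same variables the Seattle Firewall tunnel script uses. Not the distribution's
# own script. Edit the five variables (or set them in the environment) per system.

tunnel=${tunnel-tosysb}          # NAME/SERVER column of /etc/seawall/tunnels
myip=${myip-192.168.1.1}         # this end's address inside the tunnel
hisip=${hisip-10.0.0.1}          # the far end's address inside the tunnel
gateway=${gateway-134.28.54.2}   # the far end's internet address (GATEWAY column)
subnet=${subnet-10.0.0.0/8}      # network reached through the tunnel; "" for a single host
DRYRUN=${DRYRUN-1}               # assumption for this example: print commands instead of running them

# run: echo the command when DRYRUN is set, otherwise execute it (needs root).
run() {
    if [ -n "$DRYRUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

tunnel_start() {
    # Create the IPIP interface pointed at the remote gateway's public address.
    run ip tunnel add "$tunnel" mode ipip remote "$gateway"
    run ip link set "$tunnel" up
    # Point-to-point addressing: a /32 route to hisip via this device comes for free,
    # which is all system A needs for a single mobile host (subnet="").
    run ip addr add "$myip" peer "$hisip" dev "$tunnel"
    # Route a whole remote network through the tunnel when one is configured.
    if [ -n "$subnet" ]; then
        run ip route add "$subnet" dev "$tunnel"
    fi
    return 0
}

tunnel_stop() {
    if [ -n "$subnet" ]; then
        run ip route del "$subnet" dev "$tunnel"
    fi
    run ip link set "$tunnel" down
    run ip tunnel del "$tunnel"
    return 0
}

case "$1" in
    start) tunnel_start ;;
    stop)  tunnel_stop ;;
    "")    ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```

To use it for real, run it as root with DRYRUN= in the environment (e.g. DRYRUN= ./mytunnel start); without that it only prints the commands so you can check them against your /etc/seawall/tunnels entries first.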


Last updated 5/20/2000 - Tom Eastep