Shorewall 1.1 IPIP Tunnels


Warning: IPIP tunnels are insecure when used over the internet: the encapsulation provides no encryption and no authentication, so the tunneled traffic crosses the internet in cleartext, and anyone who can forge packets with the remote gateway's source address can inject traffic into your private network. Use them at your own risk; if confidentiality or integrity matters, use an encrypted and authenticated tunnel (for example IPsec) instead.

IPIP tunneling with Shorewall requires iproute2 (the ip utility) and can be used to connect two masqueraded networks across the internet so that hosts on each side can reach hosts on the other.


Bridging two Masqueraded Networks

Suppose that we have the following situation: system A has the public address 206.191.148.9 on its internet interface and masquerades the 192.168.1.0/24 network, on which its own address is 192.168.1.1; system B has the public address 134.28.54.2 and masquerades the 10.0.0.0/8 network, on which its own address is 10.0.0.1. On both systems the internet is in the net zone.

We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is included with Shorewall. The tunnels entry accepts the encapsulated tunnel traffic (IP protocol 4) between the firewall and the remote gateway; the tunnel script creates the tunnel interface with iproute2; and the traffic that is allowed between the new gw zone and your other zones is governed by the entries you add for gw in /etc/shorewall/policy (and, if you want finer control, /etc/shorewall/rules).

On system A, the 10.0.0.0/8 network will comprise the gw zone. In /etc/shorewall/interfaces:

ZONE    INTERFACE    BROADCAST         OPTIONS
gw      tosysb       10.255.255.255

In /etc/shorewall/tunnels on system A, we need the following:

TYPE    ZONE    GATEWAY         GATEWAY ZONE
ipip    net     134.28.54.2

In the tunnel script on system A:

tunnel=tosysb          # name of the tunnel interface (must match the interfaces file)
myip=192.168.1.1       # this system's address on its own masqueraded network
hisip=10.0.0.1         # the remote system's address on its masqueraded network
gateway=134.28.54.2    # the remote system's public (internet) address
subnet=10.0.0.0/8      # the remote masqueraded network, routed through the tunnel

Similarly, on system B the 192.168.1.0/24 subnet will comprise the gw zone. In /etc/shorewall/interfaces:

ZONE    INTERFACE    BROADCAST         OPTIONS
gw      tosysa       192.168.1.255

In /etc/shorewall/tunnels on system B, we have:

TYPE    ZONE    GATEWAY         GATEWAY ZONE
ipip    net     206.191.148.9

And in the tunnel script on system B:

tunnel=tosysa
myip=10.0.0.1
hisip=192.168.1.1
gateway=206.191.148.9
subnet=192.168.1.0/24

You can rename the modified tunnel scripts if you like; be sure that they are owned by root and that only root can read, modify and execute them. Restart Shorewall on both systems, then run the modified tunnel script with the "start" argument on each system. The systems in the two masqueraded subnetworks can now talk to each other.
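As an added example (not Shorewall's own /etc/shorewall/tunnel script, whose contents are not reproduced on this page), the following POSIX shell script performs the steps the procedure above describes, using the same five variables and the addresses from the configuration. The exact ip(8) invocations, the DRYRUN switch and the environment overrides are this example's own choices, not something Shorewall defines.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the Shorewall 1.1 tunnel script that
# creates and tears down the IPIP tunnel with iproute2. Not Shorewall's code;
# assumes a reasonably modern iproute2 and must be run as root.
# Set DRYRUN=1 to print the commands instead of executing them.

# Defaults are system A's values (from the page); override them from the
# environment for system B, e.g.
#   tunnel=tosysa myip=10.0.0.1 hisip=192.168.1.1 \
#   gateway=206.191.148.9 subnet=192.168.1.0/24 ./tunnel start
tunnel=${tunnel:-tosysb}
myip=${myip:-192.168.1.1}
hisip=${hisip:-10.0.0.1}
gateway=${gateway:-134.28.54.2}
subnet=${subnet:-10.0.0.0/8}

# Execute a command, or just print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

tunnel_start() {
    # 1. create the IPIP interface; the remote end is the peer's public address
    run ip tunnel add "$tunnel" mode ipip remote "$gateway"
    # 2. bring the interface up
    run ip link set "$tunnel" up
    # 3. number it as a point-to-point link between the two private addresses
    run ip addr add "$myip" peer "$hisip" dev "$tunnel"
    # 4. send the remote masqueraded network through the tunnel
    run ip route add "$subnet" dev "$tunnel"
}

tunnel_stop() {
    # undo the steps above in reverse order
    run ip route del "$subnet" dev "$tunnel"
    run ip link set "$tunnel" down
    run ip tunnel del "$tunnel"
}

case "${1:-}" in
    start) tunnel_start ;;
    stop)  tunnel_stop ;;
    "")    ;;   # no argument: only define the functions (useful for sourcing)
    *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```

Run it with DRYRUN=1 first to review the commands it will issue. Note that the tunnels entry only restricts protocol 4 to the gateway address; since IPIP does not authenticate the outer source address, that restriction is only as strong as the anti-spoofing filtering on your internet interface.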


Updated 6/23/2001 - Tom Eastep