  The Linux Cipe+Masquerading mini-HOWTO
  Anthony Ciaravalo, acj@home.com
  v1.2, 21 April 1999
    hisai@din.or.jp
  xx Jul 1999

  How to build a VPN using Cipe on a Linux masquerading-type
  firewall.
  ______________________________________________________________________

  Table of contents

  1. Introduction
     1.1 Copyright
     1.2 Disclaimer
     1.3 Feedback
     1.4 About cipe
     1.5 Firewall setup
     1.6 VPN network diagram
     1.7 Key to the VPN network diagram
     1.8 Additional notes on the setup scripts and the VPN

  2. Machine A specific setup
     2.1 /etc/cipe/options.machineB
     2.2 /etc/cipe/options.machineC
     2.3 /etc/rc.d/rc.cipe
     2.4 Gateway

  3. Machine B specific setup
     3.1 /etc/cipe/options.machineA
     3.2 /etc/rc.d/rc.cipe
     3.3 Gateway

  4. Machine C specific setup
     4.1 /etc/cipe/options.machineA
     4.2 /etc/rc.d/rc.cipe
     4.3 Gateway

  5. Setup common to all machines
     5.1 /etc/cipe/ip-up
        5.1.1 Kernel 2.0, ipfwadm, cipe 1.0.x
        5.1.2 Kernel 2.1/2.2, ipchains, cipe 1.2.x
     5.2 /etc/cipe/ip-down
        5.2.1 Kernel 2.0, ipfwadm, cipe 1.0.x
        5.2.2 Kernel 2.1/2.2, ipchains, cipe 1.2.x

  6. Example masquerading firewall scripts
     6.1 Kernel 2.0, ipfwadm
     6.2 Kernel 2.1/2.2, ipchains

  7. Enabling everything
  8. Connecting to a WAN
  9. References
     9.1 Web sites
     9.2 Documents

  ______________________________________________________________________

  1.  Introduction

  This document is the Linux Cipe+Masquerading mini-HOWTO. It describes
  how to build a virtual private network between your LAN and other LANs
  using Cipe on a Linux masquerading-type firewall. The setup of the
  masquerading firewall itself is covered alongside it.

  1.1.  Copyright

  (C)opyright 1998, 1999 Anthony Ciaravalo, acj@home.com

  The copyright of this document is held by (C)opyright 1998, 1999
  Anthony Ciaravalo, acj@home.com.

  Unless otherwise stated, Linux HOWTO documents are copyrighted by their
  respective authors. Linux HOWTO documents may be reproduced and
  distributed in whole or in part, in any medium physical or electronic,
  as long as this copyright notice is retained on all copies. Commercial
  redistribution is allowed and encouraged; however, the author would
  like to be notified of any such distributions.

  All translations, derivative works, or aggregate works incorporating
  any Linux HOWTO documents must be covered under this copyright notice.
  That is, you may not produce a derivative work from a HOWTO and impose
  additional restrictions on its distribution. Exceptions to these rules
  may be granted under certain conditions; please contact the Linux HOWTO
  coordinator at the address given below.

  If you have questions, please contact Tim Bynum, the Linux HOWTO
  coordinator, at tjbynum@wallybox.cei.net or
  linux-howto@metalab.unc.edu.

  1.2.  Disclaimer

  Use the information in this document at your own risk.
  When connecting networks to each other over the Internet, security has
  to be taken into account. Without encryption, and without a properly
  configured firewall, your network may be open to unauthorized access.
  Connecting with cipe helps prevent such access to some degree, but it
  cannot be guaranteed 100 %. The author makes no guarantee whatsoever
  that a network built from the information in this document is secure.
  Every effort has been made to be as accurate as possible, but the
  author accepts no responsibility for any damage resulting from actions
  taken on the basis of this document.

  1.3.  Feedback

  Questions, comments, or corrections should be sent to acj@home.com.

  1.4.  About cipe

  This document is based on Cipe 1.0.1 and 1.0.2. See the Cipe home page
  listed in the references section.

  1.5.  Firewall setup

  This document assumes you already have a kernel with IP masquerading
  support. For how to build a kernel with firewall support on Linux, see
  the references.

  1.6.  VPN network diagram

  The example network is connected in a star configuration through a
  hub. The cipe connections are machine A to machine B and machine A to
  machine C.

       ______________________________________________________________________

                          Machine A
                       eth0: 192.168.1.1
                       eth1: real ip 1
                      /               \
                     /                 \
            Machine B                  Machine C
          eth0: 192.168.2.1           eth0:192.168.3.1
          eth1: real ip 2             eth1: real ip 3
       ______________________________________________________________________

  1.7.  Key to the VPN network diagram

       ______________________________________________________________________
       eth0 is the local network (dummy addresses)
       eth1 is the Internet address (real address)

       Port A is any port that does not conflict with anything else on
              your setup.
       Port B is any port other than A that does not conflict with
              anything else on your setup.

       Key A is a unique secret key for your setup (see the cipe
             documentation for details).
       Key B is a unique secret key other than A.
       ______________________________________________________________________

  1.8.  Additional notes on the setup scripts and the VPN

  The ip-up script assumes that the networks joined over the cipe
  interface are class C networks. If machines B and C are not on class C
  networks, the ip-up and ip-down scripts must be changed accordingly;
  in particular, the netmasks applied to ptpaddr and myaddr must be
  corrected. Two ip-up scripts are given, one for ipchains and one for
  ipfwadm, and the same goes for ip-down. The firewall rules for traffic
  coming in to, going out of, and forwarded through the cipe interface
  must have their netmask changed from 24 bits to 16 bits. With the
  ipfwadm ip-up script, make sure that any firewall rule you change in
  ip-up is reflected in the ip-down script, and confirm that these rules
  really are removed without error when the interface goes down. With
  the ipchains configuration no change to ip-down is needed, because
  ip-down flushes all of the user-defined rules for the interface.

  Also, so that machines B and C can route to each other's network,
  uncomment the routing entries for the B and C networks in rc.cipe.
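  The netmask adjustments described above, as an added example that is
  not part of the HOWTO or of cipe: POSIX sh functions that derive the
  remote network route and the per-interface ipchains forward rules for
  any prefix length instead of the hard-coded /24, so the 24-to-16 bit
  change is made in one place. The function names are assumptions made
  here; the addresses are the HOWTO's own.

```shell
#!/bin/sh
# Added example (not from the HOWTO): generalise the /24 that ip-up
# hard-codes with expr to any prefix length between 8 and 30.

# prefix_to_netmask PREFIX -> dotted netmask, e.g. 16 -> 255.255.0.0
prefix_to_netmask() {
    _p=$1; _out=""
    for _i in 1 2 3 4; do
        if [ "$_p" -ge 8 ]; then
            _o=255; _p=$((_p - 8))
        else
            _o=$(( (255 << (8 - _p)) & 255 )); _p=0
        fi
        _out="$_out${_out:+.}$_o"
    done
    printf '%s\n' "$_out"
}

# cipe_network ADDR PREFIX -> network address, e.g. 192.168.2.1 16 -> 192.168.0.0
cipe_network() {
    _addr=$1; _mask=$(prefix_to_netmask "$2")
    _oldifs=$IFS; IFS=.
    set -- $_addr; _a1=$1; _a2=$2; _a3=$3; _a4=$4
    set -- $_mask; _m1=$1; _m2=$2; _m3=$3; _m4=$4
    IFS=$_oldifs
    printf '%s.%s.%s.%s\n' $((_a1 & _m1)) $((_a2 & _m2)) \
                           $((_a3 & _m3)) $((_a4 & _m4))
}

# cipe_route_cmd DEVICE PTPADDR PREFIX -> the route command ip-up would run
cipe_route_cmd() {
    printf 'route add -net %s netmask %s dev %s\n' \
        "$(cipe_network "$2" "$3")" "$(prefix_to_netmask "$3")" "$1"
}

# cipe_ipchains_rules DEVICE IPADDR PTPADDR PREFIX -> the forward-chain rules
# from the HOWTO's ipchains ip-up, with /24 replaced by the given prefix
cipe_ipchains_rules() {
    cat <<EOF
ipchains -A ${1}f -j ACCEPT -i $1 -s $2/$4 -d $3/$4
ipchains -A ${1}f -j ACCEPT -i $1 -s $3/$4 -d $2/$4
ipchains -A ${1}f -j DENY -s 0/0 -d 0/0 -l
EOF
}

# Demo with machine A's link to machine B: /24 as in the scripts, then /16
# as section 1.8 describes.
cipe_route_cmd cipcb0 192.168.2.1 24
cipe_route_cmd cipcb0 192.168.2.1 16
cipe_ipchains_rules cipcb0 192.168.1.1 192.168.2.1 16
```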
  2.  Machine A specific setup

  2.1.  /etc/cipe/options.machineB

       ______________________________________________________________________

       #uncomment 1 below
       #name for cipe 1.0.x
       #device          cip3b0
       #name for cipe 1.2.x
       device          cipcb0

       # remote internal (fake) ip address
       ptpaddr         192.168.2.1
       # my cipe (fake) ip address
       ipaddr          192.168.1.1
       # my real ip address and cipe port
       me              (real ip 1):(port A)
       # remote real ip address and cipe port
       peer            (real ip 2):(port A)
       #unique 128 bit key
       key             (Key A)
       ______________________________________________________________________

  2.2.  /etc/cipe/options.machineC

       ______________________________________________________________________

       #uncomment 1 below
       #name for cipe 1.0.x
       #device          cip3b1
       #name for cipe 1.2.x
       device          cipcb1

       # remote internal (fake) ip address
       ptpaddr         192.168.3.1
       # my cipe (fake) ip address
       ipaddr          192.168.1.1
       # my real ip address and cipe port
       me              (real ip 1):(port B)
       # remote real ip address and cipe port
       peer            (real ip 3):(port B)
       #unique 128 bit key
       key             (Key B)
       ______________________________________________________________________
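  A pre-flight check for the options files, added here as an example
  and not part of the HOWTO or of cipe: it checks the points the diagram
  key makes (a 128-bit key, assumed here to be written as 32 hexadecimal
  digits, and distinct local ports per file on one machine) and that a
  file holding the shared key is not readable by other users. The
  function names, the sample files and the 192.0.2.x addresses are
  constructed for the example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): sanity-check /etc/cipe/options.*
# files before rc.cipe hands them to ciped.

# opt_value FILE NAME -> value of option NAME (first match; "#name" lines ignored)
opt_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\)$/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# check_key FILE -> 0 if the key is 32 hex digits (128 bits), 1 otherwise
check_key() {
    _k=$(opt_value "$1" key)
    case $_k in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ ${#_k} -eq 32 ]
}

# check_perms FILE -> 0 if neither group nor others can read the file
check_perms() {
    _mode=$(ls -l "$1" | cut -c5-10)   # group and other permission bits
    case $_mode in *r*) return 1 ;; esac
    return 0
}

# check_unique_ports FILE... -> 0 if every "me" port across the files differs
check_unique_ports() {
    for _f in "$@"; do opt_value "$_f" me | sed 's/.*://'; done |
        sort | uniq -d | grep -q . && return 1
    return 0
}

# check_options FILE... -> 0 if all checks pass; prints each failure
check_options() {
    _rc=0
    for _f in "$@"; do
        check_key "$_f"   || { echo "$_f: key is not 32 hex digits"; _rc=1; }
        check_perms "$_f" || { echo "$_f: readable by group/others (chmod 600)"; _rc=1; }
    done
    check_unique_ports "$@" || { echo "duplicate local cipe port in: $*"; _rc=1; }
    return $_rc
}

# Constructed sample files modelled on machine A's two options files. The
# first is sound (placeholder key, not a real one); the second reuses the
# same local port, has a short key and is world-readable.
tmp=$(mktemp -d)
cat > "$tmp/options.machineB" <<'EOF'
device          cipcb0
ptpaddr         192.168.2.1
ipaddr          192.168.1.1
me              192.0.2.1:6789
peer            192.0.2.2:6789
key             0123456789abcdef0123456789abcdef
EOF
cat > "$tmp/options.machineC" <<'EOF'
device          cipcb1
ptpaddr         192.168.3.1
ipaddr          192.168.1.1
me              192.0.2.1:6789
peer            192.0.2.3:6789
key             deadbeef
EOF
chmod 600 "$tmp/options.machineB"
chmod 644 "$tmp/options.machineC"

check_options "$tmp"/options.* || echo "problems found, fix before starting ciped"
```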

  2.3.  /etc/rc.d/rc.cipe

  ______________________________________________________________________

  #!/bin/bash
  #rc.cipe  3/29/1999
  #Send questions or comments to acj@home.com.

  #Setup script path
  PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

  #Options filenames in cipe directory for cipe interfaces
  options="options.machineB options.machineC"

  #Automatically obtain options filenames from cipe directory
  #options=`/bin/ls /etc/cipe/options.*`

  #Uncomment 1 below for the cipe module name
  #cipemod="cip3b"        #for cipe 1.0
  cipemod="cipcb"        #for cipe 1.2

  #Check for cipe module and load if not already loaded
  grep $cipemod /proc/modules >/dev/null
  if [ "$?" = "1" ]; then
          echo Loading cipe module.
          modprobe $cipemod
          if [ "$?" = "1" ]; then
                  echo Error loading cipe module...exiting.
                  exit
          fi
  else
          echo Cipe module already loaded.
  fi

  #Remove any existing cipe interfaces
  cipeif=`cat /proc/net/dev | cut -f1 -d: | grep $cipemod`

  if [ "$cipeif" != "" ]; then
          echo Removing existing cipe interface(s).
          for i in $cipeif; do
                  ifconfig $i down
          done
  fi

  #Setup cipe interfaces
  echo -n "Setting up cipe interface(s): "
  for config in $options; do
          echo -n $config" "
          ciped -o $config
  done
  echo
  echo

  #Add routes for other remote networks via cipe interface(s)
  #route add -net x.x.x.x netmask x.x.x.x gw x.x.x.x

  ______________________________________________________________________

  2.4.  Gateway

  All machines on the 192.168.1.0 network must use 192.168.1.1 as their
  gateway. Otherwise it will not work.

  3.  Machine B specific setup

  3.1.  /etc/cipe/options.machineA

       ______________________________________________________________________

       #uncomment 1 below
       #name for cipe 1.0.x
       #device          cip3b0
       #name for cipe 1.2.x
       device          cipcb0

       #remote internal (fake) ip address
       ptpaddr         192.168.1.1
       # my cipe (fake) ip address
       ipaddr          192.168.2.1
       # my real ip address and cipe port
       me              (real ip 1):(port A)
       # remote real ip address and cipe port
       peer            (real ip 2):(port A)
       #unique 128 bit key
       key             (Key A)
       ______________________________________________________________________

  3.2.  /etc/rc.d/rc.cipe

  ______________________________________________________________________

  #!/bin/bash
  #rc.cipe  3/29/1999
  #Send questions or comments to acj@home.com.

  #Setup script path
  PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

  #Options filenames in cipe directory for cipe interfaces
  options="options.machineA"

  #Automatically obtain options filenames from cipe directory
  #options=`/bin/ls /etc/cipe/options.*`

  #Uncomment 1 below for the cipe module name
  #cipemod="cip3b"        #for cipe 1.0
  cipemod="cipcb"        #for cipe 1.2

  #Check for cipe module and load if not already loaded
  grep $cipemod /proc/modules >/dev/null
  if [ "$?" = "1" ]; then
          echo Loading cipe module.
          modprobe $cipemod
          if [ "$?" = "1" ]; then
                  echo Error loading cipe module...exiting.
                  exit
          fi
  else
          echo Cipe module already loaded.
  fi

  #Remove any existing cipe interfaces
  cipeif=`cat /proc/net/dev | cut -f1 -d: | grep $cipemod`

  if [ "$cipeif" != "" ]; then
          echo Removing existing cipe interface(s).
          for i in $cipeif; do
                  ifconfig $i down
          done
  fi

  #Setup cipe interfaces
  echo -n "Setting up cipe interface(s): "
  for config in $options; do
          echo -n $config" "
          ciped -o $config
  done
  echo
  echo

  #Add routes for other remote networks via cipe interface(s)
  #route add -net x.x.x.x netmask x.x.x.x gw x.x.x.x
  #route to machine C network
  #route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1
  ______________________________________________________________________

  3.3.  Gateway

  All machines on the 192.168.2.0 network must use 192.168.2.1 as their
  gateway. Otherwise it will not work.

  4.  Machine C specific setup

  4.1.  /etc/cipe/options.machineA

       ______________________________________________________________________

       #uncomment 1 below
       #name for cipe 1.0.x
       #device          cip3b0
       #name for cipe 1.2.x
       device          cipcb0

       #remote internal (fake) ip address
       ptpaddr         192.168.1.1
       # my cipe (fake) ip address
       ipaddr          192.168.3.1
       # my real ip address and cipe port
       me              (real ip 3):(port B)
       #remote real ip address and cipe port
       peer            (real ip 1):(port B)
       #unique 128 bit key
       key             (Key B)
       ______________________________________________________________________

  4.2.  /etc/rc.d/rc.cipe

  ______________________________________________________________________

  #!/bin/bash
  #rc.cipe  3/29/1999
  #Send questions or comments to acj@home.com.

  #Setup script path
  PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

  #Options filenames in cipe directory for cipe interfaces
  options="options.machineA"

  #Automatically obtain options filenames from cipe directory
  #options=`/bin/ls /etc/cipe/options.*`

  #Uncomment 1 below for the cipe module name
  #cipemod="cip3b"        #for cipe 1.0
  cipemod="cipcb"        #for cipe 1.2

  #Check for cipe module and load if not already loaded
  grep $cipemod /proc/modules >/dev/null
  if [ "$?" = "1" ]; then
          echo Loading cipe module.
          modprobe $cipemod
          if [ "$?" = "1" ]; then
                  echo Error loading cipe module...exiting.
                  exit
          fi
  else
          echo Cipe module already loaded.
  fi

  #Remove any existing cipe interfaces
  cipeif=`cat /proc/net/dev | cut -f1 -d: | grep $cipemod`

  if [ "$cipeif" != "" ]; then
          echo Removing existing cipe interface(s).
          for i in $cipeif; do
                  ifconfig $i down
          done
  fi

  #Setup cipe interfaces
  echo -n "Setting up cipe interface(s): "
  for config in $options; do
          echo -n $config" "
          ciped -o $config
  done
  echo
  echo

  #Add routes for other remote networks via cipe interface(s)
  #route add -net x.x.x.x netmask x.x.x.x gw x.x.x.x
  #route to machine B network
  #route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1
  ______________________________________________________________________

  4.3.  Gateway

  All machines on the 192.168.2.0 network must use 192.168.2.1 as their
  gateway. Otherwise it will not work.

  5.  Setup common to all machines

  5.1.  /etc/cipe/ip-up

  5.1.1.  Kernel 2.0, ipfwadm, cipe 1.0.x

  ______________________________________________________________________

  #!/bin/bash
  # ip-up <interface> <myaddr> <daemon-pid> <local> <remote> <arg>
  #3/29/1999
  #An example ip-up script for the older 1.x 2.x kernels using ipfwadm that
  #will setup routes and firewall rules to connect your local class c network
  #to a remote class c network.

  #The rules are configured to prevent spoofing and stuffed routing between
  #the networks.  There are also additional security enhancements commented
  #out towards the bottom of the script.
  #Send questions or comments to acj@home.com.

  #--------------------------------------------------------------------------
  #Set some script variables
  device=$1               # the CIPE interface
  me=$2                   # our UDP address
  pid=$3                  # the daemon's process ID
  ipaddr=$4               # IP address of our CIPE device
  ptpaddr=$5              # IP address of the remote CIPE device
  option=$6               # argument supplied via options

  PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

  #comment/uncomment to enable/disable kernel logging for all unauthorized
  #access attempts. Must be same as ip-down script in order to remove rules.
  log="-o"

  #--------------------------------------------------------------------------
  umask 022

  # just a logging example
  #echo "UP   $*" >> /var/adm/cipe.log

  # many systems like these pid files
  #echo $3 > /var/run/$device.pid

  #--------------------------------------------------------------------------

  #add route entry for remote cipe network
  network=`expr $ptpaddr : '\([0-9]*\.[0-9]*\.[0-9]*\.\)'`0
  route add -net $network netmask 255.255.255.0 dev $device

  #need to add route entry for host in 2.0 kernels
  route add -host $ptpaddr dev $device

  #--------------------------------------------------------------------------
  #cipe interface incoming firewall rules
  #must be inserted into list in reverse order

  #deny all other incoming packets to cipe interface
  ipfwadm -I -i deny -W $device -S 0/0 -D 0/0 $log

  #accept incoming packets from remotenet to localnet on cipe interface
  ipfwadm -I -i accept -W $device -S $ptpaddr/24 -D $ipaddr/24

  #accept incoming packets from localnet to remotenet on cipe interface
  ipfwadm -I -i accept -W $device -S $ipaddr/24 -D $ptpaddr/24

  #deny incoming packets, cipe interface, claiming to be from localnet; log
  ipfwadm -I -i deny -W $device -S $ipaddr/24 -D $ipaddr/24 $log

  #--------------------------------------------------------------------------
  #cipe interface outgoing firewall rules
  #must be inserted into list in reverse order
  #deny all other outgoing packets from cipe interface
  ipfwadm -O -i deny -W $device -S 0/0 -D 0/0 $log

  #accept outgoing from remotenet to localnet on cipe interface
  ipfwadm -O -i accept -W $device -S $ptpaddr/24 -D $ipaddr/24

  #accept outgoing from localnet to remotenet on cipe interface
  ipfwadm -O -i accept -W $device -S $ipaddr/24 -D $ptpaddr/24

  #deny outgoing to localnet from localnet, cipe interface, deny; log
  ipfwadm -O -i deny -W $device -S $ipaddr/24 -D $ipaddr/24 $log

  #--------------------------------------------------------------------------
  #The forwarding is configured so machines on your local network do not get
  #masqueraded to the remote network.  This provides better access control
  #between networks.  Must be inserted into list in reverse order

  #deny all other forwarding through cipe interface; log
  ipfwadm -F -i deny -W $device -S 0/0 -D 0/0 $log

  #accept forwarding from remotenet to localnet on cipe interfaces
  ipfwadm -F -i accept -W $device -S $ptpaddr/24 -D $ipaddr/24

  #accept forwarding from localnet to remotenet on cipe interfaces
  ipfwadm -F -i accept -W $device -S $ipaddr/24 -D $ptpaddr/24

  #--------------------------------------------------------------------------
  #Make sure forwarding is enabled in the kernel. The kernel by default may
  #have forwarding disabled.
  /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

  #--------------------------------------------------------------------------
  #Optional security enhancement - set default forward policy to
  #DENY or REJECT.  If your forwarding default policy is DENY/REJECT
  #you will need to add the following rules to your main forward chain.  It
  #is a good idea to have all default policies set for DENY or
  #REJECT.

  #define machine interfaces
  #localif="eth0"
  #staticif="eth1"                ;cable modem users
  #staticif="ppp0"                ;dialup users

  #a real sloppy way to get the peer ip address from the options file - a new
  #argument with peer ip:port passed to script would be nice.
  #both lines need to be uncommented
  #peerfile=`grep $device /etc/cipe/options.* | cut -f1 -d:`
  #peer=`grep peer $peerfile | cut -f1 -d: | awk '{print $2}'`

  #must log peer ip address for ip-down script
  #echo $peer > /var/run/$device.peerip

  #accept forwarding from localnet to remotenet on internal network interface
  #ipfwadm -F -i accept -W $localif -S $ipaddr/24 -D $ptpaddr/24
  #accept forwarding from remotenet to localnet on internal network interface
  #ipfwadm -F -i accept -W $localif -S $ptpaddr/24 -D $ipaddr/24
  #accept forwarding on staticif from me to peer
  #myaddr=`echo $me | cut -f1 -d:`
  #ipfwadm -F -i accept -W $staticif -S $myaddr -D $peer
  #--------------------------------------------------------------------------
  #Other optional security enhancement
  #block all incoming requests from everywhere to our cipe udp port
  #except our peer's udp port

  #need to determine udp ports for the cipe interfaces
  #get our udp port
  #if [ "$option" = "" ]; then
  #       myport=`echo $me | cut -f2 -d:`
  #else
  #       myport=$option
  #fi

  #get remote udp port -- peerfile variable must be set above
  #peerport=`grep peer $peerfile | cut -f2 -d:`

  #must log peer udp port for ip-down script
  #echo $peerport > /var/run/$device.peerport

  #get our ip address
  #myaddr=`echo $me | cut -f1 -d:`

  #deny and log all requests to cipe udp port must be inserted first
  #ipfwadm -I -i deny -P udp -W $staticif -S 0/0 -D $myaddr $myport $log
  #accept udp packets from peer at udp cipe port to my udp cipe port
  #ipfwadm -I -i accept -P udp -W $staticif -S $peer $peerport \
  #-D $myaddr $myport

  exit 0
  ______________________________________________________________________

  5.1.2.  Kernel 2.1/2.2, ipchains, cipe 1.2.x

  ______________________________________________________________________

  #!/bin/bash
  # ip-up <interface> <myaddr> <daemon-pid> <local> <remote> <arg>
  #3/29/1999
  #An example ip-up script for the newer 2.1/2.2 kernels using ipchains that
  #will setup routes and firewall rules to connect your local class c network
  #to a remote class c network.  This script creates 3 user defined chains
  #-input, output, and forward - for each cipe interface, based on the
  #interface name. It will then insert a rule into each of the built-in
  #input, output, and forward chains to use the user defined chains. The
  #rules are configured to prevent spoofing and stuffed routing between the
  #networks. There are also additional security enhancements commented out
  #towards the bottom of the script.
  #Send questions or comments to acj@home.com.

  #--------------------------------------------------------------------------

  #Set some script variables
  device=$1               # the CIPE interface
  me=$2                   # our UDP address
  pid=$3                  # the daemon's process ID
  ipaddr=$4               # IP address of our CIPE device
  ptpaddr=$5              # IP address of the remote CIPE device
  option=$6               # argument supplied via options

  PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

  #comment/uncomment to enable/disable kernel logging for all unauthorized
  #access attempts. Must be same as ip-down script in order to remove rules.
  log="-l"

  #--------------------------------------------------------------------------
  umask 022
  # just a logging example
  #echo "UP   $*" >> /var/adm/cipe.log

  # many systems like these pid files
  #echo $3 > /var/run/$device.pid

  #--------------------------------------------------------------------------
  #add route entry for remote cipe network
  network=`expr $ptpaddr : '\([0-9]*\.[0-9]*\.[0-9]*\.\)'`0
  route add -net $network netmask 255.255.255.0 dev $device

  #--------------------------------------------------------------------------
  #create new ipchain for cipe interface input rules
  ipchains -N $device"i"
  #flush all rules in chain (sanity flush)
  ipchains -F $device"i"
  #deny incoming packets, cipe interface, claiming to be from localnet; log
  ipchains -A $device"i" -j DENY -i $device -s $ipaddr/24 -d $ipaddr/24 $log
  #accept incoming packets from localnet to remotenet on cipe interface
  ipchains -A $device"i" -j ACCEPT -i $device -s $ipaddr/24 -d $ptpaddr/24
  #accept incoming packets from remotenet to localnet on cipe interface
  ipchains -A $device"i" -j ACCEPT -i $device -s $ptpaddr/24 -d $ipaddr/24
  #deny all other incoming packets
  ipchains -A $device"i" -j DENY -s 0/0 -d 0/0 $log

  #--------------------------------------------------------------------------
  #create new ipchain for cipe interface output rules
  ipchains -N $device"o"
  #flush all rules in chain (sanity flush)
  ipchains -F $device"o"
  #deny outgoing to localnet from localnet, cipe interface, deny; log
  ipchains -A $device"o" -j DENY -i $device -s $ipaddr/24 -d $ipaddr/24 $log
  #accept outgoing from localnet to remotenet on cipe interface
  ipchains -A $device"o" -j ACCEPT -i $device -s $ipaddr/24 -d $ptpaddr/24
  #accept outgoing from remotenet to localnet on cipe interface
  ipchains -A $device"o" -j ACCEPT -i $device -s $ptpaddr/24 -d $ipaddr/24
  #deny all other outgoing packets
  ipchains -A $device"o" -j DENY -s 0/0 -d 0/0 $log

  #--------------------------------------------------------------------------
  #The forward chain is configured so machines on your local network do not
  #get masqueraded to the remote network.  This provides better access
  #control between networks.

  #create new ipchain for cipe interface forward rules
  ipchains -N $device"f"
  #flush all rules in chain (sanity flush)
  ipchains -F $device"f"
  #accept forwarding from localnet to remotenet on cipe interfaces
  ipchains -A $device"f" -j ACCEPT -i $device -s $ipaddr/24 -d $ptpaddr/24
  #accept forwarding from remotenet to localnet on cipe interfaces
  ipchains -A $device"f" -j ACCEPT -i $device -s $ptpaddr/24 -d $ipaddr/24
  #deny all other forwarding; log
  ipchains -A $device"f" -j DENY -s 0/0 -d 0/0 $log

  #--------------------------------------------------------------------------
  #Make sure forwarding is enabled in the kernel. New kernels by default have
  #forwarding disabled.
  /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

  #--------------------------------------------------------------------------
  #insert rules to main input, output, and forward chains to enable new rules
  #for the cipe interface
  ipchains -I input -i $device -j $device"i"
  ipchains -I output -i $device -j $device"o"
  ipchains -I forward -i $device -j $device"f"

  #--------------------------------------------------------------------------
  #Optional security enhancement - set built-in forward chain policy to
  #DENY or REJECT.  If your main forward chain default policy is DENY/REJECT
  #you will need to add the following rules to your main forward chain.  It
  #is a good idea to have all built-in chain default policies set for DENY or
  #REJECT.

  #define machine interfaces
  #localif="eth0"
  #staticif="eth1"                ;cable modem users
  #staticif="ppp0"                ;dialup users

  #a real sloppy way to get the peer ip address from the options file - a new
  #argument with peer ip:port passed to script would be nice.
  #both lines need to be uncommented
  #peerfile=`grep $device /etc/cipe/options.* | cut -f1 -d:`
  #peer=`grep peer $peerfile | cut -f1 -d: | awk '{print $2}'`

  #must log peer ip address for ip-down script
  #echo $peer > /var/run/$device.peerip

  #accept forwarding from localnet to remotenet on internal network interface
  #ipchains -I forward -j ACCEPT -i $localif -s $ipaddr/24 -d $ptpaddr/24
  #accept forwarding from remotenet to localnet on internal network interface
  #ipchains -I forward -j ACCEPT -i $localif -s $ptpaddr/24 -d $ipaddr/24
  #accept forwarding on staticif from me to peer
  #myaddr=`echo $me | cut -f1 -d:`
  #ipchains -I forward -j ACCEPT -i $staticif -s $myaddr -d $peer
  #--------------------------------------------------------------------------
  #Other optional security enhancement
  #block all incoming requests from everywhere to our cipe udp port
  #except our peer's udp port

  #need to determine udp ports for the cipe interfaces
  #get our udp port
  #if [ "$option" = "" ]; then
  #       myport=`echo $me | cut -f2 -d:`
  #else
  #       myport=$option
  #fi

  #get remote udp port -- peerfile variable must be set above
  #peerport=`grep peer $peerfile | cut -f2 -d:`

  #must log peer udp port for ip-down script
  #echo $peerport > /var/run/$device.peerport

  #get our ip address
  #myaddr=`echo $me | cut -f1 -d:`

  #deny and log all requests to cipe udp port must be inserted first
  #ipchains -I input -j DENY -p udp -i $staticif -s 0/0 \
  #-d $myaddr $myport $log
  #accept udp packets from peer at udp cipe port to my udp cipe port
  #ipchains -I input -j ACCEPT -p udp -i $staticif -s $peer $peerport \
  # -d $myaddr $myport

  #--------------------------------------------------------------------------
  # Set up spoofing protection in kernel as an additional security measure
  #--------------------------------------------------------------------------
  #Why do I have spoofing protection in the firewall rules in addition to
  #this script that sets up spoof protection for each interface in the
  #kernel? Guess I'm paranoid.

  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
          echo -n "Setting up IP spoofing protection..."
          iface="/proc/sys/net/ipv4/conf/$device/rp_filter"
          echo 1 > $iface
          echo "done."
  else
          echo "Cannot setup spoof protection in kernel for $device" \
                  | mail -s"Security Warning: $device" root
          exit 1
  fi

  exit 0
  ______________________________________________________________________

  5.2.  /etc/cipe/ip-down

  5.2.1.  Kernel 2.0, ipfwadm, cipe 1.0.x

  ______________________________________________________________________

  #!/bin/bash

  # ip-down <interface> <myaddr> <daemon-pid> <local> <remote> <arg>
  #3/29/1999
  #An example ip-down script for the older 1.x 2.x kernels using ipfwadm that
  #will remove firewall rules that were setup to connect your local class c
  #network to a remote class c network.

  #--------------------------------------------------------------------------
  #Set some script variables
  device=$1               # the CIPE interface
  me=$2                   # our UDP address
  pid=$3                  # the daemon's process ID
  ipaddr=$4               # IP address of our CIPE device
  ptpaddr=$5              # IP address of the remote CIPE device
  option=$6               # argument supplied via options

  PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

  #comment/uncomment to enable/disable kernel logging for all unauthorized
  #access attempts. Must be same as ip-up script in order to remove rules.
  log="-o"

  #--------------------------------------------------------------------------
  umask 022

  # just a logging example
  #echo "DOWN   $*" >> /var/adm/cipe.log

  # many systems like these pid files
  #rm -f /var/run/$device.pid

  #--------------------------------------------------------------------------
  #cipe interface incoming firewall rules

  #delete (deny all other incoming packets to cipe interface)
  ipfwadm -I -d deny -W $device -S 0/0 -D 0/0 $log

  #delete (accept incoming packets from remotenet to localnet on cipe
  #interface)
  ipfwadm -I -d accept -W $device -S $ptpaddr/24 -D $ipaddr/24

  #delete (accept incoming packets from localnet to remotenet on cipe
  #interface)
  ipfwadm -I -d accept -W $device -S $ipaddr/24 -D $ptpaddr/24

  #delete (deny incoming packets, cipe interface, claiming to be from
  #localnet and log)
  ipfwadm -I -d deny -W $device -S $ipaddr/24 -D $ipaddr/24 $log

  #--------------------------------------------------------------------------
  #cipe interface outgoing firewall rules

  #delete (deny all other outgoing packets from cipe interface)
  ipfwadm -O -d deny -W $device -S 0/0 -D 0/0 $log

  #delete (accept outgoing from remotenet to localnet on cipe interface)
  ipfwadm -O -d accept -W $device -S $ptpaddr/24 -D $ipaddr/24

  #delete (accept outgoing from localnet to remotenet on cipe interface)
  ipfwadm -O -d accept -W $device -S $ipaddr/24 -D $ptpaddr/24

  #delete (deny outgoing to localnet from localnet, cipe interface, deny
  #and log)
  ipfwadm -O -d deny -W $device -S $ipaddr/24 -D $ipaddr/24 $log

  #--------------------------------------------------------------------------
  #cipe interface forwarding firewall rules

  #delete (deny all other forwarding through cipe interface; log)
  ipfwadm -F -d deny -W $device -S 0/0 -D 0/0 $log

  #delete (accept forwarding from remotenet to localnet on cipe interfaces)
  ipfwadm -F -d accept -W $device -S $ptpaddr/24 -D $ipaddr/24

  #delete (accept forwarding from localnet to remotenet on cipe interfaces)
  ipfwadm -F -d accept -W $device -S $ipaddr/24 -D $ptpaddr/24

  #--------------------------------------------------------------------------
  #Optional security enhancement - set default forward policy to
  #DENY or REJECT.  If your forwarding default policy is DENY/REJECT
  #you will need to add the following rules to your main forward chain.  It
  #is a good idea to have all default policies set for DENY or
  #REJECT.

  #define machine interfaces
  #localif="eth0"
  #staticif="eth1"                ;cable modem users
  #staticif="ppp0"                ;dialup users

  #a real sloppy way to get the peer ip address from the options file - a new
  #argument with peer ip:port passed to script would be nice.
  #both lines need to be uncommented
  #peerfile=`grep $device /etc/cipe/options.* | cut -f1 -d:`
  #peer=`grep peer $peerfile | cut -f1 -d: | awk '{print $2}'`

  #must log peer ip address for ip-down script
  #echo $peer > /var/run/$device.peerip

  #delete (accept forwarding from localnet to remotenet on internal network
  #interface)
  #ipfwadm -F -d accept -W $localif -S $ipaddr/24 -D $ptpaddr/24
  #delete (accept forwarding from remotenet to localnet on internal network
  #interface)
  #ipfwadm -F -d accept -W $localif -S $ptpaddr/24 -D $ipaddr/24
  #delete (accept forwarding on staticif from me to peer)
  #myaddr=`echo $me | cut -f1 -d:`
  #ipfwadm -F -d accept -W $staticif -S $myaddr -D $peer
  #--------------------------------------------------------------------------
  #Other optional security enhancement
  #block all incoming requests from everywhere to our cipe udp port
  #except our peer's udp port

  #need to determine udp ports for the cipe interfaces
  #get our udp port
  #if [ "$option" = "" ]; then
  #       myport=`echo $me | cut -f2 -d:`
  #else
  #       myport=$option
  #fi

  #get remote udp port -- peerfile variable must be set above
  #peerport=`grep peer $peerfile | cut -f2 -d:`

  #must log peer udp port for ip-down script
  #echo $peerport > /var/run/$device.peerport

  #get our ip address
  #myaddr=`echo $me | cut -f1 -d:`

  #delete (deny and log all requests to cipe udp port must be inserted first)
  #ipfwadm -I -d deny -P udp -W $staticif -S 0/0 -D $myaddr $myport $log
  #delete (accept udp packets from peer at udp cipe port to my udp cipe port)
  #ipfwadm -I -d accept -P udp -W $staticif -S $peer $peerport \
  #-D $myaddr $myport

  exit 0
  ______________________________________________________________________

  5.2.2.  Kernel 2.1/2.2 with ipchains and cipe 1.2.x

  ______________________________________________________________________

  #!/bin/sh
  # ip-down <interface> <myaddr> <daemon-pid> <local> <remote> <arg>
  #3/29/1999
  #An example ip-down script for the newer 2.1/2.2 kernels using ipchains
  #that will remove firewall rules that were setup to connect your local
  #class c network to a remote class c network.  Optional security
  #enhancement rules removal is also added and commented towards end of
  #script.
  #Send questions or comments to acj@home.com.

  #--------------------------------------------------------------------------
  #Set some script variables
  device=$1               # the CIPE interface
  me=$2                   # our UDP address
  pid=$3                  # the daemon's process ID
  ipaddr=$4               # IP address of our CIPE device
  ptpaddr=$5              # IP address of the remote CIPE device
  option=$6               # argument supplied via options
  PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

  #comment/uncomment to enable/disable kernel logging for all unauthorized
  #access attempts
  #must be same as ip-up script in order to remove rules
  log="-l"

  #--------------------------------------------------------------------------
  umask 022

  # Logging example
  #echo "DOWN $*" >> /var/adm/cipe.log

  # remove the daemon pid file
  #rm -f /var/run/$device.pid

  #--------------------------------------------------------------------------
  #remove rules from main input, output, and forward chains for cipe
  #interface
  ipchains -D input -i $device -j $device"i"
  ipchains -D output -i $device -j $device"o"
  ipchains -D forward -i $device -j $device"f"

  #--------------------------------------------------------------------------
  #flush all rules in cipe interface input chain
  ipchains -F $device"i"
  #remove cipe interface input chain
  ipchains -X $device"i"

  #--------------------------------------------------------------------------
  #flush all rules in cipe interface output chain
  ipchains -F $device"o"
  #remove cipe interface output chain
  ipchains -X $device"o"

  #--------------------------------------------------------------------------
  #flush all rules in cipe interface forward chain
  ipchains -F $device"f"
  #remove cipe interface forward chain
  ipchains -X $device"f"

  #--------------------------------------------------------------------------
  #Remove optional security enhancement rules

  #get peer ip address
  #peer=`cat /var/run/$device.peerip`
  #define machine interfaces
  #localif="eth0"
  #staticif="eth1"                ;cable modem users
  #staticif="ppp0"                ;dialup users

  #get our ip address
  #myaddr=`echo $me |cut -f1 -d:`

  #delete (accept forwarding from localnet to remotenet on internal network
  #interface)
  #ipchains -D forward -j ACCEPT -i $localif -s $ipaddr/24 -d $ptpaddr/24
  #delete (accept forwarding from remotenet to localnet on internal network
  #interface)
  #ipchains -D forward -j ACCEPT -i $localif -s $ptpaddr/24 -d $ipaddr/24
  #delete (accept forwarding on staticif from me to peer)
  #ipchains -D forward -j ACCEPT -i $staticif -s $myaddr -d $peer

  #remove peer ip file
  #rm /var/run/$device.peerip

  #--------------------------------------------------------------------------
  #Remove other optional security enhancement rules

  #get peer udp port
  #peerport=`cat /var/run/$device.peerport`

  #get our udp port
  #if [ "$option" = "" ]; then
  #        myport=`echo $me | cut -f2 -d:`
  #else
  #        myport=$option
  #fi

  #delete (deny and log all requests to cipe udp port must be inserted first)
  #ipchains -D input -j DENY -p udp -i $staticif -s 0/0 \
  #-d $myaddr $myport $log
  #delete (accept udp packets from peer at udp cipe port to my udp cipe port)
  #ipchains -D input -j ACCEPT -p udp -i $staticif -s $peer $peerport \
  #-d $myaddr $myport

  #remove peer port file
  #rm /var/run/$device.peerport

  #--------------------------------------------------------------------------

  exit 0
  ______________________________________________________________________

  6.  Example firewall scripts with masquerading

  6.1.  Kernel 2.0 with ipfwadm

  ______________________________________________________________________

  #!/bin/sh
  #04/04/1999
  #example rc.firewall script for the 2.0 kernels using ipfwadm
  #I can't take full credit for this script.  I had found it a few
  #years ago and made slight modifications.
  #Send questions or comments to acj@home.com.

  #---------------------------------------------------------------------
  #Variables
  #---------------------------------------------------------------------

  #local ethernet interface
  localip=
  localif=eth0

  #static ethernet interface
  staticip=
  staticif=eth1

  PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

  #---------------------------------------------------------------------
  #Incoming Firewall Policies
  #---------------------------------------------------------------------
  #flush incoming firewall policies
  /sbin/ipfwadm -I -f

  #set incoming firewall policy default to deny
  /sbin/ipfwadm -I -p deny

  #---------------------------------------------------------------------

  #local interface, local machines, going anywhere is valid
  /sbin/ipfwadm -I -a accept -V $localip -S $localip/24 -D 0.0.0.0/0
  #remote interface, claiming to be local machines (IP spoofing) deny and log
  /sbin/ipfwadm -I -a deny -V $staticip -S $localip/24 -D 0.0.0.0/0 -o
  #remote interface, any source, going to staticip address is valid
  /sbin/ipfwadm -I -a accept -V $staticip -S 0.0.0.0/0 -D $staticip/32
  #loopback interface is valid
  /sbin/ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
  #all other incoming is denied and logged
  /sbin/ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o

  #---------------------------------------------------------------------
  #Outgoing Firewall Policies
  #---------------------------------------------------------------------

  #flush outgoing firewall policies
  /sbin/ipfwadm -O -f

  #set outgoing firewall policy default to deny
  /sbin/ipfwadm -O -p deny

  #---------------------------------------------------------------------

  #local interface, any source going to local net is valid
  /sbin/ipfwadm -O -a accept -V $localip -S 0.0.0.0/0 -D $localip/24
  #outgoing to localnet on static interface, stuffed routing, deny
  /sbin/ipfwadm -O -a deny -V $staticip -S 0.0.0.0/0 -D $localip/24 -o
  #outgoing from localnet on static interface, stuffed masquerading, deny
  /sbin/ipfwadm -O -a deny -V $staticip -S $localip/24 -D 0.0.0.0/0 -o
  #outgoing to localnet on static interface, stuffed masquerading, deny
  /sbin/ipfwadm -O -a deny -V $staticip -S 0.0.0.0/0 -D $localip/24 -o
  #anything else outgoing on remote interface is valid
  /sbin/ipfwadm -O -a accept -V $staticip -S $staticip/32 -D 0.0.0.0/0
  #loopback interface is valid
  /sbin/ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
  #all other outgoing is denied and logged
  /sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o

  #--------------------------------------------------------------------------
  #Forwarding firewall policies
  #--------------------------------------------------------------------------

  #flush forwarding policies
  /sbin/ipfwadm -F -f

  #set forwarding policy default to deny
  /sbin/ipfwadm -F -p deny

  #masquerade from localnet on local interface to anywhere
  /sbin/ipfwadm -F -a masquerade -W $staticif -S $localip/24 -D 0.0.0.0/0
  #all other forwarding is denied
  /sbin/ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0

  exit 0
  ______________________________________________________________________

  6.2.  Kernel 2.1/2.2 with ipchains

  ______________________________________________________________________

  #!/bin/sh
  #04/04/1999
  #example rc.firewall script for the newer 2.1/2.2 kernels using ipchains
  #that creates user defined chains for each interface.  There are firewall
  #rules for spoofing protection which may be unnecessary since the newer
  #kernels can have kernel spoofing protection enabled.  You might say it's
  #super paranoid checking.
  #Send questions or comments to acj@home.com.

  #---------------------------------------------------------------------
  #Variables
  #---------------------------------------------------------------------

  #local ethernet interface
  localip=
  localif=eth0

  #static ethernet interface
  staticip=
  staticif=eth1

  #loopback interface
  loopback=lo

  PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

  #---------------------------------------------------------------------
  #Flush built-in input, output, and forward ipchains; set default policy
  #Good policy to deny all packets especially while setting up chains
  #---------------------------------------------------------------------

  #set incoming firewall policy default to deny
  ipchains -P input DENY

  #flush incoming firewall policies
  ipchains -F input

  #---------------------------------------------------------------------

  #set outgoing firewall policy default to deny
  ipchains -P output DENY

  #flush outgoing firewall policies
  ipchains -F output

  #---------------------------------------------------------------------

  #set forwarding firewall policy default to deny
  ipchains -P forward DENY

  #flush forwarding firewall policies
  ipchains -F forward

  #---------------------------------------------------------------------
  #flush all policies  -redundant for main policies, but also flushes user
  #defined policies
  #ipchains -F

  #remove all user defined policies - you may or may not want to enable this
  #ipchains -X

  #---------------------------------------------------------------------
  #Incoming Firewall Policies
  #---------------------------------------------------------------------
  #create new input chain for static ethernet interface
  ipchains -N $staticif"-i"

  #flush all rules in chain (sanity flush)
  ipchains -F $staticif"-i"

  #block incoming tcp SYN packets to all ports on staticif and log
  #this may be a little harsh but it's a nice feature
  #ipchains -A $staticif"-i" -j DENY -p tcp -y -i $staticif -s 0/0 \
  #-d $staticip : -l

  #remote interface, claiming to be local machines (IP spoofing) deny and log
  ipchains -A $staticif"-i" -j DENY -i $staticif -s $localip/16 -d 0/0 -l

  #remote interface, any source, going to staticip address is valid
  ipchains -A $staticif"-i" -j ACCEPT -i $staticif -s 0/0 -d $staticip/32

  #all other incoming is denied and logged
  ipchains -A $staticif"-i" -j DENY -s 0/0 -d 0/0 -l

  #---------------------------------------------------------------------

  #create new input chain for local ethernet interface
  ipchains -N $localif"-i"

  #flush all rules in chain (sanity flush)
  ipchains -F $localif"-i"

  #local interface, local machines, going anywhere is valid
  ipchains -A $localif"-i" -j ACCEPT -i $localif -s $localip/24 -d 0/0

  #all other incoming is denied and logged
  ipchains -A $localif"-i" -j DENY -s 0/0 -d 0/0 -l

  #---------------------------------------------------------------------

  #create new input chain for loopback interface
  ipchains -N $loopback"-i"

  #flush all rules in chain (sanity flush)
  ipchains -F $loopback"-i"

  #loopback interface is valid
  ipchains -A $loopback"-i" -j ACCEPT -i $loopback -s 0/0 -d 0/0

  #all other incoming is denied and logged
  ipchains -A $loopback"-i" -j DENY -s 0/0 -d 0/0 -l

  #--------------------------------------------------------------------------
  #Forwarding firewall policies
  #--------------------------------------------------------------------------

  #create new forward chain for static ethernet interface
  ipchains -N $staticif"-f"

  #flush all rules in chain (sanity flush)
  ipchains -F $staticif"-f"

  #masquerade from localnet on static interface to anywhere
  ipchains -A $staticif"-f" -j MASQ -i $staticif -s $localip/24 -d 0/0

  #all other forwarding is denied and logged
  ipchains -A $staticif"-f" -j DENY -s 0/0 -d 0/0 -l

  #---------------------------------------------------------------------

  #create new forward chain for local ethernet interface
  ipchains -N $localif"-f"

  #flush all rules in chain (sanity flush)
  ipchains -F $localif"-f"

  #all other forwarding is denied and logged
  ipchains -A $localif"-f" -j DENY -s 0/0 -d 0/0 -l

  #---------------------------------------------------------------------

  #create new forward chain for loopback interface
  ipchains -N $loopback"-f"

  #flush all rules in chain (sanity flush)
  ipchains -F $loopback"-f"

  #all other forwarding is denied and logged
  ipchains -A $loopback"-f" -j DENY -s 0/0 -d 0/0 -l

  #---------------------------------------------------------------------
  #Outgoing Firewall Policies
  #---------------------------------------------------------------------

  #create new output chain for static ethernet interface
  ipchains -N $staticif"-o"

  #flush all rules in chain (sanity flush)
  ipchains -F $staticif"-o"

  #outgoing to localnet on remote interface (stuffed routing) deny & log
  ipchains -A $staticif"-o" -j DENY -i $staticif -s 0/0 -d $localip/24 -l

  #outgoing from local net on remote interface, stuffed masquerading, deny
  ipchains -A $staticif"-o" -j DENY -i $staticif -s $localip/24 -d 0/0 -l

  #anything else outgoing on remote interface is valid
  ipchains -A $staticif"-o" -j ACCEPT -i $staticif -s $staticip/32 -d 0/0

  #all other outgoing is denied and logged
  ipchains -A $staticif"-o" -j DENY -s 0/0 -d 0/0 -l

  #---------------------------------------------------------------------

  #create new output chain for local ethernet interface
  ipchains -N $localif"-o"

  #flush all rules in chain (sanity flush)
  ipchains -F $localif"-o"

  #local interface, any source going to local net is valid
  ipchains -A $localif"-o" -j ACCEPT -i $localif -s 0/0 -d $localip/24

  #all other outgoing is denied and logged
  ipchains -A $localif"-o" -j DENY -s 0/0 -d 0/0 -l

  #---------------------------------------------------------------------

  #create new output chain for loopback interface
  ipchains -N $loopback"-o"

  #flush all rules in chain (sanity flush)
  ipchains -F $loopback"-o"

  #loopback interface is valid
  ipchains -A $loopback"-o" -j ACCEPT -i $loopback -s 0/0 -d 0/0
  #all other outgoing is denied and logged
  ipchains -A $loopback"-o" -j DENY -s 0/0 -d 0/0 -l

  #--------------------------------------------------------------------------
  #make sure forwarding is enabled in the kernel
  #--------------------------------------------------------------------------

  /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

  #--------------------------------------------------------------------------
  #Add pointers to built-in chains to enable user defined chains
  #change the order in each chain to optimize filtering for an interface
  #--------------------------------------------------------------------------

  #add local interface input chain
  ipchains -A input -i $localif -j $localif"-i"

  #add static interface input chain
  ipchains -A input -i $staticif -j $staticif"-i"

  #add loopback interface input chain
  ipchains -A input -i $loopback -j $loopback"-i"

  #-------------------------------------------------------------------------

  #add local interface output chain
  ipchains -A output -i $localif -j $localif"-o"

  #add static interface output chain
  ipchains -A output -i $staticif -j $staticif"-o"

  #add loopback interface output chain
  ipchains -A output -i $loopback -j $loopback"-o"

  #-------------------------------------------------------------------------

  #add local interface forward chain
  ipchains -A forward -i $localif -j $localif"-f"

  #add static interface forward chain
  ipchains -A forward -i $staticif -j $staticif"-f"

  #add loopback interface forward chain
  ipchains -A forward -i $loopback -j $loopback"-f"

  #---------------------------------------------------------------------
  #Super Paranoid check --- even though default policy is set for deny,
  #block all packets on any interface
  #---------------------------------------------------------------------

  #all other incoming is denied and logged
  ipchains -A input -j DENY -s 0/0 -d 0/0 -l

  #all other output is denied and logged
  ipchains -A output -j DENY -s 0/0 -d 0/0 -l

  #all other forwarding is denied and logged
  ipchains -A forward -j DENY -s 0/0 -d 0/0 -l

  exit 0
  ______________________________________________________________________

  7.  Enabling everything

  This is an example rc.local script that starts all the services at system
  boot.  If you are using kernel 2.2, spoofing protection is added as well.
  It sets the masquerading firewall policies and then brings up the cipe
  interfaces.

       ______________________________________________________________________

       #!/bin/bash
       #4/4/99
       #an example rc.local script
       #Send questions or comments to acj@home.com

       echo

       #Set up spoof protection in kernel -- from IPChains HOWTO by Paul Russell

       #this is only for the newer 2.1/2.2 kernels

       #if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
       #   echo -n "Setting up IP spoofing protection..."
       #   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
       #       echo 1 > $f
       #   done
       #   echo "done."
       #else
       #   echo PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED.
       #   echo "CONTROL-D will exit from this shell and continue system startup."
       #   echo
       #   # Start a single user shell on the console
       #   /sbin/sulogin $CONSOLE
       #fi

       echo

       #Setup firewall policies
       #run the scripts as separate processes rather than sourcing them with
       #".": both scripts end in "exit 0", which would terminate rc.local
       #here and the cipe interfaces would never be started
       if [ -x /etc/rc.d/rc.firewall ]; then
               echo Setting up firewall packet filtering policies.
               echo
               /etc/rc.d/rc.firewall
       fi

       #Start cipe interfaces
       if [ -x /etc/rc.d/rc.cipe ]; then
               echo Starting VPN interfaces.
               /etc/rc.d/rc.cipe
       fi

       exit 0
       ______________________________________________________________________

  8.  Connecting to the WAN

  Once the cipe interfaces are up, things should already work.  Try pinging
  the other network.  If ping does not work, check the following items on
  the firewall machines.

  o  Forwarding is enabled in the kernel.

  o  The cipe interface is up; check it with ifconfig.

       cipcb0  Link encap:IPIP Tunnel  HWaddr
               inet addr:192.168.1.1  P-t-P:192.168.2.1  Mask:255.255.255.255
               UP POINTOPOINT NOTRAILERS RUNNING NOARP  MTU:1442  Metric:1
               RX packets:28163 errors:6 dropped:0 overruns:0 frame:6
               TX packets:29325 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100

  o  The routing table of the host has an entry for the cipe interface of
     the remote cipe host.

       192.168.2.1    *      255.255.255.255 UH    0   0        0 cipcb0

  o  The routing table has an entry for the network of the remote cipe
     interface.

       192.168.2.0    *      255.255.255.0   U     0   0        0  cipcb0

  o  There are no error messages in the log files.
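  The checklist above, turned into shell functions as an added example (this is
  not part of the mini-HOWTO).  Each check parses text handed to it, so it can be
  run against live command output on the firewall or against the constructed
  samples at the end, which are modelled on the ifconfig and route output shown
  above; the device name cipcb0 and the 192.168.x.x addresses are the HOWTO's
  example values.

```shell
#!/bin/sh
# Added example, not part of the mini-HOWTO: the troubleshooting checklist
# as shell functions.  Each check parses text passed as an argument, so it
# works on live output (run_checks) or on the constructed samples below.

# True if the contents of /proc/sys/net/ipv4/ip_forward ($1) are "1".
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# True if the ifconfig output in $1 lists interface $2 with the UP and
# POINTOPOINT flags, i.e. what a working cipcb device shows.
cipe_if_up() {
    printf '%s\n' "$1" | awk -v ifname="$2" '
        $1 == ifname { found = 1; next }
        found && /^[ \t]/ && /[ \t]UP[ \t]/ && /[ \t]POINTOPOINT[ \t]/ { ok = 1 }
        found && /^[^ \t]/ { found = 0 }
        END { if (ok) exit 0; exit 1 }'
}

# True if the "route -n" style table in $1 has an entry whose destination
# is $2 and whose interface (last column) is $3.
route_present() {
    printf '%s\n' "$1" | awk -v dest="$2" -v ifname="$3" '
        $1 == dest && $NF == ifname { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Live run on a firewall: run_checks <cipe device> <remote cipe addr> <remote net>
run_checks() {
    dev=$1; peer=$2; net=$3; rc=0
    forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" \
        || { echo "forwarding is disabled in the kernel"; rc=1; }
    cipe_if_up "$(ifconfig)" "$dev" \
        || { echo "$dev is not UP/POINTOPOINT"; rc=1; }
    route_present "$(route -n)" "$peer" "$dev" \
        || { echo "no host route to $peer via $dev"; rc=1; }
    route_present "$(route -n)" "$net" "$dev" \
        || { echo "no network route to $net via $dev"; rc=1; }
    return $rc
}

# Constructed samples modelled on the output shown in the HOWTO.
SAMPLE_IFCONFIG='cipcb0    Link encap:IPIP Tunnel  HWaddr
          inet addr:192.168.1.1  P-t-P:192.168.2.1  Mask:255.255.255.255
          UP POINTOPOINT NOTRAILERS RUNNING NOARP  MTU:1442  Metric:1
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_ROUTES='192.168.2.1     *               255.255.255.255 UH    0      0        0 cipcb0
192.168.2.0     *               255.255.255.0   U     0      0        0 cipcb0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0'

# With "live" as the first argument, check this machine for the HOWTO's
# example addresses; otherwise self-check against the samples.
if [ "$1" = "live" ]; then
    run_checks cipcb0 192.168.2.1 192.168.2.0
else
    cipe_if_up "$SAMPLE_IFCONFIG" cipcb0 && route_present "$SAMPLE_ROUTES" 192.168.2.0 cipcb0 \
        && echo "sample checks pass"
fi
```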

  If machines on the internal LAN of one firewall cannot reach machines on
  the internal LAN of the other firewall, check that the gateway is set on
  those machines.

  Once ping, ftp, telnet and so on work to machines on the other network,
  try whether you can browse and access each other using SAMBA.  Here is a
  small hint: you will need lmhosts, or a WINS server and an NT domain with
  a trust relationship.  In this environment it is not working yet.  Going
  into detail about SAMBA is not the purpose of this document, so it is left
  out (at least for now).

  If you are using the sample masquerading firewall scripts, all the
  machines should be able to use the Internet.  If they cannot, check the
  log files.  It is also a good idea to use tcpdump to see what packets are
  being rejected.

  9.  References

  9.1.  Web sites

  Cipe Home Page <http://sites.inka.de/~bigred/devel/cipe.html>

  Masq Home Page <http://ipmasq.cjb.net>

  Samba Home Page <http://samba.anu.edu.au>

  Linux HQ <http://www.linuxhq.com>: a great site for lots of Linux info

  9.2.  Documents

  cipe.info: the info file that comes with cipe

  Firewall HOWTO, Mark Grennan, markg@netplus.net

  IP Masquerade mini-HOWTO, Ambrose Au, ambrose@writeme.com

  IPChains-HOWTO, Paul Russell, Paul.Russell@rustcorp.com.au

