6.6. Configuring Clients for CIPE

After successfully configuring the CIPE server and testing for functionality, you can now deploy the connection on the client machine.

The CIPE client should be able to connect and disconnect the CIPE connection in an automated way. Therefore, CIPE contains built-in mechanisms to customize settings for individual uses. For example, a remote employee can connect to the CIPE device on the LAN by typing the following:

/sbin/ifup cipcb0

The device should automatically come up; firewall rules and routing information should also be configured along with the connection. The remote employee should be able to terminate the connection with the following:

/sbin/ifdown cipcb0

Configuring clients requires the creation of localized scripts that are run after the device has loaded. The device configuration itself can be configured locally via a user-created file called /etc/sysconfig/network-scripts/ifcfg-cipcb0. This file contains parameters that determine whether the CIPE connection occurs at boot-time, what the name of the CIPE device is, and more. The following is the ifcfg-cipcb0 file for a remote client connecting to the CIPE server:

DEVICE=cipcb0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no

# This is the device for which we add a host route to our CIPE peer through.
# You may hard code this, but if left blank, we will try to guess from
# the routing table in the /etc/cipe/ip-up.local file.
PEERROUTEDEV=

# We need to use internal DNS when connected via cipe. 
DNS=192.168.1.254

The CIPE device is named cipcb0. The CIPE device is activated at boot-time (configured via the ONBOOT field) and does not use a boot protocol (for example, DHCP) to receive an IP address for the device. The PEERROUTEDEV field determines the CIPE server device name that connects to the client. If no device is specified in this field, one is determined after the device has been loaded.

If the internal networks are behind a firewall, set rules to allow the CIPE interface on the client machine to send and receive UDP packets. Refer to Chapter 7 Firewalls for information on configuring a firewall. For this example configuration, iptables rules are implemented.

NoteNote
 

Clients should be configured such that all localized parameters are placed in a user-created file called /etc/cipe/ip-up.local. The local parameters should be reverted when the CIPE session is shut down using /etc/cipe/ip-down.local.

Firewalls should be configured on client machines to accept the CIPE UDP encapsulated packets. Rules may vary widely, but the basic acceptance of UDP packets is required for CIPE connectivity. The following iptables rules allow UDP CIPE transmissions on the remote client machine connecting to the LAN; the final rule adds IP Masquerading to allow the remote client to communicate to the LAN and the Internet:

/sbin/modprobe iptables
/sbin/service iptables stop
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -A INPUT -j ACCEPT -p udp -s 10.0.1.1
/sbin/iptables -A INPUT -j ACCEPT -i cipcb0
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

Add routing rules to the client machine to access the nodes behind the CIPE connection as if they were on the local network. This can be done by running the route command. In this example, the client workstation needs to have the following network route:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.1.2

The following shows the final /etc/cipe/ip-up.local script for the client workstation:

#!/bin/bash -v
if [ -f /etc/sysconfig/network-scripts/ifcfg-$1 ] ; then
        . /etc/sysconfig/network-scripts/ifcfg-$1
else
        cat <<EOT | logger
Cannot find config file ifcfg-$1. Exiting.
EOF
        exit 1
fi

if [ -n ${PEERROUTEDEV} ]; then
        cat <<EOT | logger
Cannot find a default route to send cipe packets through!
Punting and hoping for the best.
EOT
        # Use routing table to determine peer gateway
        export PEERROUTEDEV=`/sbin/route -n | grep ^0.0.0.0 | head -n 1 \
           | awk '{ print $NF }'`

fi

####################################################
# Add The routes for the remote local area network #
####################################################

route add -host 10.0.1.2 dev $PEERROUTEDEV
route add -net 192.168.1.0 netmask 255.255.255.0 dev $1

####################################################
# IP TABLES Rules to restrict traffic              #
####################################################

/sbin/modprobe iptables
/sbin/service iptables stop
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -A INPUT -j ACCEPT -p udp -s 10.0.1.2
/sbin/iptables -A INPUT -j ACCEPT -i $1
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE