
6. Routing

Piercing the firewall is not everything. You must also route the packets from this side of the firewall to the other. This section tackles the basic settings specific to routing across a tunnel. For more detailed explanations of routing, see the relevant HOWTOs and man pages about networking, routing and masquerading.

6.1 The catch

The main point is that although your network administration would tell you to set up your local router as the default route, you might instead want only specific routes through it to the networks on your side of the firewall, whereas the other end of your PPP link should be the router for the networks on the other side. Your default route should point to a router on whichever side gives you access to the Internet. Most importantly, on every machine involved in routing packets to the other end of the tunnel, the remote host that serves as the tunnel's end-point must itself be reached through your usual network (i.e. ethernet), for your kernel will have problems if it tries to route the packets to that host through the very tunnel it terminates.

So you'll have to set up proper routes in your network startup configuration like /etc/init.d/network or /etc/network/, as well as in your PPP startup configuration in /etc/ppp/ip-up or /etc/ppp/ip-up.d/ or wherever your distribution puts them. To identify your distribution-specific file locations, RTFM the docs of your distribution, use grep recursively on your /etc, and if all else fails, trace the boot behaviour of your computer from /sbin/init.

Also, when piercing a tunnel from a roaming laptop on the Internet into a protected network, I used to use from within my ip-up the script getroute.pl (available from the fwprc distribution) that gives me the current route for the host on the other end of the tunnel.

Once you can route packets to the other side of the tunnel, you might want to set up your machine as a router for all your pals on your side of the firewall, achieving a full-fledged shared VPN. This is not specific to Firewall-Piercing, so just read the relevant HOWTOs about networking, routing and masquerading. Also, for security reasons, be sure to also set up a proper firewall on your machine, especially if you're going to be a router for other people.

Finally, be reminded that if you're using pppd on the other end of the tunnel (as opposed to user-mode slirp), you will have to configure proper routes and firewall rules on the other side of the tunnel, too.

6.2 Example of routing

Let's consider an example. In your case, of course, you'll have to adapt the IP numbers, and insert the commands in the right place, which depends on your distribution.

For instance, imagine your machine is on the ethernet eth0 with IP address 12.34.56.78 on network 12.34.56.0/24, router 12.34.56.1. Your network administrator will have told you to use 12.34.56.1 as default router. But you shouldn't, as you should only use it to route on your side of the firewall. Imagine you have networks 12.34.0.0/16 and 12.13.0.0/16 and host 11.22.33.44 accessible through your router on your side of the firewall. Then you'll add these routes to your startup script:

route add -net 12.34.0.0 netmask 255.255.0.0 gw 12.34.56.1
route add -net 12.13.0.0 netmask 255.255.0.0 gw 12.34.56.1
route add -host 11.22.33.44 gw 12.34.56.1
You must also keep the route to the local network, necessary for Linux kernel 2.0 and earlier, but implicitly added by ifconfig on 2.2 and later:
route add -net 12.34.56.0 netmask 255.255.255.0 dev eth0
On the other hand, you must remove from your scripts any command that sets a default route through the local router, such as:
route add default gw 12.34.56.1
If the default route has already been set, you can remove it like this:
route del default gw 12.34.56.1
Then you can have pppd set up a default route automatically when it starts by using its defaultroute option. Or you can add it after the fact with:
route add default gw 10.0.2.2
If you don't want pppd as a default route, because the Internet is on your side of the firewall, and instead want network 98.76.0.0/20 to be routed through the tunnel, except for host 98.76.54.32 that serves as the other end of the tunnel, then have this executed from your /etc/ppp/ip-up:
route add -host 98.76.54.32 gw 12.34.56.1
route add -net 98.76.0.0 netmask 255.255.240.0 gw 10.0.2.2
If you're on a laptop and your current LAN moves, and yet you want to keep your current route to 98.76.54.32, whatever it is, then use getroute.pl as follows to automatically find the right gateway in the route add -host command:
$(getroute.pl 98.76.54.32)
Note that if you have them in your /etc/hosts, you might use symbolic names instead of numerical IP addresses (and you might even use FQDNs, if you trust the DNS never to fail).
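The catch in 6.1 is easy to get wrong when editing ip-up by hand: drop the host route to the tunnel end-point and the kernel will send that host's packets into the tunnel itself. The following is an added check, not part of this HOWTO or the fwprc distribution, that parses `ip route show` style output (a constructed sample using this section's example addresses, with ppp0 assumed as the tunnel device), does the same longest-prefix match the kernel does, and verifies that the tunnel end-point is reached through eth0 rather than through the tunnel.

```python
import ipaddress
import re

# Constructed sample of `ip route show` output for the example in 6.2:
# LAN 12.34.56.0/24 on eth0, tunnel on ppp0 with remote address 10.0.2.2,
# network 98.76.0.0/20 behind the tunnel, tunnel end-point 98.76.54.32.
SAMPLE_ROUTES = """\
default via 10.0.2.2 dev ppp0
98.76.0.0/20 via 10.0.2.2 dev ppp0
98.76.54.32 via 12.34.56.1 dev eth0
12.34.0.0/16 via 12.34.56.1 dev eth0
12.13.0.0/16 via 12.34.56.1 dev eth0
11.22.33.44 via 12.34.56.1 dev eth0
12.34.56.0/24 dev eth0 proto kernel scope link src 12.34.56.78
10.0.2.2 dev ppp0 proto kernel scope link src 10.0.2.15
"""

# destination, optional "via <gateway>", then "dev <interface>"
ROUTE_RE = re.compile(r"^(\S+)(?: via (\S+))? dev (\S+)")


def parse_routes(text):
    """Turn `ip route show` lines into (network, gateway, device) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in a format we do not understand
        dest, gw, dev = m.groups()
        dest = "0.0.0.0/0" if dest == "default" else dest
        routes.append((ipaddress.ip_network(dest, strict=False), gw, dev))
    return routes


def lookup(routes, host):
    """Longest-prefix match: the route the kernel would pick for host."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def tunnel_endpoint_ok(routes, endpoint, tunnel_dev):
    """True if the tunnel end-point is NOT routed through the tunnel itself."""
    r = lookup(routes, endpoint)
    return r is not None and r[2] != tunnel_dev


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print("tunnel end-point ok:", tunnel_endpoint_ok(table, "98.76.54.32", "ppp0"))
```

Removing the `98.76.54.32 via 12.34.56.1 dev eth0` line from the sample makes the end-point match `98.76.0.0/20` on ppp0 and the check fails, which is exactly the loop the section warns about.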