Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By


6. Routing

Piercing the firewall is not everything. You must also route the packets from the client side of the firewall to the server side. This section tackles the basic settings specific about routing accross a tunnel. For more detailed explanations of routing, see the relevant HOWTOs and man pages about networking, routing and masquerading.

6.1. The catch

The catch is that although your network administration would tell you to setup your some router on your client side's as the default route, (this may be relevant if you want to have a specific route to the networks on the client of the firewall), you should setup PPP link as the route to the networks on the server side.

In other words, your default route should point to a router on whichever side of the tunnel that gives you access to the Internet.

Most importantly, packets sent to the server host as part of running the tunnel should be routed through your usual network (e.g. your default ethernet router); otherwise, your kernel will have problems, as it tries to route through the inside the tunnel the very packets that ought to constitute the outside of the tunnel.

Thus, you'll have to setup correct routes in your network startup configuration. The precise location of your routing configuration data depends on your distribution, but it is typically under /etc/init.d/network or /etc/network/; similarly, your PPP configuration is typically in /etc/ppp/, and the proper place to configure its routes is usually in ip-up or ip-up.d/. (Tip: to identify your distribution-specific file locations, you must read the documentation of your distribution and otherwise RTFM; alternatively use grep recursively on your /etc; at worst, trace what happens at boot time, as configured in your /etc/inittab.)

When piercing a tunnel from a roaming laptop on the Internet into a protected network, the script (available from the fwprc distribution) gives the current route to the server host that is the other end of the tunnel.

Once you can route packets to the server side of the tunnel, you might want to setup your machine as a router for all your pals on the client side of the firewall, achieving a full-fledged shared VPN. This is not specific to Firewall-Piercing, so just you read the relevant HOWTOs about networking, routing and masquerading. Also, for security reasons, be sure to also setup a proper firewall on your machine, especially if you're going to be a router for other people.

Finally, be reminded that if you're using pppd on the server end of the tunnel (as opposed to user-mode slirp), you will have to configure proper routes and firewall rules on the server side of the tunnel, too.

6.2. Example of routing

In this example, your client machine is connected to a firewalled LAN through ethernet device eth0. Its IP address is; its network is; its router is

Your network administrator may have told you to use as default router, but you shouldn't. You should only use it as a route to the client side of the firewall.

Let's suppose the client side of your firewall is made of networks and, and of host To make them accessible through your client router, add these routes to your global network startup script:

route add -net netmask gw
route add -net netmask gw
route add -host gw
You must also keep the route to the client's local network, necessary for linux kernel 2.0 and earlier, but but unnecessary for linux kernel 2.2 and later (that implicitly adds it during the ifconfig):
route add -net netmask dev eth0
On the other hand, you must remove any default route from your scripts. Delete or comment away a line like:
route add default gw
Note that it is also possible to remove the route from the running kernel configuration without rebooting, by the following command:
route del default gw
Then you can have pppd setup a default route automatically when it starts by using its defaultroute option. Alternatively, you can add it afterwards:
route add default gw
If you don't want pppd as a default route, because the Internet access is available on your side of the firewall, and if you instead want network to be routed through the tunnel, except from host that serves as the other end of the tunnel, then add the following lines to your /etc/ppp/ip-up:
route add -host gw
route add -net netmask gw
If you're a laptop and your current LAN moves, and yet you want to keep your current route to, whatever it be, then use as follows to automatically find the right gateway in the route add -host command:
Note that if you have them in your /etc/hosts, you might use symbolic names instead of numerical IP addresses (and you might even use FQDN's, if you trust the DNS never to fail).



Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
FBI Quietly Removes Recommendation To Encrypt Your Phone
And the prize for LEAST SECURE BROWSER goes to ... Chrome!
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.