Solving the DDoS problem of the R9 VPN server

Source: Internet
Author: User
Article title: Solving the DDoS problem of the R9 VPN server
   1. Introduction
This document addresses a bug in CIPE's error handling that can be used for a denial-of-service attack: if CIPE receives a packet smaller than the smallest CIPE packet it can process, the system can crash and stop all further processing.

Because CIPE runs inside the kernel, such a crash takes down the whole system and can lose unsaved data.
This is the Linux CIPE + Masquerading mini-HOWTO. It explains how to use CIPE to set up a Virtual Private Network (VPN) between your LAN and other remote networks through a Linux masquerading firewall host.
  
1.1. Copyright notice

Copyright (C) 1998 Anthony Ciaravalo, acj@home.com

Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium, physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and even encouraged, provided that the original author is notified.

All translations, derivative works, or aggregate works incorporating a Linux HOWTO document must be covered by this copyright notice. That is, nobody may produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; for details, contact the Linux HOWTO coordinator.

If you have any questions, please contact the Linux HOWTO coordinator, Greg Hankins; you can finger his account to obtain a telephone number or e-mail address.
  
1.2. Disclaimer

Use the examples and information in this document at your own risk. Connecting a network to the Internet raises many security issues: even when your traffic is encrypted, a badly configured firewall still leaves security holes. Treat the CIPE connection with caution; even then, 100% security cannot be guaranteed, and the author does not guarantee that the information in this document will give you a secure network.
  
1.3. Feedback

If you have any questions, suggestions, corrections, or comments, please write to acj@home.net.
  
1.4. Latest version of this document

New versions of this document will be posted to the CIPE mailing list, mailed to the Linux HOWTO coordinator, and placed in the Linux HOWTO archive.
  
1.5. Obtaining CIPE

This document was written for CIPE, which you can get from http://sites.inka.de/~bigred/sw/cipe-1.6.0.tar.gz.
  
   2. Machine setup
2.1. Firewall setup

This document assumes that your kernel has been built with IP masquerading support and that the firewall is already configured correctly. It does not explain how to set up a masquerading firewall; it only gives example rules showing what is needed for CIPE to work through one. See the references for how to set up a Linux IP masquerading firewall.
  
2.2. The star/hub setup

This setup uses a star/hub architecture, so if machine A goes down, machines B and C can no longer reach each other. You could add a CIPE link directly between machines B and C to avoid this. The more networks you connect together, the more serious this single point of failure becomes. This document only covers the star/hub example.

                 Machine A
                 eth0: 10.10.1.1
                 eth1: real ip 1
                   /        \
        Machine B              Machine C
        eth0: 10.10.2.1        eth0: 10.10.3.1
        eth1: real ip 2        eth1: real ip 3
2.3. Glossary

eth0 is the local network interface (fake, private address)
eth1 is the Internet interface (real address)

Port A is any valid UDP port you choose for the link to machine B.
Port B is any valid UDP port you choose for the link to machine C.

Key A is a valid key you choose for the link to machine B (read the CIPE documentation for details)
Key B is a valid key you choose for the link to machine C
  
2.4. Machine A setup

2.4a. /etc/cipe/ip-up

#!/bin/sh
# A trimmed down version of the sample ip-up that comes with the
# distribution. ciped runs it when the device comes up, with the arguments
#   $1 interface  $2 my real ip  $3 daemon pid  $4 local vpn ip  $5 peer vpn ip
umask 022
PATH=/sbin:/bin:/usr/sbin:/usr/bin
echo "UP $*" > /tmp/cipe
echo $3 > /var/run/$1.pid
# The author prefers to set the routes in a separate file, shown below.
2.4b. /etc/cipe/options.machineB

# Device name
device cip3b0
# The peer's internal (fake) ip address
ptpaddr 10.10.2.1
# My cipe (fake) ip address
ipaddr 10.10.1.1
# My real ip address and cipe port
me (real ip 1):(port A)
# The peer's real ip address and cipe port
peer (real ip 2):(port A)
# 128-bit encryption key, which must be kept secret
key (Key A)
2.4c. /etc/cipe/options.machineC

# Device name
device cip3b1
# The peer's internal (fake) ip address
ptpaddr 10.10.3.1
# My cipe (fake) ip address
ipaddr 10.10.1.1
# My real ip address and cipe port
me (real ip 1):(port B)
# The peer's real ip address and cipe port
peer (real ip 3):(port B)
# 128-bit encryption key, which must be kept secret
key (Key B)
2.4d. /etc/cipe/setroute

#!/bin/sh
# Routing table setup
# Routes to machine B and its network
/sbin/route add -host 10.10.2.1 dev cip3b0
/sbin/route add -net 10.10.2.0 netmask 255.255.255.0 gw 10.10.2.1
# Routes to machine C and its network
/sbin/route add -host 10.10.3.1 dev cip3b1
/sbin/route add -net 10.10.3.0 netmask 255.255.255.0 gw 10.10.3.1
2.4e. /etc/rc.d/rc.local

echo "Starting VPN network"
/usr/local/sbin/ciped -o /etc/cipe/options.machineB
/usr/local/sbin/ciped -o /etc/cipe/options.machineC
/etc/cipe/setroute
  
2.4f. Firewall rules

# Flush all incoming firewall rules and set the default policy to deny
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p deny
# Allow all packets for our networks that arrive over the cipe links
/sbin/ipfwadm -I -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
/sbin/ipfwadm -I -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
# Add any further input rules here. Note that with the default policy set
# to deny, the UDP packets that carry the tunnels themselves (between the
# real addresses, on port A and port B) must also be accepted on eth1, or
# the cipe links will never come up.

# Flush all outgoing firewall rules and set the default policy to deny
/sbin/ipfwadm -O -f
/sbin/ipfwadm -O -p deny
# Allow all packets for the other networks to leave over the cipe links
/sbin/ipfwadm -O -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
/sbin/ipfwadm -O -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
# Add any further output rules here (the tunnel UDP packets need one on eth1 as well)

# Flush all forwarding firewall rules and set the default policy to deny
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
# Allow all packets for the other networks to be forwarded over the cipe links
/sbin/ipfwadm -F -a accept -W cip3b0 -S 10.10.0.0/16 -D 10.10.0.0/16
/sbin/ipfwadm -F -a accept -W cip3b1 -S 10.10.0.0/16 -D 10.10.0.0/16
# Allow forwarding from this machine's real address to the other machines' real addresses
/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 2)
/sbin/ipfwadm -F -a accept -W eth1 -S (real ip 1) -D (real ip 3)
# Allow forwarding to the other networks via the local interface (fake addresses)
/sbin/ipfwadm -F -a accept -W eth0 -S 10.10.0.0/16 -D 10.10.0.0/16
# Add any further forwarding rules here
2.4g. Gateway

All machines on the 10.10.1.0 network must use 10.10.1.1 as their gateway; otherwise traffic to the other networks will not work.
  
2.5. Machine B setup

2.5a. /etc/cipe/ip-up

#!/bin/sh
# A trimmed down version of the sample ip-up that comes with the
# distribution. ciped runs it when the device comes up, with the arguments
#   $1 interface  $2 my real ip  $3 daemon pid  $4 local vpn ip  $5 peer vpn ip
umask 022
PATH=/sbin:/bin:/usr/sbin:/usr/bin
echo "UP $*" > /tmp/cipe
echo $3 > /var/run/$1.pid
# The author prefers to set the routes in a separate file, shown below.
2.5b. /etc/cipe/options.machineA

# Device name
device cip3b0
# The peer's internal (fake) ip address
ptpaddr 10.10.1.1
# My cipe (fake) ip address
ipaddr 10.10.2.1
# My real ip address and cipe port (machine B's own, not copied from machine A)
me (real ip 2):(port A)
# The peer's real ip address and cipe port
peer (real ip 1):(port A)
# 128-bit encryption key, the same Key A as on machine A, kept secret
key (Key A)
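The two options files of one link must be mirror images of each other: the me of one end is the peer of the other, its ipaddr is the other's ptpaddr, and both carry the same 128-bit key. The script below, added here as an illustration and not part of this HOWTO or of the CIPE distribution, checks a pair of options files (such as machine A's options.machineB and machine B's options.machineA) for exactly that, and shows one way to generate a key from /dev/urandom. The addresses 192.0.2.1 and 192.0.2.2, port 6789 and the key in the sample files are constructed values standing in for "real ip 1", "real ip 2", "port A" and "Key A"; the sample file names under the temporary directory are the script's own.

```shell
#!/bin/sh
# Added example, not part of the HOWTO or of CIPE itself: check that the two
# options files of one CIPE link describe the same tunnel from both ends,
# using the file syntax of the options files above (one "keyword value" per
# line, '#' starts a comment). All addresses, ports and keys are constructed.

# Print the value of keyword $2 from options file $1 (comments stripped).
cipe_opt() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Generate a fresh 128-bit key as 32 hex digits from the kernel RNG.
cipe_gen_key() {
    od -A n -N 16 -t x1 /dev/urandom | tr -d ' \n'
}

# Return 0 if options files $1 (this end) and $2 (other end) are mirror
# images of each other; otherwise report each mismatch on stderr and return 1.
cipe_pair_check() {
    rc=0
    # the peer each side names must be the address the other side binds as "me"
    [ "$(cipe_opt "$1" me)" = "$(cipe_opt "$2" peer)" ] \
        || { echo "me in $1 does not match peer in $2" >&2; rc=1; }
    [ "$(cipe_opt "$2" me)" = "$(cipe_opt "$1" peer)" ] \
        || { echo "me in $2 does not match peer in $1" >&2; rc=1; }
    # likewise for the tunnel (fake) addresses
    [ "$(cipe_opt "$1" ipaddr)" = "$(cipe_opt "$2" ptpaddr)" ] \
        || { echo "ipaddr in $1 does not match ptpaddr in $2" >&2; rc=1; }
    [ "$(cipe_opt "$2" ipaddr)" = "$(cipe_opt "$1" ptpaddr)" ] \
        || { echo "ipaddr in $2 does not match ptpaddr in $1" >&2; rc=1; }
    # both ends must share one key, and it must be 128 bits (32 hex digits)
    k1=$(cipe_opt "$1" key); k2=$(cipe_opt "$2" key)
    [ "$k1" = "$k2" ] || { echo "keys differ between $1 and $2" >&2; rc=1; }
    echo "$k1" | grep -Eq '^[0-9a-fA-F]{32}$' \
        || { echo "key in $1 is not 32 hex digits" >&2; rc=1; }
    return $rc
}

# Write a consistent pair of sample files plus a broken copy of machine B's
# file (me/peer left as they were on machine A) into a temp dir; print its name.
demo_setup() {
    d=$(mktemp -d)
    key=0123456789abcdef0123456789abcdef   # constructed sample key, never reuse
    cat > "$d/A.options.machineB" <<EOF
device cip3b0
ptpaddr 10.10.2.1
ipaddr 10.10.1.1
me 192.0.2.1:6789
peer 192.0.2.2:6789
key $key
EOF
    cat > "$d/B.options.machineA" <<EOF
device cip3b0
ptpaddr 10.10.1.1
ipaddr 10.10.2.1
me 192.0.2.2:6789
peer 192.0.2.1:6789
key $key
EOF
    # the common mistake: file copied to machine B without swapping me/peer
    sed -e 's/^me .*/me 192.0.2.1:6789/' -e 's/^peer .*/peer 192.0.2.2:6789/' \
        "$d/B.options.machineA" > "$d/B.options.machineA.bad"
    echo "$d"
}

# Run both checks; return 0 only if the good pair passes and the bad one fails.
demo() {
    d=$(demo_setup)
    cipe_pair_check "$d/A.options.machineB" "$d/B.options.machineA" || return 1
    if cipe_pair_check "$d/A.options.machineB" "$d/B.options.machineA.bad" 2>/dev/null; then
        return 1   # a broken pair must be rejected
    fi
    rm -rf "$d"
}

demo && echo "consistent pair accepted, un-swapped copy rejected"
```

To check real files, copy the two options files from both machines and run cipe_pair_check on them; a non-zero exit means the ends disagree and ciped on at least one side will never talk to the other. Use cipe_gen_key (or the method in the CIPE documentation) for every link, and never the sample key above.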
2.5c. /etc/cipe/setroute

#!/bin/sh
# Routing table setup
# Routes to machine A and its network
/sbin/route add -host 10.10.1.1 dev cip3b0
/sbin/route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.1.1
2.5d. /etc/rc.d/rc.local

echo "Starting VPN network"
/usr/local/sbin/ciped -o /etc/cipe/options.machineA
/etc/cipe/setroute
2.5e. Firewall rules

(See 2.4f for details; machine B has only the one cipe device, cip3b0.)
  
# Flush all incoming firewall rules and