________________________________
Its cisco
i tried to send print screen of th show interface tunnel0 but the message didnt go with it ...
config is as follows
the cisco sit on the DMZ of the DSL router
the relevant part of the config is as follows
this router was working t my home and only the fellow changes his IP to meet his network
the router can ping the 169.228.66.251
interface Tunnel0
ip unnumbered Ethernet0
tunnel source Ethernet0
tunnel destination 169.228.66.251
tunnel mode ipip
!
interface Ethernet0
ip address 44.138.1.1 255.255.255.0 secondary
ip address 44.138.0.8 255.255.255.0 secondary
ip address 10.0.0.20 255.255.255.0 secondary
ip address 192.168.2.140 255.255.255.0
ip route-cache flow
ip tcp adjust-mss 1360
hold-queue 100 out
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel0 169.228.66.251
ip route 8.8.8.8 255.255.255.255 Ethernet0 10.0.0.138
ip route 169.228.66.251 255.255.255.255 Ethernet0 10.0.0.138
!
________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)hamradio.ucsd.edu> on behalf of Todor Kandev <todor(a)kandev.com>
Sent: Tuesday, August 23, 2016 11:28 PM
To: AMPRNet working group
Subject: Re: [44net] ipip tunnel problem for new gateway
(Please trim inclusions from previous messages)
_______________________________________________
Having issues with my crystal ball this morning... :D
What is your friend using (openwrt, mikrotik, cisco, linux, washing
machine, toaster...?) and how it's configured?
73,
LZ1ETE
On Wed, Aug 24, 2016 at 9:23 AM, R P <ronenp(a)hotmail.com> wrote:
> (Please trim inclusions from previous messages)
> _______________________________________________
>
>
>
> ________________________________
>
>
> ________________________________
>
>
> Hi there
>
> im helping a local ham to set up a gateway and i get strange behave
>
> the amprgw is accessible from his router the ipip table at the portal
> POINTfor the correct ip
>
> the router accessible from the outside world
>
> the tunnell interface according to the cisco is up but it look like that
> no data flow to the income
>
> how can i track where the problem is ?
>
> any help is appreciated
>
> thanks forward
>
> Ronen - 4Z4ZQ
>
> http://www.ronen.org
Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/>
www.ronen.orgronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com
>
> Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/>
> www.ronen.org<http://www.ronen.org>
> ronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com
>
>
>
>
________________________________
________________________________
Hi there
im helping a local ham to set up a gateway and i get strange behave
the amprgw is accessible from his router the ipip table at the portal POINTfor the correct ip
the router accessible from the outside world
the tunnell interface according to the cisco is up but it look like that no data flow to the income
how can i track where the problem is ?
any help is appreciated
thanks forward
Ronen - 4Z4ZQ
http://www.ronen.org
Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/>
www.ronen.orgronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com
Hi
can anyone explain why i get every second ping missing packets from AMPRGW ?
it happen not only from my PC also from other places ...
Regards
Ronen-4Z4ZQ
http://www.ronen.org
Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/>
www.ronen.orgronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com
C:\Documents and Settings\customer>ping 169.228.66.251
Pinging 169.228.66.251 with 32 bytes of data:
Request timed out.
Reply from 169.228.66.251: bytes=32 time=336ms TTL=40
Request timed out.
Reply from 169.228.66.251: bytes=32 time=286ms TTL=40
Ping statistics for 169.228.66.251:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 286ms, Maximum = 336ms, Average = 311ms
C:\Documents and Settings\customer>
Hello,
as far as I know, 44.128.0.0/16 is reserved for testing and experimentation and should be treated much like an RFC1918 subnet. That means it will not be routable to anyone (although it is advertised on BGP). So I have a few questions about its use:
1. Can an AMPRNet member use 44.128.0.0/16 in their home instead of, let’s say, 192.168.1.0/24? Note that I am not talking about routing these addresses, just use them in a non-connected place.
2. Can a non-ham use 44.128.0.0/16 in their home instead of, let’s say, 192.168.1.0/24?
3. Can a company use 44.128.0.0/16 for their intranet, instead of, let’s say, 10.0.0.0/8?
Note than in all three cases, nobody is connected to 44net gateways and just use the network like any other private address. I am aware that there’s no technical limitation in doing this and there are hardly any benefits from doing this, however I am asking for informational purposes.
Thanks!
Waldek,
Have you enabled connection tracking for the relevant
bridge/VLANs/tunnels, etc. that pass traffic (as this is disabled by
default on some systems for non-masqueraded traffic)?
In addition, is your default iptables forwarding policy REJECT or DROP,
instead of ACCEPT?
73,
Lynwood
KB3VWG
That "Requesting a Block" page has a lot of personal opinion it and also contains directives that may
be valid for some regions but not for others. This already starts with the first line.
Here in the Netherlands we don't use the portal for requesting blocks, only for registering blocks that are to be
used for IPIP tunnels. So requesting a block does not start with the portal, but with mailing a request for a block
to me and allocation of the block in the hostsfile for 44.137.0.0/16 followed by updating the DNS via the robot.
Once that is done, it can optionally be registered in the portal. I recommend users not to do this unless they
want to setup a gateway, because registered subnets that are not claimed by a gateway are up for grabs by
other gateway operators, and given that we have widely varying skills among out users it has repeatedly happened
that users (who often not even understand what it means and requires to run an IPIP gateway) create a gateway
entry and add someone else's subnet to it by mistake. This then cannot be corrected by either the owner of
the subnet or the coordinator of the IP space. It requires a "contact the portal admin" form entry to correct it
and that may take a long time to be acted upon. (I still have two open requests of that type)
I also don't agree with the "don't waste space" adagium. I allocate whatever is required for the experiment,
and now that we are using BGP internally on the radio network, that also includes /30 and /29 networks for
point-to-point links (/30 for links with only a router at each end, /29 when it is desired to have AP managment
addresses). Unlike on the internet, we have no lack of IPv4 space on AMPRnet!
There is no point in using RFC1918 addresses for this, and it causes problems with ICMP messages returned
from those routers, e.g. when using traceroute. I also don't agree with "an ISP uses unroutable addresses for
routers". Maybe some ISPs do that, but probably most do not.
About RFC1918 filtering: YES, everyone should filter RFC1918 addresses at every entry and exit into the network.
There are many configuration mistakes in ham networks, and I often see log results on those filters (which I
have configured with logging on our gateway). RFC1918 addresses come in via IPIP tunnels from all over the
world and also from radio. Of course it requires detailed knowledge of networking, policy routing, and NAT rules
to get a mixed net44/rfc1918 LAN correctly connected to AMPRnet (with NAT or blocking for the RFC1918 systems)
and let's face it: many users simply don't have that knowledge and are just trying.
So, everyone else should filter that traffic so that at least it does not get propagated far. I sometimes send mail
to repeat offenders and they often promise me that they will look at it, but it rarely stops completely.
Rob
> I have use tcpdump to check how working iptables
> I have try block this traffic by
> but not working for me
Again: you can NOT test it this way!
tcpdump will show you all packets even when you are dropping them in the filter.
I know this is sometimes a nuisance. It is difficult to test if your filters are working.
When your filter has the structure of:
- some packets dropped
- some other packets dropped
- more packets dropped
- all remaining packets accepted
(note that this is normally not a preferred structure of your blocklist)
you can work around it by inserting a rule like this just before the last ACCEPT rule
(or at the end of the table when the default setting is ACCEPT, again not a preferred situation):
iptables -A INPUT -i tunl0 -j NFLOG --nflog-group 44
This will send the packets to a "netfilter logging" interface where you can trace it with:
tshark -i nflog:44
(I don't think tcpdump supports dumping nflog interfaces but this may depend on version)
The result of this is that all packets that have already been dropped above that rule will
not reach the NFLOG target and will not be traced when you trace nflog:44.
However, it is normally preferred to work with a "default drop" setup. You accept all
packets that you know you want to accept, and drop everything else at the end of the table.
This makes it less likely that things pass by that you did not think about, like other
protocols than TCP and UDP.
It is still possible to have NFLOG logging of everything that is accepted, by first
creating a helper table like this:
iptables -N NFLOGACCEPT
iptables -A NFLOGACCEPT -j NFLOG --nflog-group 44
iptables -A NFLOGACCEPT -j ACCEPT
Then you setup your filter table like this:
iptables -A INPUT -i tunl0 -..... -j NFLOGACCEPT
iptables -A INPUT -i tunl0 -..... -j NFLOGACCEPT
iptables -A INPUT -i tunl0 -j DROP
Rob
> I have try block non 44/8 traffic via tunnel IPIP with iptables but without
> success
> I have use ampr-ripd to create port 'tunl0'
> I have add to firewall rule:
> iptables -A INPUT -i tunl0 -p all ! -s 44.0.0.0/8 -j DROP
> iptables -A FORWARD -i tunl0 -p all ! -s 44.0.0.0/8 -j DROP
> but I have still a lot of traffic via tunl0 non 44/8 ip address and it is
> look like this not working for me
How did you validate that you still have the traffic?
Does such traffic still reach an open port on your system or a system behind it?
E.g. when you have telnet or ssh running, can you still telnet or ssh from internet?
Note that using a trace tool like "tcpdump" or "tshark/wireshark" is NOT a valid way
of testing of those filters work!
When you do "tshark -i tunl0" with the above filters in place, you will still see the traffic.
This is because tshark and tcpdump trace the real traffic on those interfaces BEFORE the filters
have been applied.
Rob
Hi
I have try block non 44/8 traffic via tunnel IPIP with iptables but without
success
I have use ampr-ripd to create port 'tunl0'
I have add to firewall rule:
iptables -A INPUT -i tunl0 -p all ! -s 44.0.0.0/8 -j DROP
iptables -A FORWARD -i tunl0 -p all ! -s 44.0.0.0/8 -j DROP
but I have still a lot of traffic via tunl0 non 44/8 ip address and it is
look like this not working for me
I have add one more rule like where eth0 is my internet port
iptables -A OUTPUT -o eth0 -s 44.0.0.0/8 -j DROP
and it is help me to not send to internet 44/8 ip traffic but I would like
block incoming non 44/8 IP address via tunnel
--
Waldek sp2ong
