Yep... /32 works perfectly. Also had to add a rule (priority 48) to use
table 44 on my router whenever I go to 44 land from the router... Rules
in place at the moment are:
These are the ones I learned from you. I've done extensive
experimentation and modifications to them to break them and see what
makes them tick...
ip rule add to 44.98.63.0/29 table main priority 44
ip rule add dev tunl0 table 44 priority 45
ip rule add dev eth2 table 44 priority 46
ip rule add from 44.98.63.0/29 table 44 priority 47
These next two I found are necessary:
The priority 48 rule forces my lan machines to NOT use my AMPR tunnel to
go to other 44/8 addresses. It removes the need for me to NAT, but more
importantly it prevents others (unlicensed) who have access to my
wireless lan (nieces/nephews, sister-in-law) from going anywhere on
AMPRnet unless they access publicly available sites through the AMPR
gateway.
ip rule add from 172.27.141.0/24 to 44.0.0.0/8 table main priority 48
Priority rule #49 is the magic sauce that allows me to use the router
(my AMPR gateway) to perform network tests (mtr, traceroute, ping etc)
from the router to other 44/8 space. Without it these network tests go
out the external interface and in through the AMPR-GW. I've tested with
the rule in place and disabled and it works exactly as I expect.
ip rule add to 44.0.0.0/8 table 44 priority 49
So... I've arrived at what I would call the final solution for my
startampr script. It's been a bumpy road and I would have never gotten
here or learned what I've learned thus far without your assistance. I'm
currently working on the firewall script to protect the router. I'm
including stuff I learned from your ipipfilter.sh bogon filter and I'm
also including my adaptive firewall from the past that handles brute
force attackers (aka script kiddies) in real-time. I've seen lots of
attempts to get into my SSH port mainly from CN and RU based
(ipdeny.com) IP space...
I'll be publishing my long bumpy road once I get the firewall stable and
my web server registered in DNS... at last check Jerry hasn't responded
to my requests to modify my DNS entries.
---tom
Tom Cardinal/N2XU/MSgt USAF (Ret)/BSCS/CASP, Security+ ce
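To see how the six `ip rule` lines above interact, here is an added simulation (my own code, not from Tom's startampr script and not the kernel's implementation) of the routing policy database lookup: rules are tried in ascending priority and the first whose `from`/`to`/`dev` selectors all match decides the table. It only models that first-match step; the real kernel also falls through to the next rule when the chosen table has no route for the destination. The interface name `br-lan`, the router's public address `203.0.113.5` and the sample 44/8 hosts are constructed, and locally generated traffic is modelled as arriving on `lo`, which is how the kernel sees it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One line of the RPDB: lowest priority is tried first."""
    priority: int
    table: str
    src: Optional[str] = None   # "from" selector (CIDR) or None for any
    dst: Optional[str] = None   # "to" selector (CIDR) or None for any
    iif: Optional[str] = None   # "dev"/"iif" selector (input interface)

    def matches(self, src: str, dst: str, iif: str) -> bool:
        if self.src and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.iif and self.iif != iif:
            return False
        return True

# Tom's rule set, transcribed from the message above, plus the kernel's
# default catch-all at priority 32766 that sends everything else to main.
RULES = sorted([
    Rule(44, "main", dst="44.98.63.0/29"),
    Rule(45, "44", iif="tunl0"),
    Rule(46, "44", iif="eth2"),
    Rule(47, "44", src="44.98.63.0/29"),
    Rule(48, "main", src="172.27.141.0/24", dst="44.0.0.0/8"),
    Rule(49, "44", dst="44.0.0.0/8"),
    Rule(32766, "main"),
], key=lambda r: r.priority)

def lookup_table(src: str, dst: str, iif: str = "lo", rules=RULES) -> str:
    """Return the table the first matching rule selects.

    iif="lo" (the default) stands for traffic the router itself generated,
    e.g. mtr/traceroute/ping run from the gateway.
    """
    for rule in rules:
        if rule.matches(src, dst, iif):
            return rule.table
    raise LookupError("no rule matched")  # cannot happen with the catch-all present

def explain(src: str, dst: str, iif: str = "lo", rules=RULES) -> str:
    """Human-readable trace of which priority decided the lookup."""
    for rule in rules:
        if rule.matches(src, dst, iif):
            return f"{src} -> {dst} via {iif}: priority {rule.priority} -> table {rule.table}"
    return f"{src} -> {dst} via {iif}: no match"

if __name__ == "__main__":
    # LAN host (unlicensed user) trying to reach 44/8: rule 48 keeps it in main,
    # so it never enters the AMPR tunnel.
    print(explain("172.27.141.10", "44.1.2.3", "br-lan"))
    # Router-originated test traffic to 44/8: rule 49 sends it through table 44.
    print(explain("203.0.113.5", "44.1.2.3"))
    # Inbound over the tunnel for the local /29: rule 44 wins before rule 45.
    print(explain("44.20.30.40", "44.98.63.2", "tunl0"))
    # Same LAN host with rule 48 removed, to show what that rule prevents.
    no48 = [r for r in RULES if r.priority != 48]
    print(explain("172.27.141.10", "44.1.2.3", "br-lan", no48))
```

Running it prints the deciding priority for each case; the last line shows that without the priority 48 rule a LAN host's 44/8 traffic would fall through to rule 49 and ride the tunnel, which is exactly the leak the message describes.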
On 6/8/2017 03:54, lleachii--- via 44Net wrote:
Tom,
Will try it along with Marius'
suggestion to put 44.98.63.6/8 on tunl0.
I'm not 100% sure this works on
Linux, you should probably use a /32
from your allocation:
- Packets come to your border for your subnet
- Your tunl0 is in the network 44.0.0.0/8
- It has no need to forward the packet
The mere fact that the single IP is not assigned may work (i.e.
kmod-ipip removes the header and places it in the netfilter chain); but
if you were to change ip rules, this might cause an anomaly. Using /32
is better, I recall that being our friend's suggestion to me over the
years.
- KB3VWG
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net