Yep... /32 works perfectly. Also had to add a rule (priority 48) to use table 44 on my router whenever I go to 44 land from the router... Rules in place at the moment are:
These are the ones I learned from you. I've done extensive experimentation and modifications to them to break them and see what makes them tick...

    ip rule add to 44.98.63.0/29 table main priority 44
    ip rule add dev tunl0 table 44 priority 45
    ip rule add dev eth2 table 44 priority 46
    ip rule add from 44.98.63.0/29 table 44 priority 47
These next two I found are necessary: The priority 48 rule forces my LAN machines to NOT use my AMPR tunnel to go to other 44/8 addresses. It removes the need for me to NAT, but more importantly it prevents others (unlicensed) who have access to my wireless LAN (nieces/nephews, sister-in-law) from going anywhere on AMPRnet unless they access publicly available sites through the AMPR gateway.

    ip rule add from 172.27.141.0/24 to 44.0.0.0/8 table main priority 48
Priority rule #49 is the magic sauce that allows me to use the router (my AMPR gateway) to perform network tests (mtr, traceroute, ping etc) from the router to other 44/8 space. Without it these network tests go out the external interface and in through the AMPR-GW. I've tested with the rule in place and disabled and it works exactly as I expect.

    ip rule add to 44.0.0.0/8 table 44 priority 49
So... I've arrived at what I would call the final solution for my startampr script. It's been a bumpy road and I would have never gotten here or learned what I've learned thus far without your assistance. I'm currently working on the firewall script to protect the router. I'm including stuff I learned from your ipipfilter.sh bogon filter and I'm also including my adaptive firewall from the past that handles brute force attackers (aka script kiddies) in real-time. I've seen lots of attempts to get into my SSH port mainly from CN and RU based (ipdeny.com) IP space...
I'll be publishing my long bumpy road once I get the firewall stable and my web server registered in DNS... at last check Jerry hasn't responded to my requests to modify my DNS entries.
---tom Tom Cardinal/N2XU/MSgt USAF (Ret)/BSCS/CASP, Security+ ce
On 6/8/2017 03:54, lleachii--- via 44Net wrote:
Tom,
Will try it along with Marius' suggestion to put 44.98.63.6/8 on tunl0.
I'm not 100% sure this works on Linux, you should probably use a /32 from your allocation:
- Packets come to your border for your subnet
- Your tunl0 is in the network 44.0.0.0/8
- It has no need to forward the packet
The mere fact that the single IP is not assigned may work (i.e. kmod-ipip removes the header and places it in the netfilter chain); but if you were to change ip rules, this might cause an anomaly. Using /32 is better, I recall that being our friend's suggestion to me over the years.
- KB3VWG
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
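The rule set in the thread above is easy to get subtly wrong, because Linux walks `ip rule` entries in priority order and silently falls through to the next rule when a selected table has no matching route. The following is an added example, not code from the post or from the AMPRnet project: a small simulator of that lookup, loaded with the six rules quoted above plus the kernel's default main-table rule. The routing tables, the interface names eth0 and br-lan, and all sample addresses are constructed assumptions for illustration; the real table 44 on an AMPR gateway will carry more routes. It also shows what changes when rule 48 or rule 49 is removed, which is the behaviour the poster describes testing by hand.

```python
# Added example (not from the original post): a small simulator of Linux policy
# routing (ip rule / ip route) for the rule set quoted above, so each rule's
# effect on a packet can be checked without touching a live router.
# Routing tables, device names and sample addresses are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    """One 'ip rule' entry; a selector left as None matches anything."""
    priority: int
    table: str
    src: Optional[Net] = None   # 'from'
    dst: Optional[Net] = None   # 'to'
    iif: Optional[str] = None   # 'dev' / 'iif'

    def matches(self, src, dst, iif):
        return ((self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and (self.iif is None or self.iif == iif))


# The six rules from the post plus the kernel's default main-table rule (32766).
# The local table (priority 0) is omitted for brevity.
RULES = [
    Rule(44, "main", dst=Net("44.98.63.0/29")),
    Rule(45, "44", iif="tunl0"),
    Rule(46, "44", iif="eth2"),
    Rule(47, "44", src=Net("44.98.63.0/29")),
    Rule(48, "main", src=Net("172.27.141.0/24"), dst=Net("44.0.0.0/8")),
    Rule(49, "44", dst=Net("44.0.0.0/8")),
    Rule(32766, "main"),
]

# Constructed routing tables (assumption: a simplified router). Entries are
# (prefix, egress device); longest prefix wins within a table.
TABLES = {
    "main": [
        (Net("0.0.0.0/0"), "eth0"),          # default route to the ISP uplink (assumed name)
        (Net("44.98.63.0/29"), "eth2"),      # the poster's 44 allocation, LAN side
        (Net("172.27.141.0/24"), "br-lan"),  # unlicensed household LAN (assumed name)
    ],
    "44": [
        (Net("44.0.0.0/8"), "tunl0"),        # rest of AMPRnet through the IPIP tunnel
        (Net("44.98.63.0/29"), "eth2"),
    ],
}


def lookup(table, dst):
    """Longest-prefix match inside one table; None when the table has no route."""
    best = None
    for prefix, dev in TABLES[table]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev)
    return best[1] if best else None


def route(src, dst, iif=None, rules=RULES):
    """Walk the rules in priority order, as the kernel does. A rule whose table
    holds no matching route does not end the lookup; the walk continues."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src, dst, iif):
            dev = lookup(rule.table, dst)
            if dev is not None:
                return rule.priority, rule.table, dev
    return None


def without(rules, priority):
    """Copy of the rule list with one priority removed, for what-if checks."""
    return [r for r in rules if r.priority != priority]


if __name__ == "__main__":
    # Router-originated traffic from an unbound socket is looked up with src 0.0.0.0.
    cases = [
        ("LAN host to AMPRnet", "172.27.141.20", "44.10.20.30", "br-lan"),
        ("router itself to AMPRnet", "0.0.0.0", "44.10.20.30", None),
        ("tunnel inbound to own /29", "44.20.30.40", "44.98.63.3", "tunl0"),
        ("own /29 host to AMPRnet", "44.98.63.3", "44.50.60.70", "eth2"),
        ("own /29 host to non-44", "44.98.63.3", "198.51.100.1", "eth2"),
    ]
    for label, src, dst, iif in cases:
        print(f"{label:28s} -> {route(src, dst, iif)}")
    print("router to AMPRnet w/o rule 49  ->",
          route("0.0.0.0", "44.10.20.30", None, without(RULES, 49)))
    print("LAN host to AMPRnet w/o rule 48 ->",
          route("172.27.141.20", "44.10.20.30", "br-lan", without(RULES, 48)))
```

Running it shows the two effects the poster describes: with rule 48 in place a household LAN host bound for 44/8 is sent to the main table and out the uplink rather than into the tunnel, and without rule 49 the router's own mtr/ping to 44/8 falls through to the main table's default route instead of tunl0. The last case illustrates the fall-through: a packet arriving on eth2 matches rule 46, but table 44 has no route for a non-44 destination, so the kernel keeps walking until the main table answers.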