You mean protocol forwarding. Ipencap is protocol 4. If your ampr
gateway is behind a traditional NAT router, you need to find a way to
forward protocol 4 to it.
An example is (where 192.168.1.10 is your ampr gateway):
iptables -t nat -A PREROUTING -p 4 -j DNAT --to 192.168.1.10
Depending on your router you might be able to do this via some sort of
script (firewall) input box or via the CLI. Short of that, you could
always try pointing DMZ to your gateway.
The reply route for anything coming in via the internet must send the
reply through UCSD. So something like this must exist:
ip route add default dev tunl0 via 169.228.34.84 onlink table 44
And of course to get stuff off the internet to your gateway requires an
ampr.org DNS entry.
On Sun, Mar 3, 2019 at 2:16 PM Bent Bagger via 44Net
<44net(a)mailman.ampr.org> wrote:
Hi
I have acquired myself a problem. Recently I decided to move all web
services away from the gateway to an ‘inner’ server. This is easily done
by using port forwarding in the firewall on the gateway. Thus I forward
all web services by using this line:
iptables -t nat -A PREROUTING -p tcp -m multiport --dport $Services -d $EXT_IP -j DNAT --to $webserver
where $Services is defined as
Services="smtp,domain,www,https,submission,imaps",
$EXT_IP is my external IP address and $webserver is the IP address of
the ‘inner’ server.
I do the same for the ampr interface:
$iptables -t nat -A PREROUTING -p tcp -m multiport --dport $Services -i ampr0 -j DNAT --to $webserver
In this case it is only the www and https services that are relevant
since I do not do mail on the 44-address.
All of this works of course as it should for ordinary IP addresses
(non-44) and it also works fine when coming from a 44-address.
Furthermore it works fine when I ping my 44-address from any IP address
(which isn't surprising as ICMP is not forwarded). But it fails
miserably when accessing my 44-address (44.145.40.3) from an ordinary IP
address. The incoming request comes nicely in on the ampr interface,
but the reply goes out the WAN interface to the Internet at large and is
thus not recognized as a reply on the originating host.
I have spent quite a bit of time trying to find out why this is so. I'm
convinced it is something in my setup that is the cause of this
behavior, but I’m at a loss as what it may be, so I hope some of you
eagle-eyed people out there can spot the error.
Here are some details of my setup.
Routing rules:
$ip rule list
0: from all lookup local
44: from all to 44.0.0.0/8 lookup ampr
45: from 44.145.40.3 lookup ampr
32766: from all lookup main
32767: from all lookup default
Main routing table:
$ip route list
default via 86.48.99.33 dev enp0s7 metric 3
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.19.0/24 dev enp0s6 proto kernel scope link src 192.168.19.6
‘ampr’ routing table (table 44) (excerpts):
$ip route list table ampr | head -n4
default via 169.228.34.84 dev ampr0 onlink
44.2.0.1 via 191.183.136.1 dev ampr0 proto 44 onlink window 840
44.2.2.0/24 via 216.218.207.198 dev ampr0 proto 44 onlink window 840
44.2.7.0/30 via 98.208.73.100 dev ampr0 proto 44 onlink window 840
My gateway is a Soekris Net5501 running Gentoo Linux updated to the
latest versions last Monday.
I do hope I have expressed myself clearly enough and provided details
enough so that one of you can point at something and say: ‘there is your
error’. If some information is missing or lacking please ask for it and
I’ll provide as much as I can.
Best 73 de Bent/OZ6BL
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
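The reply above describes the route every tunnel reply must take (a default via UCSD in table 44), and Bent's post shows the symptom when a DNATed service replies via the WAN instead. The script below is an added example, not code from either message or from the AMPR project, that puts the two together for forwarded services. The point it handles: for a connection that was DNATed to an inner host, conntrack rewrites the reply's source address back to the 44-net address in nat/POSTROUTING, which runs after the routing decision, so at routing time the reply still carries the inner server's LAN address and a rule such as `from 44.145.40.3 lookup ampr` does not match. Marking the connection when it arrives on the tunnel and restoring that mark in mangle/PREROUTING (before routing) lets an `fwmark` rule send the reply through table 44. Interface names, the 44-net address and the UCSD gateway are taken from the posts; the inner server address 192.168.19.10, the mark value 44 and the rule priority 43 are assumptions.

```shell
#!/bin/sh
# Added example (not from the 44Net thread): policy routing so that replies to
# connections which arrived over the AMPR tunnel leave over the tunnel again,
# including connections that were DNATed to an inner server.
#
# The plain "from 44.145.40.3 lookup ampr" rule only covers traffic the
# gateway answers itself: for a DNATed connection the reply's source is
# rewritten back to 44.145.40.3 in nat/POSTROUTING, after routing, so the
# reply is routed while it still has the LAN source and falls through to
# the main table's WAN default.  A connection mark restored in
# mangle/PREROUTING (before routing) is what the fwmark rule keys on.
set -eu

# Assumed names and addresses (taken from the posts where they appear).
AMPR_IF=ampr0            # IPIP tunnel interface
LAN_IF=enp0s6            # LAN interface towards the inner server
AMPR_IP=44.145.40.3      # the gateway's own 44-net address
WEBSERVER=192.168.19.10  # inner web server (assumed address)
UCSD=169.228.34.84       # AMPR default gateway at UCSD
TABLE=44                 # id of the 'ampr' routing table
MARK=44                  # fwmark that selects the ampr table (assumption)
SERVICES=www,https       # ports forwarded on the 44-net side

# Emit the configuration one command per line, so it can be reviewed (and
# tested) before being executed with root privileges.
build_rules() {
    cat <<EOF
ip route replace default via $UCSD dev $AMPR_IF onlink table $TABLE
ip rule add fwmark $MARK lookup $TABLE priority 43
iptables -t nat -A PREROUTING -i $AMPR_IF -p tcp -m multiport --dports $SERVICES -j DNAT --to-destination $WEBSERVER
iptables -t mangle -A PREROUTING -i $AMPR_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
EOF
}

# Number of commands build_rules produces (sanity check before applying).
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Run each generated command; needs root and the iproute2/iptables tools.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# After applying: ask the kernel which way a marked reply to a public
# address would go.  The answer must name the tunnel, not the WAN device.
check_reply_path() {
    dst=${1:-8.8.8.8}   # any public address works here
    ip route get "$dst" from "$AMPR_IP" mark "$MARK" | grep -q "dev $AMPR_IF"
}

case "${1:-show}" in
    show)  build_rules ;;
    apply) apply_rules ;;
    check) check_reply_path "${2:-}" && echo "reply path OK (via $AMPR_IF)" ;;
esac
```

Run it without arguments to print the rule set, `apply` as root to install it alongside the existing `from 44.145.40.3 lookup ampr` rule, and `check` afterwards to confirm that a marked reply is routed out of ampr0 rather than the WAN interface. Connections that arrive from the WAN and are DNATed get connection mark 0, so their replies keep using the main table.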