This could be me or maybe not.
I got online a few weeks ago with Lynwood's help; without it I'd still be
offline. Since then I've been attempting to take my script apart and
put it back together in an attempt to understand what makes it work and
what breaks it.
From a workstation on my segment I am able to ping, browse and pretty
much do anything I'd expect to be able to do. The problem arises if I
attempt to ping or traceroute on my gateway to anything in the AMPRnet.
No matter what routes exist in my routing table (44) and what rules I
create, any and all attempts to connect to an AMPR IP INSIST on going
out through eth0 OR try to use the external IP of my gateway box on
the tunl0 interface.
I'm using an Ubuntu 16.04 LTS box with the latest ampr-ripd (2.3).
Configuration is:
eth0 - isp provided address (DHCP) (IPTables Masqueraded interface for LAN)
eth1 - home LAN on RFC 1918 IP space 192.168.1.254/24
eth2 - 44.98.63.6/29 My AMPR segment
tunl0 - Tunnel to the rest of the AMPRNET. (no IP Address assigned)
As I said earlier, from the gateway I can't initiate connections through
the tunl0 interface even though everything works from an AMPR IP (listed
in DNS) on my segment. I'm putting my start script up here. Firewall
is in a separate script with nothing blocked at the moment (wide open),
I normally run a pretty restrictive firewall and will re-lock it down
when I get things sorted out.
---- startampr script ----
#!/bin/sh
### ENABLE IP FORWARDING ###
sysctl -w net.ipv4.ip_forward=1
### Allows traceroute to respond using 44net IP of tunl0 or br-amprlan
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr
### AMPRNet IPENCAP ###
modprobe ipip
ip tunnel add tunl0 mode ipip
### Bring the tunl0 interface up ###
ip link set tunl0 mtu 1480 up
ip tunnel change tunl0 ttl 64 pmtudisc
### ROUTING
### Set default route
ip route add default dev tunl0 via 169.228.34.84 onlink proto 44 table 44
### OPTIONAL LOCAL RULES
ip rule add from 44.98.63.0/29 to 192.168.1.0/24 table main priority 22
ip rule add from 192.168.1.0/24 to 44.98.63.0/29 table main priority 23
#### REQUIRED RULES
### Handles routing between local AMPR segment and External AMPR network
ip rule add to 44.98.63.0/29 table main priority 44
ip rule add dev tunl0 table 44 priority 45
ip rule add dev eth2 table 44 priority 46
ip rule add from 44.98.63.0/29 table 44 priority 47
### RUN AMPR-RIPD
/usr/sbin/ampr-ripd -i tunl0 -t 44 -a 44.98.63.0/29 -s -x \
    '/etc/ampr/load_ipipfilter.sh' -p <password>
#### End startampr script ####
If I try to add a route to 44.0.0.0/8 with this command:
ip rule add to 44.0.0.0/8 table 44 priority 48
and then I do "ip route get 44.0.0.1" I get the following output:
root@blackjack:~# ip route get 44.0.0.1
44.0.0.1 via 169.228.34.84 dev tunl0 src 68.109.14.113
cache window 840
When the priority 48 rule is in place, my workstation on my 44net segment
loses connectivity through the tunnel... Perhaps my ip rule commands are
incomplete. I know I'm close, but what am I missing? Are there any
policy routing experts that can help explain what I'm missing and why
what I have doesn't work if I try to ping/traceroute/mtr on the gateway?
--
Tom Cardinal/N2XU/MSgt USAF (Ret)/BSCS/CASP, Security+ ce
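Added example, not from Tom's post or the ampr-ripd project: a small Python model of the policy-routing lookup the kernel performs, loaded with the rules from the startampr script above. It shows that a packet the gateway itself originates is looked up with source 0.0.0.0 and incoming interface lo, so none of the from/dev rules match and the lookup falls through to main and eth0, while the priority 48 rule lands in table 44, where the preferred source is taken from another interface because tunl0 has no address and the route carries no src. The eth0 prefix length, the main-table default via eth0 and the simplified source-selection order are assumptions.

```python
import ipaddress as ipa
# Interface addresses from the post; the eth0 prefix length is a guess.
IFACES = {
    "eth0": ["68.109.14.113/24"],   # ISP-assigned address (DHCP)
    "eth1": ["192.168.1.254/24"],   # home LAN
    "eth2": ["44.98.63.6/29"],      # local AMPR segment
    "tunl0": [],                    # IPIP tunnel, no address assigned
}
# (prefix, egress dev, preferred src); main's default via eth0 is assumed.
TABLES = {
    "main": [("192.168.1.0/24", "eth1", None), ("44.98.63.0/29", "eth2", None),
             ("68.109.14.0/24", "eth0", None), ("0.0.0.0/0", "eth0", None)],
    44: [("0.0.0.0/0", "tunl0", None)],
}
# startampr rules as (prio, from, to, iif, table); "dev" in ip rule means iif.
RULES = [
    (22, "44.98.63.0/29", "192.168.1.0/24", None, "main"),
    (23, "192.168.1.0/24", "44.98.63.0/29", None, "main"),
    (44, None, "44.98.63.0/29", None, "main"),
    (45, None, None, "tunl0", 44),
    (46, None, None, "eth2", 44),
    (47, "44.98.63.0/29", None, None, 44),
    (32766, None, None, None, "main"),  # the kernel's built-in main rule
]

def pick_src(dev):
    """Source for a locally generated packet: an address on the egress device,
    else the first address on any other interface (kernel fallback, simplified)."""
    for d in [dev] + [i for i in IFACES if i != dev]:
        for a in IFACES[d]:
            return str(ipa.ip_interface(a).ip)
    return None

def lookup(dst, src=None, iif="lo", extra_rules=(), tables=TABLES):
    """Walk rules by priority, then longest-prefix match in the chosen table.
    Locally generated traffic is looked up with src 0.0.0.0 and iif lo."""
    dst, src = ipa.ip_address(dst), ipa.ip_address(src or "0.0.0.0")
    for prio, frm, to, rif, table in sorted([*RULES, *extra_rules], key=lambda r: r[0]):
        if (frm and src not in ipa.ip_network(frm)) or \
           (to and dst not in ipa.ip_network(to)) or (rif and iif != rif):
            continue  # selector does not match: try the next rule
        best = max((r for r in tables[table] if dst in ipa.ip_network(r[0])),
                   key=lambda r: ipa.ip_network(r[0]).prefixlen, default=None)
        if best is None:
            continue  # table has no route for dst: fall through to next rule
        _, dev, hint = best
        chosen = str(src) if str(src) != "0.0.0.0" else (hint or pick_src(dev))
        return {"rule": prio, "table": table, "dev": dev, "src": chosen}
    return None
```

Passing a tables dict whose table-44 default route carries a src hint (the third tuple field) makes the same gateway-originated lookup return that 44net address instead of the eth0 one.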