Isn't it easier to use 2 accept rules?
- First, accept IPIP on outer interface - this will allow the tunnel interface to work (whatever rule you want to apply)
iptables -A INPUT -i eth0 -p ipencap (...) -j ACCEPT
- and next, set a rule only for RIP on the tunnel itself, since they will come in via the tunnel interface, to accept only RIP from amprgw:
iptables -A INPUT -i tunl0 -p udp -s 44.0.0.1 --sport 520 --dport 520 -j ACCEPT
- and drop all other RIP from anywhere else
iptables -A INPUT -p udp -s 44.0.0.1 --dport 520 -j DROP
Marius, YO2LOJ
On 26/01/2022 03:35, lleachii--- via 44Net wrote:
All,
I thought on some security matters of AMPRNet; and one that could not be mitigated easily was:
* even if you firewall IPENCAP, how to block others except AMPRGW from sending routes to port 520/udp
Someone mentioned previously they saw a MAC that was a hash that contained the outer SRC IP; but after years, I cannot find an OS Kernel that produces it.
I believe I have a solution; it required some hexadecimal calculations (see: http://www.stearns.org/doc/iptables-u32.current.html). Using the u32 iptables module for those who can (and a compatible module on other systems), we merely need to find the bit/byte positions in the packet:
Outer Header:
- the IP of AMPRGW (0xa9e42254)
- Protocol type IPENCAP (IP Protocol No. 4) (0x04)
Inner Header (add 20 bytes to the offset of the first header):
- SRC IP 44.0.0.1 (0x2c000001)
- Protocol UDP (0x06)
- UDP - port 520 (0x0208)
I believe this should read as an iptables rule like:
iptables <foo> -m u32 --u32 "12&0xFFFFFFFF=0xA9E42254 && 6&0xFF=0x04 && 32&0xFFFFFFFF=0x2c000001 && 26&0xFF=0x11 && 40&0xFFFF=0x0208" -j ACCEPT
My question: has anyone already calculated these positions and values or tested before?
I didn't want to have to "reinvent the wheel"...but you can just check my math now before attempting to implement.
73,
Lynwood
KB3VWG
Member W3PGC/K3ERA - APRS Coordinator / Co-SkyWarn Coordinator
_________________________________________
44Net mailing list
44Net@mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
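Added example (not part of the thread, and not code from either poster): a small Python script that builds a constructed IPIP packet carrying a RIP datagram and evaluates the u32 offset/mask/value tests against it, so the "math" in the quoted rule can be checked offline before touching a firewall. It implements only the "offset&mask=value" tests joined by "&&" from the u32 syntax, reading each 32-bit word big-endian from the start of the outer IP header, which is what the INPUT chain sees. The outer destination address, the inner destination, the TTLs and the RIP payload bytes are placeholders chosen for the test.

```python
import ipaddress
import struct

# Values taken from the thread: AMPRGW outer source and the RIP source/port.
AMPRGW_OUTER_SRC = "169.228.34.84"   # 0xa9e42254
RIP_INNER_SRC = "44.0.0.1"           # 0x2c000001
RIP_PORT = 520                       # 0x0208
IPPROTO_IPIP = 4
IPPROTO_UDP = 17                     # 0x11 (0x06 would be TCP)

# The rule under test, with the inner protocol byte set to UDP (0x11) and the
# UDP destination port read from the word at byte 40 (inner UDP header starts
# at 20 + 20 = 40; bytes 42-43 are the destination port, hence mask 0xFFFF).
U32_RULE = ("12&0xFFFFFFFF=0xA9E42254 && 6&0xFF=0x04 && "
            "32&0xFFFFFFFF=0x2c000001 && 26&0xFF=0x11 && 40&0xFFFF=0x0208")


def ip_hex(addr):
    """Dotted-quad -> the 32-bit hex literal used in a u32 test."""
    return hex(int(ipaddress.IPv4Address(addr)))


def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header (IHL=5, no options); checksum left as 0
    # because nothing here validates it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_ipip_packet(outer_src, inner_src, inner_proto=IPPROTO_UDP,
                      sport=RIP_PORT, dport=RIP_PORT):
    """Constructed outer IPv4 / inner IPv4 / UDP packet with a dummy RIP payload."""
    rip_payload = b"\x02\x02\x00\x00"          # placeholder RIPv2 response header
    udp = struct.pack("!HHHH", sport, dport, 8 + len(rip_payload), 0) + rip_payload
    inner = ipv4_header(inner_src, "44.1.2.3", inner_proto, len(udp)) + udp   # placeholder dst
    return ipv4_header(outer_src, "203.0.113.10", IPPROTO_IPIP, len(inner)) + inner  # placeholder dst


def u32_match(expr, packet):
    """Evaluate 'off&mask=val && ...' u32 tests against raw packet bytes."""
    for test in expr.split("&&"):
        lhs, val = test.strip().split("=")
        off, mask = lhs.split("&")
        off, mask, val = int(off, 0), int(mask, 0), int(val, 0)
        if off + 4 > len(packet):          # u32 fails the test if the word is not present
            return False
        word = struct.unpack_from("!I", packet, off)[0]
        if (word & mask) != val:
            return False
    return True


def rule_accepts(outer_src=AMPRGW_OUTER_SRC, inner_src=RIP_INNER_SRC,
                 inner_proto=IPPROTO_UDP, dport=RIP_PORT):
    """True when U32_RULE matches a packet built with the given fields."""
    return u32_match(U32_RULE, build_ipip_packet(outer_src, inner_src, inner_proto, dport=dport))


if __name__ == "__main__":
    print("AMPRGW as u32 literal:", ip_hex(AMPRGW_OUTER_SRC))
    print("genuine RIP via AMPRGW:", rule_accepts())
    print("spoofed inner 44.0.0.1 from other gateway:", rule_accepts(outer_src="198.51.100.7"))
    print("inner TCP instead of UDP:", rule_accepts(inner_proto=6))
```

The fixed offsets assume the outer header carries no IP options (IHL=5); the u32 module can compute the inner offset from the IHL field instead, and it only ever sees the first fragment, so a rule like this is best treated as a pre-filter on the outer interface alongside the per-interface checks described earlier in the thread.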