Lynwood helped me when I came online. I learned a lot from Lynwood; he helped me sort my routing table out. I have not been doing a lot lately with my little piece of the AMPRnet, but it seems to work. My script isn't exactly letter perfect, but I incorporated the ipset ipipfilter that he sent me. I've also used the iptables recent module to drop brute-force attempts on SSH against my 44net gateway address.
My gateway is currently a Raspberry Pi with a USB interface as the external interface, running in a DMZ behind a pfSense router. It works well because the only traffic that hits my AMPR gateway is the IPIP tunneled traffic, thus simplifying my routing table.
Tom/N2XU
On Jan 10, 2019, at 7:28 PM, LLEACHII--- via 44Net 44net@mailman.ampr.org wrote:
Rob,
I never noted I have a problem. The ipset script is the one I currently use. As I recall, the iptables was verbatim from another operator - and it worked as well. I can't recall who gave me that script. The ipset script is the one I edited, per your message in 2018. I have made no updates to the iptables script; and left lots of old notes and comments intact - hence some of the comments may disagree.
I edited it to use ipset approximately 2 years ago, hence the remaining while statement. I'm sure anyone utilizing the ipset script would like it to be as straightforward as possible - are you suggesting (pseudo-code confuses me):
#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="<AMPRGW>"
# encap.txt is written by ampr-ripd; bail out if the directory is missing
cd /var/lib/ampr-ripd || exit 1
# create the set if it does not exist yet, then start from an empty set
ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
# the AMPR gateway itself is always allowed
ipset -A ipipfilter "$AMPRGW"
# add every unique tunnel endpoint listed in encap.txt
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read -r ip
do
    ipset -A ipipfilter "$ip"
done
I tested it and it seems to work. I also believe diffutils doesn't need to be installed. I'll update the OpenWrt Wiki.
I only noted it in this particular best practices/tools thread due to messages in SEP2018: https://mailman.ampr.org/mailman/private/44net/2018-September/009294.html
I like to "lock down" my router as much as possible. I do understand we've chatted in the past that my methods may be too paranoid; but I'd prefer to have an extra step to secure the IPENCAP interface.
73,
- Lynwood
KB3VWG
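A variation on the ipipfilter script above, added here as an illustration and not part of either operator's scripts: it builds the set from encap.txt into a temporary set and swaps it into place with ipset restore, so the live set is never empty between the flush and the end of the loop. It assumes the same encap.txt line format ("route addprivate ... encap A.B.C.D"), the same AMPRGW variable, and that ipset restore accepts create/flush/add/swap/destroy lines; the sample encap.txt content is constructed.

```shell
#!/bin/sh
# Added example: build the ipipfilter set from ampr-ripd's encap.txt and
# install it atomically via a temporary set plus "ipset swap". The
# flush-then-refill approach leaves a window in which every IPIP packet
# fails the set match until the while loop has finished.
# Assumptions: encap.txt lines look like
#   route addprivate 44.x.x.x/24 encap A.B.C.D
# and AMPRGW is the AMPR gateway address, as in the original script.

# Print the unique encap endpoints found in encap.txt text read from stdin.
encap_endpoints() {
    grep 'addprivate' | sed -e 's/.*encap //' | sort -u
}

# Emit ipset restore commands on stdout: fill ipipfilter_tmp, then swap it
# in under the name the firewall rule matches on (ipipfilter).
# Usage:
#   gen_ipipfilter_restore "$AMPRGW" < /var/lib/ampr-ripd/encap.txt \
#       | ipset -exist restore
gen_ipipfilter_restore() {
    gw="$1"
    printf 'create ipipfilter hash:ip\n'
    printf 'create ipipfilter_tmp hash:ip\n'
    printf 'flush ipipfilter_tmp\n'
    printf 'add ipipfilter_tmp %s\n' "$gw"
    encap_endpoints | while read -r ip; do
        printf 'add ipipfilter_tmp %s\n' "$ip"
    done
    printf 'swap ipipfilter_tmp ipipfilter\n'
    printf 'destroy ipipfilter_tmp\n'
}

# Constructed sample encap.txt content (documentation addresses, not real
# AMPRnet gateways); two subnets share one endpoint to show deduplication.
SAMPLE_ENCAP='route addprivate 44.1.1.0/24 encap 192.0.2.10
route addprivate 44.1.2.0/24 encap 192.0.2.10
route addprivate 44.1.3.0/24 encap 198.51.100.7'

# Stand-alone run: print the restore script for the sample data.
printf '%s\n' "$SAMPLE_ENCAP" | gen_ipipfilter_restore 203.0.113.1
```

The resulting set is consumed by an INPUT rule of the form `iptables -A INPUT -p 4 -m set ! --match-set ipipfilter src -j DROP` (protocol 4 is IPIP), which is the "extra step" on the IPENCAP interface discussed above.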
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net