I'm also using a standard Ubuntu Linux Server 11.10 with rip44d and a web application
providing a GUI named Webmin. This is a quick overview of the setup.
This setup can be done with telnet and SSH; for the sake of simplicity, for those who know
the command-line syntax I will omit the necessaries.
1.) - with IP forwarding (Routing) enabled in /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
2.) - I installed the webmin (a web GUI application for servers) package to better enable
on-the-fly iptables firewall configuration, NAT, masquerade, etc. (These configurations
allowed me to have this server as the router for my 44.60.44/24 subnet over AMPR, while also
having a private 192.168/24 subnet that uses my standard non-tunneled gateway IP address
from my ISP.) PE1CHL recommended table-based policy routing; it configures any 44/8 address
to use a routing table named "44"; all other traffic is routed on main. If you set up this
router to use NAT or masquerade for a private network using your ISP's gateway, there will
also be entries in the "nat" table. An edit to the rip44d script is necessary to place the
44/8 routes into a routing table named "table 44."
3.) - eth0 was configured at setup as the device connected to the Gateway address.
4.) - In this example, eth1 is the Ethernet interface that will be used as your LAN side,
providing your 44 addresses (in this example 44.128.0.0/24) of the router connection (if
you do not have access to another NIC, you may also want to set this up virtually to the
address on your LAN if this is not the routing device for your physical network).
Interface tunl0 is the default Linux IPIP encapsulation tunnel. The example/testing subnet
44.128.0.0/24 will be the subnet assigned to the gateway on tunl0 and eth1 used here.
5.) - with the help of Brian and PE1CHL, I then created a script named
/usr/local/sbin/startampr to run on boot (it can be set up to run at boot in the Webmin GUI
under "Bootup and Shutdown"):
#!/bin/sh
### Enables AMPR IPIP Tunnel Interface
modprobe ipip
ip addr add 44.128.0.2/24 dev tunl0
# gives tunnel its own TTL enabling traceroute over tunnel
ip tunnel change ttl 64 mode ipip tunl0
ip link set dev tunl0 up
### Creates AMPR Default Routes on main Route Table
# route to 44.128.0.0/24 on main route table (priority 1 wins over the 44/8 rules below)
ip rule add to 44.128.0.0/24 table main priority 1
### Specifies Routes to and from 44/8 are entered on Route Table 44
ip rule add from 44.0.0.0/8 table 44 priority 44
ip rule add to 44.0.0.0/8 table 44 priority 45
### Creates Default Route to the AMPRGW and the
### Internet At-large, on the 44 Router
## Per PE1CHL: 'This is "required" to get routing of the net-44 traffic
## correct and have a default route for the tunneled traffic different from
## the default route of the system. It may be possible to get it working
## without this, but policy based routing is so much easier'
# AMPRGW connects via eth0
ip route add 169.228.66.251 dev eth0 table 44
# Connection to 0/0 by 44/8 hosts on AMPRGW; commenting this out disables
# Internet access for your 44 subnet
ip route add default dev tunl0 via 169.228.66.251 onlink table 44
### This can be omitted if your device will not provide separate local traffic - KB3VWG -
### This adds a route to the local subnet on the 44 route table
ip route add 192.168.0.0/24 dev eth0 table 44
### Begins the rip44d Router (detached; stdin from /dev/null so it survives the boot shell)
/usr/local/sbin/rip44d_table44 -a <my public gateway IP> -p <the password> < /dev/null &
6.) rip44d_table44 is the rip44d script edited to place the AMPR routes into "Table
44":
Line 201
- $cmd = "LANG=C $routebin route add $rkey via $nexthop dev $tunnel_if window
$tcp_window onlink";
+ $cmd = "LANG=C $routebin route add $rkey via $nexthop dev $tunnel_if window
$tcp_window onlink table 44";
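Review bot: only the `route add` command at line 201 gains `table 44`; if rip44d issues any other `$routebin route ...` commands (for example a `route del` when a learned route expires, or a `route list dev $tunnel_if` to pick up routes already present at startup), those will still operate on the main table and will neither find nor remove routes that now live in table 44, leaving stale 44/8 routes behind. Apply the same `table 44` suffix to every such command, ideally through one variable (e.g. `$route_table`) so the table name is set in a single place and can be made a command-line option instead of a literal.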
7.) The routers 'main' Firewall
Accept If state of connection is ESTABLISHED
Accept If state of connection is RELATED
* Accept If protocol is ICMP and ICMP type is echo-request
* Accept If protocol is UDP and destination port is 33434:33534
+ Accept If protocol is TCP and destination port is 10000
+ Accept If protocol is UDP and source is 44.0.0.1 and input interface is tunl0 and
source and destination ports are 520
+ Accept If protocol is TCP and destination port is 22
(if you have other services on your Router machine, you would accept their IP's,
source, destinations, etc. here)
+ - enables Webmin, rip44d and SSH respectively; you may further restrict access to
SSH or Webmin by specifying allowed hosts, subnets, etc.
8.) IP Forwarding [the Router's] Firewall
Accept If state of connection is ESTABLISHED
Accept If state of connection is RELATED
* Accept If protocol is ICMP and ICMP type is echo-request
* Accept If protocol is UDP and destination port is 33434:33534
Accept If source is 44.128.0.0/24
Accept If source is 192.168.0.0/24
(if you have services on devices inside your subnet, you would accept their destination
IP's ports, source, destination ports, etc.)
9.) Network Address Translation Firewall (only needed if routing traffic from a private
network [eg 192.168.0.0/24] not carrying 44 Traffic)
Accept If source is 192.168.0.0/24 and destination is 44.128.0.0/24
Masquerade If source is 192.168.0.0/24 and destination is 0.0.0.0/0
Accept If source is 44.128.0.0/24
Accept If destination is 44.128.0.0/24
10.) As you create AX.25 interfaces, etc., ensure you enable those protocols, etc. in the
firewalls.
NOTE: Accepting echo-request and UDP ports 33434-33534 enables Unix- and Windows-based
ping and traceroute from the Internet; you can also place further restrictions on those
rules.
11.) Typing the command
# ip route list table 44
default via 169.228.66.251 dev tunl0 onlink
<between here should be many lines of 44.x.x.x direct IPIP Encapsulated routes that are
populated by rip44d from 44.0.0.1 over the tunnel (e.g. '44.x.x.x/x via x.x.x.x dev
tunl0 onlink window 840')>
169.228.66.251 dev eth0 scope link
192.168.0.0/24 dev eth0 scope link
~73,
KB3VWG
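Steps 7 through 9 above are given as Webmin GUI entries. The script below is an added example, not part of KB3VWG's post or of rip44d, that expresses the same policy as an iptables-restore ruleset generated by a POSIX shell script, so the rules can be reviewed as text and loaded atomically without Webmin. The interface names (eth0, tunl0), subnets (44.128.0.0/24, 192.168.0.0/24) and the RIP source 44.0.0.1 are the post's example values; the DROP default policies for INPUT and FORWARD, the loopback and INVALID-state rules, and the MGMT_NET restriction on SSH (22) and Webmin (10000) are assumptions added here, following the post's own suggestion to limit those two services to allowed hosts or subnets.

```shell
#!/bin/sh
# Added example (not from KB3VWG's post): steps 7-9 of the post as an
# iptables-restore ruleset. Interface names, subnets and the RIP source
# address are the post's example values; each can be overridden through the
# environment. Run with "apply" to load the set, otherwise it is printed.
set -u

WAN_IF=${WAN_IF:-eth0}                 # NIC facing the ISP gateway (step 3)
TUN_IF=${TUN_IF:-tunl0}                # IPIP tunnel carrying 44/8 traffic (step 4)
AMPR_NET=${AMPR_NET:-44.128.0.0/24}    # the router's 44 subnet (step 4)
PRIV_NET=${PRIV_NET:-192.168.0.0/24}   # private LAN using the ISP default route
MGMT_NET=${MGMT_NET:-192.168.0.0/24}   # assumption: only these hosts may reach SSH/Webmin
RIP_SRC=${RIP_SRC:-44.0.0.1}           # AMPRGW address rip44d receives RIPv2 from (step 7)

# Emit the complete ruleset. Default policies are DROP for INPUT and FORWARD
# (an assumption: the post lists only the accepted traffic), so anything not
# matched below is dropped.
gen_ampr_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- step 7: traffic addressed to the router itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p udp --dport 33434:33534 -j ACCEPT
# rip44d: RIPv2 announcements from the AMPR gateway, udp/520 to udp/520, tunnel only
-A INPUT -i $TUN_IF -s $RIP_SRC -p udp --sport 520 --dport 520 -j ACCEPT
# SSH and Webmin, limited to the management subnet instead of open to the Internet
-A INPUT -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -s $MGMT_NET -p tcp --dport 10000 -j ACCEPT
# --- step 8: traffic forwarded for the 44 subnet and the private LAN ---
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -p udp --dport 33434:33534 -j ACCEPT
-A FORWARD -s $AMPR_NET -j ACCEPT
-A FORWARD -s $PRIV_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# --- step 9: NAT only for the private LAN; 44 traffic is never translated ---
-A POSTROUTING -s $PRIV_NET -d $AMPR_NET -j ACCEPT
-A POSTROUTING -s $AMPR_NET -j ACCEPT
-A POSTROUTING -d $AMPR_NET -j ACCEPT
-A POSTROUTING -s $PRIV_NET -j MASQUERADE
COMMIT
EOF
}

# Count generated rule lines containing a fixed string; handy for checking
# the set before loading it (for example, exactly one MASQUERADE rule).
count_rules() {
  gen_ampr_rules | grep -c -F -- "$1"
}

if [ "${1:-}" = "apply" ]; then
  # iptables-restore loads the whole set atomically: a bad line rejects
  # everything, so a typo cannot leave the router half-filtered.
  gen_ampr_rules | iptables-restore
else
  gen_ampr_rules
fi
```

Save the printed output to a file (for example /etc/iptables.rules) and add `iptables-restore < /etc/iptables.rules` to the startampr script before rip44d is started, so the filter is in place before the tunnel routes arrive. Because eth0 carries the masqueraded private LAN and tunl0 carries 44/8, the rip44d rule is bound to tunl0 and the source 44.0.0.1, which keeps a spoofed RIP packet arriving on eth0 from being accepted.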
With all due respect, I would not recommend Webmin. There are way too many
vulnerabilities associated with the application. Maybe if you contained it
in a management VLAN? I removed it from the servers here long ago.
Some Linux OSes have removed it completely from their available packages.
The Intel Atom D525 is running well with no errors so far. Just wanted to
share the .config for others to consider.
Best Regards, JohnF