5 Aug
2013
5 Aug
'13
5:09 a.m.
Hi all,
Is anyone using a DD-WRT router (I use a TL-WR1043ND with DD-WRT) for
his/her AMPRnet GATEWAY 44.154.0.1?
I have the following problem here. I have included support in my
DD-WRT Router's IPTABLES for IPIP (IP Protocol 4) with the command
"iptables -t nat -A PREROUTING -p 4 -j DNAT --to 192.168.250.66" in
it's Firewall, but this does not seem to work.
I wonder if I need to also port forward UDP port 520 to the same IP,
but I don't think so because I think rip44d uses UDP port 520 for
outgoing packets only.
When I put my GATEWAY's ethernet IP (192.168.250.66) in DMZ then
rip44d works fine, but then my AMPRnet GATEWAY is really exposed and I
need to write an extensive IPTABLES SCRIPT.
Is there a way for rip44d to work behind NAT?
Is my "iptables -t nat -A PREROUTING -p 4 -j DNAT --to 192.168.250.66"
command enough for my DD-WRT or am I wrong?
Could anyone help please?
73 de Demetre SV1UY
IP coordinator for AMPRnet in Greece
e-mail demetre.sv1uy(a)gmail.com
5 Aug
5 Aug
5:21 a.m.
Hello Demetre,
First, you need to open port 520.
Then try to put your local machine into DMZ zone,
as it HAS TO BE SEEN by amprgw server...
I did it, and it worked for me.
Best regards.
Tom - sp2lob
5:29 a.m.
Hi Tom,
Thanks for quick reply. I have opened UDP port 520 in NAT to point to
my GATEWAY's ethernet port, but is this necessary when I have already
put my GATEWAY's ethernet port IP to DMZ?
Also do I need to open port 520 UDP, TCP or both?
Any ideas please?
73 de SV1UY
On Mon, Aug 5, 2013 at 12:21 PM, <sp2lob(a)tlen.pl> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Hello Demetre,
First, you need to open port 520.
Then try to put your local machine into DMZ zone,
as it HAS TO BE SEEN by amprgw server...
I did it, and it worked for me.
Best regards.
Tom - sp2lob
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
http://www.ampr.org/donate.html
--
73 de SV1UY
Demetre Ch. Valaris
IP Coordinator for AMPRnet in Greece
e-mail: demetre.sv1uy(a)gmail.com
Radio e-mail: sv1uy(a)winlink.org
(to use my radio e-mail put //WL2K in the beginning of the subject line)
http://www.qsl.net/sv1uy
5:34 a.m.
Demetre,
Yes, Raspberry PI is in DMZ zone.
In addition, port 520 is opened as well,
both TCP/UDP - just in case, Hi!
Best regards.
Tom - sp2lob
5:42 a.m.
And what about firewalling your Rpi. When it is on DMZ it is exposed!
73 SV1UY
On Mon, Aug 5, 2013 at 12:34 PM, <sp2lob(a)tlen.pl> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Demetre,
Yes, Raspberry PI is in DMZ zone.
In addition, port 520 is opened as well,
both TCP/UDP - just in case, Hi!
Best regards.
Tom - sp2lob
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
http://www.ampr.org/donate.html
--
73 de SV1UY
Demetre Ch. Valaris
IP Coordinator for AMPRnet in Greece
e-mail: demetre.sv1uy(a)gmail.com
Radio e-mail: sv1uy(a)winlink.org
(to use my radio e-mail put //WL2K in the beginning of the subject line)
http://www.qsl.net/sv1uy
5:48 a.m.
Demetre,
Well, you're right...
I have ONLY couple of necessary ports opened in TL-MR3420.
Therefore I decided not to use any firewalling.
No troubles so far...
Just in case, I have full backup of Raspi system.
Best regards.
Tom - sp2lob
11:40 a.m.
Unless you are forwarding the decapsulated packets from your DD-WRT
towards a host inside the NATted LAN, you don't need to bother about
ports. Packets from the AMPRnet Mesh use IPIP protocol(protocol number
94), so the Layer 4 is not necessarily visible to DD-WRT as these
packets fill contain 2x Layer 3.
You will need to forward IPIP protocol packets from the DD-WRT to your
internal AMPRnet gateway.
On your AMPRnet gatway (not DD-WRT) you will eventually need to allow
packets towards port 520/udp in your iptables if you are using
iptables on your internal gateway.
Please also don't confuse opening a port and opening a port (yes! your
wording is weak... H-I)
You should make a difference between allowing a packet to be forwarded
(iptables table FORWARD) by a router and a packet to be received
(iptables table INPUT) by a host.
In case you are combining DNAT and FORWARDing on 1 machine (you
usually do), you may eventually need to apply
iptables -t NAT -A PREROUTING -p 94 -j DNAT --to 192.0.2.1
iptables -A FORWARD -p 94 -d 192.0.2.1 -j ACCEPT
in case you are not allowing packets to be forwarded by default or
have configured a rule to disallow unknown traffic.
On the AMPRnet Gateway (not your DD-WRT) you will eventually need to
allow IPIP inbound packets on eth0 and allow packets towards port
520/udp.
iptables -A INPUT -i eth0 -p 94 -j ACCEPT
iptables -A INPUT -i tunl9 -p udp --port 520 -j ACCEPT
YMMV depending on the linux flavor/blend.
73 de Marc, LX1DUC
Quoting sp2lob(a)tlen.pl:
(Please trim inclusions from previous messages)
_______________________________________________
Hello Demetre,
First, you need to open port 520.
Then try to put your local machine into DMZ zone,
as it HAS TO BE SEEN by amprgw server...
I did it, and it worked for me.
Best regards.
Tom - sp2lob
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
http://www.ampr.org/donate.html
12:11 p.m.
Hi Marcus,
Thanks for reply. I will follow your instructions when I return home tonight.
Please let me know, is the DMZ thing necessary if I follow your instructions?
I hope I don't have to use DMZ because it is a bit dodgy today! hi hi hi!!
73 de SV1UY
On Mon, Aug 5, 2013 at 6:40 PM, Marc, LX1DUC <lx1duc(a)rlx.lu> wrote:
Unless you are forwarding the decapsulated packets
from your DD-WRT towards
a host inside the NATted LAN, you don't need to bother about ports. Packets
from the AMPRnet Mesh use IPIP protocol(protocol number 94), so the Layer 4
is not necessarily visible to DD-WRT as these packets fill contain 2x Layer
3.
You will need to forward IPIP protocol packets from the DD-WRT to your
internal AMPRnet gateway.
On your AMPRnet gatway (not DD-WRT) you will eventually need to allow
packets towards port 520/udp in your iptables if you are using iptables on
your internal gateway.
Please also don't confuse opening a port and opening a port (yes! your
wording is weak... H-I)
You should make a difference between allowing a packet to be forwarded
(iptables table FORWARD) by a router and a packet to be received (iptables
table INPUT) by a host.
In case you are combining DNAT and FORWARDing on 1 machine (you usually do),
you may eventually need to apply
iptables -t NAT -A PREROUTING -p 94 -j DNAT --to 192.0.2.1
iptables -A FORWARD -p 94 -d 192.0.2.1 -j ACCEPT
in case you are not allowing packets to be forwarded by default or have
configured a rule to disallow unknown traffic.
On the AMPRnet Gateway (not your DD-WRT) you will eventually need to allow
IPIP inbound packets on eth0 and allow packets towards port 520/udp.
iptables -A INPUT -i eth0 -p 94 -j ACCEPT
iptables -A INPUT -i tunl9 -p udp --port 520 -j ACCEPT
YMMV depending on the linux flavor/blend.
73 de Marc, LX1DUC
--
73 de SV1UY
Demetre Ch. Valaris
IP Coordinator for AMPRnet in Greece
e-mail: demetre.sv1uy(a)gmail.com
Radio e-mail: sv1uy(a)winlink.org
(to use my radio e-mail put //WL2K in the beginning of the subject line)
http://www.qsl.net/sv1uy
12:17 p.m.
I run my Linux/jnos box in DMZ since day one..
Jerry Kutche
Electrical Supervisor
Lehigh Cement Company LLC
180 N. Meridian Road
Mitchell, IN 47446
Phone: (812) 849-2191 ext. 251
Fax: (812) 849-5007
Cell: (812) 583-0445
jkutche(a)lehighcement.com
www.lehighcement.com
This e-mail may contain confidential and/or legally privileged information. If you are
not the intended recipient (or have received this e-mail in error) please notify the
sender immediately and delete this e-mail. Any unauthorized copying, disclosure or
distribution of the material in this e-mail is strictly forbidden.
-----Original Message-----
From: 44net-bounces+jkutche=lehighcement.com(a)hamradio.ucsd.edu
[mailto:44net-bounces+jkutche=lehighcement.com@hamradio.ucsd.edu] On Behalf Of Demetre
SV1UY
Sent: Monday, August 05, 2013 12:12 PM
To: AMPRNet working group
Subject: Re: [44net] IP Protocol 4 in DD-WRT and rip44d script
(Please trim inclusions from previous messages)
_______________________________________________
Hi Marcus,
Thanks for reply. I will follow your instructions when I return home tonight.
Please let me know, is the DMZ thing necessary if I follow your instructions?
I hope I don't have to use DMZ because it is a bit dodgy today! hi hi hi!!
73 de SV1UY
On Mon, Aug 5, 2013 at 6:40 PM, Marc, LX1DUC <lx1duc(a)rlx.lu> wrote:
Unless you are forwarding the decapsulated packets
from your DD-WRT
towards a host inside the NATted LAN, you don't need to bother about
ports. Packets from the AMPRnet Mesh use IPIP protocol(protocol number
94), so the Layer 4 is not necessarily visible to DD-WRT as these
packets fill contain 2x Layer 3.
You will need to forward IPIP protocol packets from the DD-WRT to your
internal AMPRnet gateway.
On your AMPRnet gatway (not DD-WRT) you will eventually need to allow
packets towards port 520/udp in your iptables if you are using
iptables on your internal gateway.
Please also don't confuse opening a port and opening a port (yes! your
wording is weak... H-I)
You should make a difference between allowing a packet to be forwarded
(iptables table FORWARD) by a router and a packet to be received
(iptables table INPUT) by a host.
In case you are combining DNAT and FORWARDing on 1 machine (you
usually do), you may eventually need to apply
iptables -t NAT -A PREROUTING -p 94 -j DNAT --to 192.0.2.1 iptables -A
FORWARD -p 94 -d 192.0.2.1 -j ACCEPT
in case you are not allowing packets to be forwarded by default or
have configured a rule to disallow unknown traffic.
On the AMPRnet Gateway (not your DD-WRT) you will eventually need to
allow IPIP inbound packets on eth0 and allow packets towards port 520/udp.
iptables -A INPUT -i eth0 -p 94 -j ACCEPT iptables -A INPUT -i tunl9
-p udp --port 520 -j ACCEPT
YMMV depending on the linux flavor/blend.
73 de Marc, LX1DUC
--
73 de SV1UY
Demetre Ch. Valaris
IP Coordinator for AMPRnet in Greece
e-mail: demetre.sv1uy(a)gmail.com
Radio e-mail: sv1uy(a)winlink.org
(to use my radio e-mail put //WL2K in the beginning of the subject line)
https://urldefense.proofpoint.com/v1/url?u=http://www.qsl.net/sv1uy&k=%…
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
https://urldefense.proofpoint.com/v1/url?u=http://hamradio.ucsd.edu/mailman…
https://urldefense.proofpoint.com/v1/url?u=http://www.ampr.org/donate.html&…
12:53 p.m.
My bad, shouldn't have used `grep ipip /etc/protocols`
Thanks for correcting me Brian.
73 de Marc, LX1DUC
Quoting Brian Kantor <Brian(a)ucsd.edu>du>:
(Please trim inclusions from previous messages)
_______________________________________________
On Mon, Aug 05, 2013 at 03:40:36PM +0000, Marc, LX1DUC wrote:
Packets from the AMPRnet Mesh use IPIP
protocol(protocol
number 94),
Minor correction: the IP-IP we use is protocol 4
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
http://www.ampr.org/donate.html 
13 Aug
13 Aug
11:02 p.m.
Minor correction: the IP-IP we use is protocol 4 -
Brian
Hey Brian,
Just to confirm, if protocol 4 is the only one in use, then the output
of N1URO's script needs to be updated a bit?
http://n1uro.ampr.org/cgi-bin/safe-config.cgi
--
# allow IPIP encapsulation to gate through...
iptables -I INPUT 1 -j ACCEPT --proto 4
iptables -I INPUT 1 -j ACCEPT --proto 94
iptables -I OUTPUT 1 -j ACCEPT --proto 4
iptables -I OUTPUT 1 -j ACCEPT --proto 94
iptables -I FORWARD 1 -j ACCEPT --proto 4
iptables -I FORWARD 1 -j ACCEPT --proto 94
# Create a policy to encap forward to your host...
ip rule add from 44/8 pref 1 table 1
# Now let's set the routing accordingly...
ip route add 44/8 via 69.12.138.16 dev tunl0 onlink src 44.4.10.40
ip route add default via 69.12.138.16 dev tunl0 onlink table 1
--
11:23 p.m.
On Tue, Aug 13, 2013 at 08:02:46PM -0700, David Ranch wrote:
Just to confirm, if protocol 4 is the only one in use,
then the
output of N1URO's script needs to be updated a bit?
Yes, that is correct, there is no need for iptables to pass proto 94.
Proto 94 is deprecated and no one should be using it for anything.
I don't think there's any harm in letting it through but strictly
speaking we probably shouldn't.
- Brian
17 Aug
17 Aug
11:46 a.m.
Aha!!
That's what I needed to get this going via my pFsense box. Protocol was
IPENCAP and not IPIP. Shouldda thought of that.
Thanks!
On Tue, Aug 13, 2013 at 11:23 PM, Brian Kantor <Brian(a)ucsd.edu> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On Tue, Aug 13, 2013 at 08:02:46PM -0700, David Ranch wrote:
Just to confirm, if protocol 4 is the only one in
use, then the
output of N1URO's script needs to be updated a bit?
Yes, that is correct, there is no need for iptables to pass proto 94.
Proto 94 is deprecated and no one should be using it for anything.
I don't think there's any harm in letting it through but strictly
speaking we probably shouldn't.
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
http://www.ampr.org/donate.html
16 Aug
16 Aug
10:41 p.m.
On Tue, 2013-08-13 at 20:02 -0700, David Ranch wrote:
Just to confirm, if protocol 4 is the only one in use,
then the output
of N1URO's script needs to be updated a bit?
http://n1uro.ampr.org/cgi-bin/safe-config.cgi
--
# allow IPIP encapsulation to gate through...
iptables -I INPUT 1 -j ACCEPT --proto 4
iptables -I INPUT 1 -j ACCEPT --proto 94
iptables -I OUTPUT 1 -j ACCEPT --proto 4
iptables -I OUTPUT 1 -j ACCEPT --proto 94
iptables -I FORWARD 1 -j ACCEPT --proto 4
iptables -I FORWARD 1 -j ACCEPT --proto 94
# Create a policy to encap forward to your host...
ip rule add from 44/8 pref 1 table 1
# Now let's set the routing accordingly...
ip route add 44/8 via 69.12.138.16 dev tunl0 onlink src 44.4.10.40
ip route add default via 69.12.138.16 dev tunl0 onlink table 1
Protocol 4 is included, so what's the problem with it? Considering it's
a suggestion ONLY output which allows one to copy and paste with a
mouse, and it does not control a remote mouse. What the system
administrator picks and chooses from it is their responsibility.
--
73 de Brian Rogers - N1URO
email: <n1uro(a)n1uro.ampr.org>
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Massachusetts, New Hampshire,
Pennsylvania, Rhode Island,
and Vermont.
17 Aug
17 Aug
10:45 a.m.
Hello Brian,
I had only asked for clarification as there is so much legacy
information out there. When I first got started with the AMPR stuff,
the protocol number for encapsulation really confused me. The answers
took me way back in to the history of Cisco IOS, etc. but I digress. I
think your web tool is very helpful but giving out old details (the
proto 94 lines) only confuses a new user.
--David
(Please trim inclusions from previous messages)
_______________________________________________
On Tue, 2013-08-13 at 20:02 -0700, David Ranch wrote:
Just to confirm, if protocol 4 is the only one in
use, then the output
of N1URO's script needs to be updated a bit?
http://n1uro.ampr.org/cgi-bin/safe-config.cgi
--
# allow IPIP encapsulation to gate through...
iptables -I INPUT 1 -j ACCEPT --proto 4
iptables -I INPUT 1 -j ACCEPT --proto 94
iptables -I OUTPUT 1 -j ACCEPT --proto 4
iptables -I OUTPUT 1 -j ACCEPT --proto 94
iptables -I FORWARD 1 -j ACCEPT --proto 4
iptables -I FORWARD 1 -j ACCEPT --proto 94
# Create a policy to encap forward to your host...
ip rule add from 44/8 pref 1 table 1
# Now let's set the routing accordingly...
ip route add 44/8 via 69.12.138.16 dev tunl0 onlink src 44.4.10.40
ip route add default via 69.12.138.16 dev tunl0 onlink table 1
Protocol 4 is
included, so what's the problem with it? Considering it's
a suggestion ONLY output which allows one to copy and paste with a
mouse, and it does not control a remote mouse. What the system
administrator picks and chooses from it is their responsibility.
20 Aug
20 Aug
9:52 a.m.
On Sat, 2013-08-17 at 07:45 -0700, David Ranch spake:
(the proto 94 lines) only confuses a new user.
While there was no true harm done in leaving proto 94 in, I removed it.
As long as proto 4 was included the config for a noob would have been
fine and would work.
--
73 de Brian Rogers - N1URO
email: <n1uro(a)n1uro.ampr.org>
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Massachusetts, New Hampshire,
Pennsylvania, Rhode Island,
and Vermont.
5 Aug
5 Aug
5:28 a.m.
Demetre,
Myself I have TL-MR3420 with original firmware.
My Raspberry PI works just fine set into DMZ zone
with port 520 and all other necessary ports opened.
I do not have (no troubles so far!) any iptables running, Hi.
Best regards.
Tom - sp2lob
5:31 a.m.
Do you use rip44d Tom?
73 de SV1UY
On Mon, Aug 5, 2013 at 12:28 PM, <sp2lob(a)tlen.pl> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Demetre,
Myself I have TL-MR3420 with original firmware.
My Raspberry PI works just fine set into DMZ zone
with port 520 and all other necessary ports opened.
I do not have (no troubles so far!) any iptables running, Hi.
Best regards.
Tom - sp2lob
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
http://www.ampr.org/donate.html
--
73 de SV1UY
Demetre Ch. Valaris
IP Coordinator for AMPRnet in Greece
e-mail: demetre.sv1uy(a)gmail.com
Radio e-mail: sv1uy(a)winlink.org
(to use my radio e-mail put //WL2K in the beginning of the subject line)
http://www.qsl.net/sv1uy
5:38 a.m.
Demetre,
Yes, I used rip44d for couple of weeks - works PERFECTLY!
Recently I switched to ampr-ripd by YO2LOJ, wchich is also
very good piece of software and works simlpy - VERY NICE!
If I'm not mistaken, only 520/ UDP is needed.
Best regards.
Tom - sp2lob
5:47 a.m.
OK Tom and group,
What I really would like to do is:
Find out if DMZ is really necessary or if portforwading can also work
in a DD-WRT router, provided I open IP Protocol 4 in the router.
Really I do not like to use DMZ (OK my GATEWAY works with DMZ alone
here) but then I need to write an extensive iptables script in my
LINUX BOX in order to secure it?
Has anyone written such an IPTABLES SCRIPT for their LINUX AMPRnet
GATEWAY? If yes would you care to share it please?
--
73 de SV1UY
Demetre Ch. Valaris
IP Coordinator for AMPRnet in Greece
e-mail: demetre.sv1uy(a)gmail.com
Radio e-mail: sv1uy(a)winlink.org
(to use my radio e-mail put //WL2K in the beginning of the subject line)
http://www.qsl.net/sv1uy
5:58 a.m.
Demetre,
Somewhere I have such a script, will look for it.
The only thing I did, I changed content of the file robots.txt
in my apache2 server to look like:
#
User-agent: *
Disallow: /
#
(Just to get rid og Googlebot robots...)
But if you do not have www server, you do not need this.
Best regards.
Tom - sp2lob
4111
days inactive
4126
days old
21 comments
8 participants
participants (8)
-
Brian Kantor -
Brian Rogers -
David Ranch -
Demetre SV1UY -
Kutche, Jerry (Mitchell) USA -
Marc, LX1DUC -
Mark Phillips -
sp2lob@tlen.pl