Hi all,
Is anyone using a DD-WRT router (I use a TL-WR1043ND with DD-WRT) for his/her AMPRnet GATEWAY 44.154.0.1?
I have the following problem here. I have included support in my DD-WRT router's IPTABLES for IPIP (IP Protocol 4) with the command "iptables -t nat -A PREROUTING -p 4 -j DNAT --to 192.168.250.66" in its firewall, but this does not seem to work. I wonder if I need to also port forward UDP port 520 to the same IP, but I don't think so because I think rip44d uses UDP port 520 for outgoing packets only.
When I put my GATEWAY's ethernet IP (192.168.250.66) in DMZ then rip44d works fine, but then my AMPRnet GATEWAY is really exposed and I need to write an extensive IPTABLES SCRIPT.
Is there a way for rip44d to work behind NAT?
Is my "iptables -t nat -A PREROUTING -p 4 -j DNAT --to 192.168.250.66" command enough for my DD-WRT or am I wrong?
Could anyone help please?
73 de Demetre SV1UY IP coordinator for AMPRnet in Greece e-mail demetre.sv1uy@gmail.com
Hello Demetre,
First, you need to open port 520. Then try to put your local machine into DMZ zone, as it HAS TO BE SEEN by amprgw server...
I did it, and it worked for me.
Best regards. Tom - sp2lob
Hi Tom,
Thanks for quick reply. I have opened UDP port 520 in NAT to point to my GATEWAY's ethernet port, but is this necessary when I have already put my GATEWAY's ethernet port IP to DMZ?
Also do I need to open port 520 UDP, TCP or both?
Any ideas please?
73 de SV1UY
On Mon, Aug 5, 2013 at 12:21 PM, sp2lob@tlen.pl wrote:
Demetre,
Yes, Raspberry PI is in DMZ zone. In addition, port 520 is opened as well, both TCP/UDP - just in case, Hi!
Best regards. Tom - sp2lob
And what about firewalling your Rpi. When it is on DMZ it is exposed!
73 SV1UY
On Mon, Aug 5, 2013 at 12:34 PM, sp2lob@tlen.pl wrote:
Demetre,
Well, you're right... I have ONLY couple of necessary ports opened in TL-MR3420. Therefore I decided not to use any firewalling. No troubles so far... Just in case, I have full backup of Raspi system.
Best regards. Tom - sp2lob
Unless you are forwarding the decapsulated packets from your DD-WRT towards a host inside the NATted LAN, you don't need to bother about ports. Packets from the AMPRnet Mesh use the IPIP protocol (protocol number 94), so the Layer 4 is not necessarily visible to DD-WRT as these packets will contain 2x Layer 3.
You will need to forward IPIP protocol packets from the DD-WRT to your internal AMPRnet gateway.
On your AMPRnet gateway (not DD-WRT) you will eventually need to allow packets towards port 520/udp in your iptables if you are using iptables on your internal gateway.
Please also don't confuse opening a port and opening a port (yes! your wording is weak... H-I)
You should make a difference between allowing a packet to be forwarded (iptables table FORWARD) by a router and a packet to be received (iptables table INPUT) by a host.
In case you are combining DNAT and FORWARDing on 1 machine (you usually do), you may eventually need to apply
iptables -t nat -A PREROUTING -p 94 -j DNAT --to 192.0.2.1
iptables -A FORWARD -p 94 -d 192.0.2.1 -j ACCEPT
in case you are not allowing packets to be forwarded by default or have configured a rule to disallow unknown traffic.
On the AMPRnet Gateway (not your DD-WRT) you will eventually need to allow IPIP inbound packets on eth0 and allow packets towards port 520/udp.
iptables -A INPUT -i eth0 -p 94 -j ACCEPT
iptables -A INPUT -i tunl9 -p udp --dport 520 -j ACCEPT
YMMV depending on the linux flavor/blend.
73 de Marc, LX1DUC
Quoting sp2lob@tlen.pl:
Hi Marcus,
Thanks for reply. I will follow your instructions when I return home tonight. Please let me know, is the DMZ thing necessary if I follow your instructions? I hope I don't have to use DMZ because it is a bit dodgy today! hi hi hi!!
73 de SV1UY
On Mon, Aug 5, 2013 at 6:40 PM, Marc, LX1DUC lx1duc@rlx.lu wrote:
I run my Linux/jnos box in DMZ since day one..
Jerry Kutche Electrical Supervisor
-----Original Message----- From: Demetre SV1UY Sent: Monday, August 05, 2013 12:12 PM To: AMPRNet working group Subject: Re: [44net] IP Protocol 4 in DD-WRT and rip44d script
My bad, shouldn't have used `grep ipip /etc/protocols`
Thanks for correcting me Brian.
73 de Marc, LX1DUC
Quoting Brian Kantor Brian@ucsd.edu:
On Mon, Aug 05, 2013 at 03:40:36PM +0000, Marc, LX1DUC wrote:
Packets from the AMPRnet Mesh use IPIP protocol(protocol number 94),
Minor correction: the IP-IP we use is protocol 4
- Brian
Minor correction: the IP-IP we use is protocol 4 - Brian
Hey Brian,
Just to confirm, if protocol 4 is the only one in use, then the output of N1URO's script needs to be updated a bit?
http://n1uro.ampr.org/cgi-bin/safe-config.cgi
--
# allow IPIP encapsulation to gate through...
iptables -I INPUT 1 -j ACCEPT --proto 4
iptables -I INPUT 1 -j ACCEPT --proto 94
iptables -I OUTPUT 1 -j ACCEPT --proto 4
iptables -I OUTPUT 1 -j ACCEPT --proto 94
iptables -I FORWARD 1 -j ACCEPT --proto 4
iptables -I FORWARD 1 -j ACCEPT --proto 94
# Create a policy to encap forward to your host...
ip rule add from 44/8 pref 1 table 1
# Now let's set the routing accordingly...
ip route add 44/8 via 69.12.138.16 dev tunl0 onlink src 44.4.10.40
ip route add default via 69.12.138.16 dev tunl0 onlink table 1
--
On Tue, Aug 13, 2013 at 08:02:46PM -0700, David Ranch wrote:
Just to confirm, if protocol 4 is the only one in use, then the output of N1URO's script needs to be updated a bit?
Yes, that is correct, there is no need for iptables to pass proto 94. Proto 94 is deprecated and no one should be using it for anything. I don't think there's any harm in letting it through but strictly speaking we probably shouldn't. - Brian
Aha!!
That's what I needed to get this going via my pfSense box. Protocol was IPENCAP and not IPIP. Shoulda thought of that.
Thanks!
On Tue, Aug 13, 2013 at 11:23 PM, Brian Kantor Brian@ucsd.edu wrote:
On Tue, 2013-08-13 at 20:02 -0700, David Ranch wrote:
Just to confirm, if protocol 4 is the only one in use, then the output of N1URO's script needs to be updated a bit?
http://n1uro.ampr.org/cgi-bin/safe-config.cgi
Protocol 4 is included, so what's the problem with it? Considering it's a suggestion ONLY output which allows one to copy and paste with a mouse, and it does not control a remote mouse. What the system administrator picks and chooses from it is their responsibility.
Hello Brian,
I had only asked for clarification as there is so much legacy information out there. When I first got started with the AMPR stuff, the protocol number for encapsulation really confused me. The answers took me way back in to the history of Cisco IOS, etc. but I digress. I think your web tool is very helpful but giving out old details (the proto 94 lines) only confuses a new user.
--David
On Sat, 2013-08-17 at 07:45 -0700, David Ranch spake:
(the proto 94 lines) only confuses a new user.
While there was no true harm done in leaving proto 94 in, I removed it. As long as proto 4 was included the config for a noob would have been fine and would work.
Demetre,
Myself I have TL-MR3420 with original firmware. My Raspberry PI works just fine set into DMZ zone with port 520 and all other necessary ports opened. I do not have (no troubles so far!) any iptables running, Hi.
Best regards. Tom - sp2lob
Do you use rip44d Tom?
73 de SV1UY
On Mon, Aug 5, 2013 at 12:28 PM, sp2lob@tlen.pl wrote:
Demetre,
Yes, I used rip44d for a couple of weeks - works PERFECTLY! Recently I switched to ampr-ripd by YO2LOJ, which is also a very good piece of software and works simply - VERY NICE!
If I'm not mistaken, only 520/UDP is needed.
Best regards. Tom - sp2lob
OK Tom and group,
What I really would like to do is:
Find out if DMZ is really necessary or if port forwarding can also work in a DD-WRT router, provided I open IP Protocol 4 in the router.
Really I do not like to use DMZ (OK my GATEWAY works with DMZ alone here) but then I need to write an extensive iptables script in my LINUX BOX in order to secure it?
Has anyone written such an IPTABLES SCRIPT for their LINUX AMPRnet GATEWAY? If yes would you care to share it please?
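An added example of the kind of gateway ruleset asked about here; it is not a script from the list or from any poster. It forwards only IP protocol 4 (ipencap), as Brian corrects later in the thread, and opens 520/udp only on the tunnel device. The interface names, the LAN prefix and the SSH port are assumptions; set IPT=echo to review the rules without installing them.

```shell
#!/bin/sh
# Added example: iptables INPUT policy for a Linux AMPRnet gateway that sits
# behind a NAT router which DNATs IP protocol 4 to this host (no DMZ needed).
# Protocol 4 is "ipencap" in /etc/protocols; 94 ("ipip") is deprecated.
IPT="${IPT:-iptables}"                   # IPT=echo prints rules instead of installing
WAN_IF="${WAN_IF:-eth0}"                 # assumed: NIC that receives the forwarded IPIP
TUN_IF="${TUN_IF:-tunl0}"                # assumed: kernel IPIP device after decapsulation
LAN_NET="${LAN_NET:-192.168.250.0/24}"   # assumed: the NATted LAN allowed to manage the box
SSH_PORT="${SSH_PORT:-22}"               # assumed management port

gateway_firewall() {
    # Start from a clean INPUT chain with a default-deny policy.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Encapsulated AMPRnet packets: the outer header carries IP protocol 4.
    # Only the DNAT target (this host) ever sees them, so accept them on the NIC.
    "$IPT" -A INPUT -i "$WAN_IF" -p 4 -j ACCEPT
    # RIP announcements on 520/udp exist only inside the encapsulated packet,
    # so they are matched on the tunnel device, never on eth0.
    "$IPT" -A INPUT -i "$TUN_IF" -p udp --dport 520 -j ACCEPT
    # Management access restricted to the local LAN.
    "$IPT" -A INPUT -i "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# Dry run: emit the rules in a subshell so IPT=echo does not leak out.
dry_run_rules() { (IPT=echo; gateway_firewall); }

# Count emitted rules matching a pattern; prints 0 instead of a grep error.
count_rules() { dry_run_rules | grep -c -- "$1" || true; }

# Install the rules only when explicitly asked (run as root): ./gw-fw.sh apply
if [ "${1:-}" = apply ]; then gateway_firewall; fi
```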
Demetre,
Somewhere I have such a script, will look for it. The only thing I did, I changed content of the file robots.txt in my apache2 server to look like:
#
User-agent: *
Disallow: /
#
(Just to get rid of Googlebot robots...)
But if you do not have www server, you do not need this.
Best regards. Tom - sp2lob