After fighting with my system off and on for months I'm finally on AMPRNET, but I'm not sure if I'm on the mesh yet. I can get to Google and, it looks like, anywhere on the Internet, and can get to my Cox email using the Thunderbird email client from my workstation.
I think I had problems in the past because I had a pre-existing strong iptables firewall and I tried to adapt the Linux configuration on the wiki to the existing strong firewall. Yesterday I decided to start from scratch and build using the Linux gateway instructions on the wiki. I had it working, but it seems it failed after I restarted the gateway: I had no connectivity from my gateway to any of my local systems after the reboot. Today I rebuilt from scratch again and it seems to be working, except that I can't get to anything in the 44/8 network except my own IP block.
I've installed the latest ampr_ripd available as of today but need to know how to tell if it's adding routes into the routing table.
My current setup is a Linux router, three Raspberry Pi and a Linux Desktop that serves as my workstation (Yesterday it was a headless Raspberry Pi).
Tests I've done:
1. A query on Google for "What's my IP address". I got back 44.98.63.3 (my workstation), proving I'm going through the AMPR gateway. When I attempt to connect to some of the services linked from the wiki such as http://n1uro.ampr.org/do.shtml and http://whatismyip.ampr.org I don't get responses back. So my first question is: how do I test to see if I have mesh routing up to the rest of the 44Net?
2. I need to learn how to set up iptables to only accept ipencap packets from AMPR gateways. I suspect it requires using ipset which I've used in the past for dropping traffic from systems trying to crack into my router which leads me to my second question. Is there anyone out there willing to show sample code how to allow ipencap traffic only from AMPR gateways?
3. Last night before I restarted and lost ability to use my workstation (remotely, I have not figured out why it failed yet) I was able to log on to my VPS at Linode from my ISP provided space and then SSH into my workstation on my 44/8 address through the tunnel... At the time the workstation was the headless Raspberry Pi, this worked perfectly. I also notice my google traffic uses HTTPS and my email client is using port 465 and 993... all of these are encrypted. My third question: I know they aren't allowed over the air, so how do we account for/deal with software that insists on using encrypted protocols? Is SSH allowed for remotely maintaining our nodes?
4. A couple of weeks ago, I ordered and received the parts to build a Stratum 1 time server that I intend to make publicly available to the 44Net as a service to the 44Net community. Once I get it online and the security in place to prevent nefarious activity, how do I announce it?
I intend to have a web server, a time server, a DNS server and an NNTP server online as well as a local packet node and a tunnel to the AREDN and possibly a link to the HAMWAN out of Tampa if they'll allow me to link to them. I'm open to suggestions on proper operating procedure.
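Tom's second question asks how to accept ipencap only from AMPR gateways. Here is an added example, not from this thread or the AMPR wiki, that parses encap-format route lines into an ipset and emits the matching iptables rules; it assumes the `route addprivate 44.x.x.x/NN encap A.B.C.D` line format and uses constructed (non-real) gateway addresses.

```shell
#!/bin/sh
# Added example, not from the thread or the AMPR wiki: build an ipset of AMPR
# gateway endpoints from encap-format route lines and emit iptables rules that
# accept IP-in-IP (IP protocol 4, "ipencap" in /etc/protocols) only from them.
# Assumption: the route list (e.g. the encap.txt that ampr-ripd consumes) has
# lines of the form "route addprivate 44.x.x.x/NN encap A.B.C.D"; only the
# token after "encap" is used. Addresses below are constructed sample data.
set -eu

# Constructed sample of encap-format lines (NOT real AMPR gateways).
SAMPLE_ENCAP='route addprivate 44.1.2.0/24 encap 192.0.2.10
route addprivate 44.3.0.0/16 encap 198.51.100.7
route addprivate 44.1.2.0/24 encap 192.0.2.10
# a comment line that must be ignored
route addprivate 44.9.9.0/24 encap 203.0.113.250'

# Print the unique gateway addresses found in encap lines read from stdin.
gateway_list() {
    awk '$1 == "route" { for (i = 1; i < NF; i++) if ($i == "encap") print $(i+1) }' |
        sort -u
}

# Count distinct gateways; a quick sanity check that the list was parsed at all.
gateway_count() { gateway_list | wc -l | tr -d ' '; }

# Emit (do not run) the ipset and iptables commands for the lines on stdin.
# $1 = set name (default amprgw); $2 = optional extra addresses (space separated),
# e.g. the AMPRGW endpoint if your route list does not carry it.
emit_rules() {
    set_name=${1:-amprgw}
    extra=${2:-}
    gw=$(gateway_list)
    echo "ipset create ${set_name} hash:ip -exist"
    echo "ipset create ${set_name}_new hash:ip -exist"
    for g in $gw $extra; do
        echo "ipset add ${set_name}_new $g -exist"
    done
    # swap replaces the live set atomically, so there is no window with an
    # empty set during a refresh; the old contents are then discarded.
    echo "ipset swap ${set_name}_new ${set_name}"
    echo "ipset destroy ${set_name}_new"
    # Accept encapsulated traffic only from set members; drop all other IP-in-IP.
    # Place these ahead of any broader INPUT rules so the DROP is reached.
    echo "iptables -A INPUT -p 4 -m set --match-set ${set_name} src -j ACCEPT"
    echo "iptables -A INPUT -p 4 -j DROP"
}
```

Feed the real route list through `emit_rules`, review the output, and only then pipe it to a root shell; rerun the ipset part whenever ampr-ripd refreshes the list so the set tracks gateway changes.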
Tom, KI4SZJ,
You covered a bunch of inquiries:
1.) I run http://whatismyip.ampr.org - If you're not receiving it, it's highly likely you don't have my route properly loaded, installed and configured for use. The best way to check to see if you have routing up is to look at the route table where you have ampr-ripd placing our routes. Also, try browsing to it from the regular Internet and do a trace to your 44 IP. Here's a command to see if there's a route for me:
example@routerexample:# ip route get 44.60.44.10 from <YOUR ROUTER IP>
Also be sure you DIDN'T assign a remote IP to your tunl0, in that case, you only have a tunnel to the Internet Gateway for AMPR (AMPRGW).
2.) Check the firewall Wiki, there's a lot of goodies there
3.) Are you delivering any portion of your connections over a Part 97 link (not just Wi-Fi)??? If not, your inquiry doesn't really come into play. In addition, a communication (SSH) could be allowed (for example) to control a router further downstream that goes over a radio link. I plan to account by blocking those protocols where they aren't to control a router or access point...although, you may want to see my writings in some HSMM-Mesh discussion on the 'Interents' - as I propose the "meaning" of the packets never become "obscured"...but that's a whole 'nother story... About the reboot - make sure you didn't clear a manual route you entered after rebooting, you have to configure everything to be persistent upon reboot.
4.) I surmise your time comes from CDMA or GPS...I also host NTP, DNS and a HTTP server, welcome aboard! Simply assign IPs from your allocation to these devices. Make sure there's a DNS entry through your regional coordinator.
73,
- Lynwood KB3VWG
Hi,
I just set this up which you might find useful:
https://u4477715.ct.sendgrid.net/wf/click?upn=Ki4chJONuNfM0VomxEE-2BoZH6yGOE...
It hasn't been extensively tested yet so if you can speak to other hosts but not my test server it's probably my end, however it might tell you something that points you in the right direction.
Thanks, Mike, M6XCV
On 8 May 2017 at 01:07, Tom Cardinal ki4szj@gmail.com wrote: