Isn't it easier to use 2 accept rules?
- First, accept IPIP on outer interface - this will allow the tunnel
interface to work (whatever rule you want to apply)
iptables -A INPUT -i eth0 -p ipencap (...) -j ACCEPT
- and next, set a rule only for RIP on the tunnel itself, since they will
come in via the tunnel interface, to accept only RIP from amprgw:
iptables -A INPUT -i tunl0 -p udp -s 44.0.0.1 --sport 520 --dport 520 -j ACCEPT
- and drop all other RIP from anywhere else
iptables -A INPUT -p udp -s 44.0.0.1 --dport 520 -j DROP
Marius, YO2LOJ
On 26/01/2022 03:35, lleachii--- via 44Net wrote:
All,
I thought about some security matters of AMPRNet; and one that could not be mitigated easily
was:
* even if you firewall IPENCAP, how to block others except AMPRGW from sending routes to
port 520/udp
Someone mentioned previously they saw a MAC that was a hash that contained the outer SRC
IP; but after years, I cannot find an OS Kernel that produces it.
I believe I have a solution; it requires some hexadecimal calculations (see:
http://www.stearns.org/doc/iptables-u32.current.html). Using the u32 iptables module for
those who can (and a compatible module on other systems), we merely need to find the
bit/byte positions in the packet:
Outer Header:
* the IP of AMPRGW (0xa9e42254)
* Protocol type IPENCAP (IP Protocol No. 4) (0x04)
Inner Header (add 20 bytes to the offset of the first header):
* SRC IP 44.0.0.1 (0x2c000001)
* Protocol UDP (0x06)
* UDP - port 520 (0x0208)
I believe this should read as an iptables rule like:
iptables <foo> -m u32 --u32 "12&0xFFFFFFFF=0xA9E42254 &&
6&0xFF=0x04 && 32&0xFFFFFFFF=0x2c000001 && 26&0xFF=0x11
&& 40&0xFFFF=0x0208" -j ACCEPT
My question: has anyone already calculated these positions and values or tested before?
I didn't want to have to "reinvent the wheel"...but you can just check my
math now before attempting to implement.
73,
Lynwood
KB3VWG
Member W3PGC/K3ERA - APRS Coordinator / Co-SkyWarn Coordinator
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
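As an added example (not part of the thread, and not code from either poster), the following Python script checks the u32 byte offsets from the message above offline: it builds the wire bytes of an IPIP-encapsulated RIP packet (outer header from amprgw 169.228.34.84, inner UDP 520/520 from 44.0.0.1, a constructed 44-net destination and a constructed outer destination) and evaluates the "offset&mask=value" subset of the u32 syntax exactly the way the kernel does, loading four bytes at the offset so that "6&0xFF" reads the protocol byte at offset 9. The rule string uses the thread's offsets with the inner protocol byte set to 0x11 (UDP; 0x06 is TCP) and the UDP destination port read from offset 40 (packet bytes 42-43). The checksum helper, the packet builder and the sample addresses are this example's own assumptions.

```python
"""Offline check of u32 byte offsets for an IPIP-encapsulated RIP packet.

Constructed example: builds the bytes an amprgw-sourced RIP announcement
would carry on the wire and evaluates a subset of iptables u32 syntax
against them, so the offsets can be verified without touching a firewall.
"""
import re
import socket
import struct

AMPRGW = "169.228.34.84"     # 0xA9E42254, as stated in the thread
INNER_SRC = "44.0.0.1"       # 0x2C000001, as stated in the thread
IPPROTO_IPENCAP = 4          # IP-in-IP
IPPROTO_UDP = 17             # 0x11 (0x06 would be TCP)
OUTER_DST = "203.0.113.10"   # constructed: the gateway's public address
INNER_DST = "44.60.44.1"     # constructed: the gateway's 44-net address

# Thread offsets, with the inner protocol value corrected to UDP and the
# UDP destination port read as the low 16 bits of the word at offset 40.
RIP_FROM_AMPRGW = ("12&0xFFFFFFFF=0xA9E42254 && 6&0xFF=0x04 && "
                   "32&0xFFFFFFFF=0x2C000001 && 26&0xFF=0x11 && 40&0xFFFF=0x0208")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (assumed helper)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (IHL=5, no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_ipip_rip(outer_src, outer_dst, inner_src, inner_dst,
                   sport=520, dport=520, inner_proto=IPPROTO_UDP) -> bytes:
    """Outer IP (proto 4) | inner IP | UDP | minimal RIPv2 response body."""
    rip = b"\x02\x02\x00\x00"                     # RIPv2 response, no entries
    udp = struct.pack("!HHHH", sport, dport, 8 + len(rip), 0) + rip
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(udp)) + udp
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_IPENCAP, len(inner))
    return outer + inner


_TEST = re.compile(r"\s*(\d+)&(0x[0-9A-Fa-f]+)=(0x[0-9A-Fa-f]+)\s*")


def u32_match(expr: str, pkt: bytes) -> bool:
    """Evaluate 'offset&mask=value' tests joined by '&&' (a u32 subset).

    Each test loads the 4 bytes at the 0-based offset as a big-endian
    word, so 'offset&0xFF' compares the byte at offset+3.  A load that
    would run past the end of the packet makes the match fail, as in u32.
    """
    for test in expr.split("&&"):
        m = _TEST.fullmatch(test)
        if not m:
            raise ValueError("unsupported u32 test: %r" % test)
        off, mask, val = int(m[1]), int(m[2], 16), int(m[3], 16)
        if off + 4 > len(pkt):
            return False
        word = struct.unpack_from("!I", pkt, off)[0]
        if (word & mask) != val:
            return False
    return True


def evaluate_cases() -> dict:
    """Return {case name: matched} for a legitimate packet and variants."""
    cases = {
        "legit": build_ipip_rip(AMPRGW, OUTER_DST, INNER_SRC, INNER_DST),
        "outer src not amprgw": build_ipip_rip("198.51.100.7", OUTER_DST, INNER_SRC, INNER_DST),
        "inner src not 44.0.0.1": build_ipip_rip(AMPRGW, OUTER_DST, "44.9.9.9", INNER_DST),
        "inner proto tcp": build_ipip_rip(AMPRGW, OUTER_DST, INNER_SRC, INNER_DST, inner_proto=6),
        "other dport": build_ipip_rip(AMPRGW, OUTER_DST, INNER_SRC, INNER_DST, dport=521),
    }
    return {name: u32_match(RIP_FROM_AMPRGW, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, matched in evaluate_cases().items():
        print("%-24s %s" % (name, "ACCEPT" if matched else "no match"))
```

Only the legitimate packet matches; the variants with a different outer source, a different inner source, TCP inside the tunnel, or another destination port all fail, and `u32_match("26&0xFF=0x06", pkt)` is false for the legitimate packet, which is why the protocol byte has to be 0x11. The fixed offsets assume both IP headers are 20 bytes (no options); if options are possible, the u32 documentation's `0>>22&0x3C@` form moves the offset to the end of the header instead of hard-coding it.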