44Net Wiki - User contributions [en]

Services

2024-04-24T15:22:32Z

Kb3vwg: remove N1URO SK N1URO N1URO

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || https://www.ampr.org || HTTPS || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || https://wiki.ampr.org || HTTPS || This Wiki|| NONE
|-
| AMPR ||44Net discussion group || https://ardc.groups.io/g/44net || HTTPS || AMPR discussion group|| NONE
|-
| AMPR ||ARDC announcements || https://ardc.groups.io/g/main || HTTPS || ARDC announcements|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts are authoritative for AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)
 
gw.ampr.org 
ns.ampr.org 
a.gw4.uk 
ns2.us.ardc.net 
ns1.de.ardc.net 
(These hosts maintain a copy of AMPR.ORG and the '[0-191].44.in-addr.arpa' DNS Zones. 44.0/9 thru 44.128/10 hosts may use as recursive/Client DNS servers:) 
dns-mdc.ampr.org (44.60.44.3 - also copy of HAMWAN.ORG) 
|| DNS || name resolution services|| zone files can be downloaded from ftp://gw.ampr.org/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || gw.ampr.org (Stratum 1, US) ntp.vk2hff.ampr.org (Stratum 1, AU) ntp.g1fef.ampr.org (Stratum 1, UK) kb3vwg-001.ampr.org (Stratum 2, US) gw-44-137.pi9noz.ampr.org (Stratum 2) server.yo2loj.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) ntp1.on3rvh.ampr.org || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/wiki/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| [http://allstarlink.org AllStar Link] || AllStar || http://allstarlink.org || Linking of repeaters || AllStar Link core network services are provided via redundant datacenters using 44net IP space. || [https://wiki.allstarlink.org/wiki/Main_Page ASL wiki]
|-
| N2NOV and G1FEF || Hub_NA and Hub_EU for WWconvers Chat System || 44.68.41.2:3600 44.1.1.25:3600 || Telnet || Only connections from other 44Net addresses allowed using port 3600. Stations like JNOS with a built-in local chat server can link to it. Individuals without a local chat portal can use an IRC client to a public IP address that must be arranged with the owner. || None
|-
| N2NOV || AMPRNet NE US Regional Portal || http://n2nov.ampr.org/hamgate.html || HTTP || AMPRNet NE US Regional Portal || None
|-
| [https://flscg.org/ FSG]|| HamWAN Remote || https://flscg.org/2022/04/hamwan-remote/ || VPN/BGP || We provide a VPN based remote site connection to [https://flscg.org/hamwan/ HamWAN Tampa] and can announce your IP space. Performance of over 1gbit/s is possible and we provide an local connection point for amateurs in the South East || https://wiki.w9cr.net/index.php/HamWAN_Remote_Site
|-
| [https://hamwan.org HamWAN]||[https://hamwan.org/Labs/Open%20Peering%20Policy.html OPP Website]||Open Peering ||BGP feed||We provide IPsec VPN w/ BGP peering + Internet announcing.||
|-}

Services

2024-04-24T15:20:39Z

Kb3vwg:

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || https://www.ampr.org || HTTPS || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || https://wiki.ampr.org || HTTPS || This Wiki|| NONE
|-
| AMPR ||44Net discussion group || https://ardc.groups.io/g/44net || HTTPS || AMPR discussion group|| NONE
|-
| AMPR ||ARDC announcements || https://ardc.groups.io/g/main || HTTPS || ARDC announcements|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts are authoritative for AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)
 
gw.ampr.org 
ns.ampr.org 
a.gw4.uk 
ns2.us.ardc.net 
ns1.de.ardc.net 
(These hosts maintain a copy of AMPR.ORG and the '[0-191].44.in-addr.arpa' DNS Zones. 44.0/9 thru 44.128/10 hosts may use as recursive/Client DNS servers:) 
dns-mdc.ampr.org (44.60.44.3) 
|| DNS || name resolution services|| zone files can be downloaded from ftp://gw.ampr.org/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || gw.ampr.org (Stratum 1, US) ntp.vk2hff.ampr.org (Stratum 1, AU) ntp.g1fef.ampr.org (Stratum 1, UK) kb3vwg-001.ampr.org (Stratum 2, US) gw-44-137.pi9noz.ampr.org (Stratum 2) server.yo2loj.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) ntp1.on3rvh.ampr.org || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/wiki/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| [http://allstarlink.org AllStar Link] || AllStar || http://allstarlink.org || Linking of repeaters || AllStar Link core network services are provided via redundant datacenters using 44net IP space. || [https://wiki.allstarlink.org/wiki/Main_Page ASL wiki]
|-
| N2NOV and G1FEF || Hub_NA and Hub_EU for WWconvers Chat System || 44.68.41.2:3600 44.1.1.25:3600 || Telnet || Only connections from other 44Net addresses allowed using port 3600. Stations like JNOS with a built-in local chat server can link to it. Individuals without a local chat portal can use an IRC client to a public IP address that must be arranged with the owner. || None
|-
| N2NOV || AMPRNet NE US Regional Portal || http://n2nov.ampr.org/hamgate.html || HTTP || AMPRNet NE US Regional Portal || None
|-
| [https://flscg.org/ FSG]|| HamWAN Remote || https://flscg.org/2022/04/hamwan-remote/ || VPN/BGP || We provide a VPN based remote site connection to [https://flscg.org/hamwan/ HamWAN Tampa] and can announce your IP space. Performance of over 1gbit/s is possible and we provide an local connection point for amateurs in the South East || https://wiki.w9cr.net/index.php/HamWAN_Remote_Site
|-
| [https://hamwan.org HamWAN]||[https://hamwan.org/Labs/Open%20Peering%20Policy.html OPP Website]||Open Peering ||BGP feed||We provide IPsec VPN w/ BGP peering + Internet announcing.||
|-}

Services

2022-03-15T23:54:19Z

Kb3vwg: added by request of N2NOV - added NE US AMPRNet Regional Portal

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE
|-
| AMPR ||[[44Net mailing list]] || https://mailman.ampr.org/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts maintain a copy of AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)
 ampr.org 
ns2.threshinc.com 
munnari.OZ.AU 
a.coreservers.uk 
ampr-dns.in-berlin.de 
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:) 
gw.ct.ampr.org (44.88.0.1) 
dns-mdc.ampr.org (44.60.44.3) 
n1uro.ampr.org (44.88.0.9)
|| DNS || name resolution services|| zone files can be downloaded from ftp://gw.ampr.org/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || gw.ampr.org (Stratum 1, US) ntp.vk2hff.ampr.org (Stratum 1, AU) ntp.g1fef.ampr.org (Stratum 1, UK) kb3vwg-001.ampr.org (Stratum 2, US) gw-44-137.pi9noz.ampr.org (Stratum 2) server.yo2loj.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) ntp1.on3rvh.ampr.org || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/wiki/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| [http://allstarlink.org AllStar Link] || AllStar || http://allstarlink.org || Linking of repeaters || AllStar Link core network services are provided via redundant datacenters using 44net IP space. || [https://wiki.allstarlink.org/wiki/Main_Page ASL wiki]
|-
| N2NOV and G1FEEF || Hub_NA and Hub_EU for WWconvers Chat System || 44.68.41.2:3600 44.1.1.25:3600 || Telnet || Only connections from other 44Net addresses allowed using port 3600. Stations like JNOS with a built-in local chat server can link to it. Individuals without a local chat portal can use an IRC client to a public IP address that must be arranged with the owner. || None
|-
| N2NOV || AMPRNet NE US Regional Portal || http://n2nov.ampr.org/hamgate.html || HTTP || AMPRNet NE US Regional Portal || None
|-}

Services

2022-02-05T18:40:00Z

Kb3vwg: added Hub_NA and Hub_EU for WWconvers Chat System

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE
|-
| AMPR ||[[44Net mailing list]] || https://mailman.ampr.org/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts maintain a copy of AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)
 ampr.org 
ns2.threshinc.com 
munnari.OZ.AU 
a.coreservers.uk 
ampr-dns.in-berlin.de 
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:) 
gw.ct.ampr.org (44.88.0.1) 
dns-mdc.ampr.org (44.60.44.3) 
n1uro.ampr.org (44.88.0.9)
|| DNS || name resolution services|| zone files can be downloaded from ftp://gw.ampr.org/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || gw.ampr.org (Stratum 1, US) ntp.vk2hff.ampr.org (Stratum 1, AU) ntp.g1fef.ampr.org (Stratum 1, UK) kb3vwg-001.ampr.org (Stratum 2, US) gw-44-137.pi9noz.ampr.org (Stratum 2) server.yo2loj.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) ntp1.on3rvh.ampr.org || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/wiki/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| [http://allstarlink.org AllStar Link] || AllStar || http://allstarlink.org || Linking of repeaters || AllStar Link core network services are provided via redundant datacenters using 44net IP space. || [https://wiki.allstarlink.org/wiki/Main_Page ASL wiki]
|-
| N2NOV and G1FEEF || Hub_NA and Hub_EU for WWconvers Chat System || 44.68.41.2:3600 44.1.1.25:3600 || Telnet || Only connections from other 44Net addresses allowed using port 3600. Stations like JNOS with a built-in local chat server can link to it. Individuals without a local chat portal can use an IRC client to a public IP address that must be arranged with the owner. || None
|-}

44Net mailing list

2020-11-24T22:12:01Z

Kb3vwg: updated 44 mailing list URL

The [https://mailman.ampr.org/mailman/listinfo/44net working group discussion list] is a mailing list where amprnet users and gateway operators discuss all things [[AMPRNet]]. Subscribe and browse the archives to learn more!

* [https://mailman.ampr.org/mailman/listinfo/44net https://mailman.ampr.org/mailman/listinfo/44net]

Services

2020-11-24T22:11:15Z

Kb3vwg: updated 44 mailing list URL

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE
|-
| AMPR ||[[44Net mailing list]] || https://mailman.ampr.org/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts maintain a copy of AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)
 ampr.org 
ns2.threshinc.com 
munnari.OZ.AU 
a.coreservers.uk 
ampr-dns.in-berlin.de 
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:) 
gw.ct.ampr.org (44.88.0.1) 
dns-mdc.ampr.org (44.60.44.3) 
n1uro.ampr.org (44.88.0.9)
|| DNS || name resolution services|| zone files can be downloaded from ftp://gw.ampr.org/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || gw.ampr.org (Stratum 1, US) ntp.vk2hff.ampr.org (Stratum 1, AU) ntp.g1fef.ampr.org (Stratum 1, UK) kb3vwg-001.ampr.org (Stratum 2, US) gw-44-137.pi9noz.ampr.org (Stratum 2) server.yo2loj.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) ntp1.on3rvh.ampr.org || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/wiki/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| OH1KK || KiwiSDR Kaustinen || http://44.139.48.2 || SDR-receiver || KiwiSDR receiver located at Kaustinen, Finland · 0-30 MHz · Antenna switch extension · Northern Europe || Experimental. Also available on non-amprnet at address http://sdr.vy.fi
|-
| [http://allstarlink.org AllStar Link] || AllStar || http://allstarlink.org || Linking of repeaters || AllStar Link core network services are provided via redundant datacenters using 44net IP space. || [https://wiki.allstarlink.org/wiki/Main_Page ASL wiki]
|-}

Setting up a gateway on OpenWRT

2020-11-07T06:51:01Z

Kb3vwg: /* Setup and configuration of OpenWrt */ added update for https://openwrt.org/packages/pkgdata/libstdcpp6

This Wiki provides operators a straightforward method of configuring your OpenWrt device for use with the [[ARDC]] network.

== Running the [[RIP| RIP44 protocol]] ==
'''NOTE:'''

* To operate a [[Gateway]] on [[AMPRNet]], you must run software to obtain up-to-date route information - a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol named [[RIP| RIP44]] is used
* The implementation of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] and RIP44 '''[[RIP#What's the difference?|are not the same]]'''

''Therefore:''

* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWrt device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''
* '''[[ampr-ripd]]''' (written in C by YO2LOJ) is used in this Wiki example, as fewer prerequisite software are required (e.g. C++ library), compared to [[rip44d]]
* ''There is also an experimental [[RIP44.lua]] daemon which should run with standard packages''
* ''For information about compiling for OpenWrt devices, see:''
** [https://openwrt.org/docs/guide-developer/crosscompile Cross Compile - OpenWrt]
** [https://openwrt.org/docs/start OpenWrt Manual]

== Before we begin - assumptions ==

'''NOTE - ''' ''these instructions assume:''

* That you have been assigned AMPRNet IP address allocations that are properly claimed; and your [[Gateway]] IP or hostname configured on your account in the [[Portal]]
* ''While not a requirement, that the allocation is /30 (preferablly /29) or larger - that you have enough usable IPs for: tunl0, AMPRLAN and for downstream client usage''
** NAT is not used on the AMPRLAN side of this example
* '''That you have properly enabled DNS PTR records with your AMPRNet regional coordinator - this enables global IP addresses usage'''
* That you intend to configure your OpenWrt-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN
* These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] scenario; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire)
* Since the OpenWrt Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets)
* Lastly, that the user:
** can navigate the default OpenWrt LuCI web-based graphical user interface locally; and that they are using a device capable of having the packages installed
** is familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or
** familiar with entering OpenWrt UCI (Unified Configuration Interface) commands by serial console or SSH.'''

== Setup and configuration of OpenWrt ==

'''Install:'''

* [https://openwrt.org/packages/pkgdata/kmod-ipip kmod-ipip]
* [https://openwrt.org/packages/pkgdata/ip-full ip-full]
* [https://openwrt.org/packages/pkgdata/libstdcpp libstdcpp] (depending on version, it may now be named [https://openwrt.org/packages/pkgdata/libstdcpp6 libstdcpp6])

'''Paste:'''

* '''[[ampr-ripd]]''' to '''/etc/config/''' (always run [[RIP| RIP44]] software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* ''optional'' - dynamic firewall script to /etc/config/load_ipipfilter.sh (see the [[Firewalls#ipset|ipset]] section of the firewall wiki)
* the following to /etc/rc.local or on web GUI at'''System > Startup > Local Startup:'''

ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
# Optional to assign a single /32 IP to tunl0
# needed if you use -L ampr-ripd argument
# or to test AMPRWAN side of connection
'''# ip addr add 44.xxx.xxx.xxx/32 dev tunl0'''
ip link set tunl0 mtu 1480 up
'''# This directory is not persistent on OpenWrt, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running '''touch /etc/config/encap.txt''' once can create it
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
'''# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &'''
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

''AMPRNet Policy Routes''

# add IP Route to /etc/config/network

config route
option interface 'amprwan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway ''''<AMPRGW>''''
option onlink '1'
option table '44'

''AMPRNet Policy Rules''

# add IP Rules to /etc/config/network

#OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
config rule
option src '44.xxx.xxx.0/24'
option dest '192.168.xxx.0/24'
option priority '22'
option lookup 'main'

#ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
config rule
option dest '44.xxx.xxx.0/24'
option priority '44'
option lookup 'main'

### This ensures all traffic received on tunl0 uses table 44
config rule
option in 'amprwan'
option dest '0.0.0.0/0'
option priority '45'
option lookup '44'

###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
config rule
option in 'amprnet'
option dest '0.0.0.0/0'
option priority '46'
option lookup '44'

### You must add an IP rule for all 44net IPs residing on the device
config rule
option src '44.xxx.xxx.0/24
option priority '47'
option lookup '44'

* '''reboot'''

== Enumerating tunnel/VLAN (AMPRWAN/AMPRLAN) Interfaces and firewall zones ==

''REMINDER: In OpenWrt 14.07 or lower - be sure to enable connection tracking if you will not masquerade.''

'''Interfaces'''

* Create an unmanaged Interface instance for tunl0 ('''AMPRWAN''') - '''set to not bring up on boot''', adding it to a new own firewall zone '''amprwan''' using
**Input: Drop (or Reject)
**Output: Drop (or Reject)
**Forward: Drop (or Reject)
* Create an interface instance for a new VLAN and bridge (AMPRNET). '''Assign an IP from your allocation to this interface - this will become the the Default Route/Gateway IP used on other 44 clients in your VLAN''' - add it to its own new firewall zone using
** Input: Accept (if you wish for you AMPRLAN devices to reach the router)
** Output: Accept; and
** Forward: Drop (or Reject, depending if you have other downstream routers in this VLAN)
* '''reboot'''

'''General Firewalling'''

* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* ''For IPENCAP in'' - create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router ''(or configure optional dynamic script above, see [[Firewalls#OpenWrt|Firewalls - OpenWrt]])''
** specify WAN IP instead of ''Any'' - if statically assigned by ISP
* ''For [[RIP| RIP44]] packets in'' - create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
* Create Traffic Forward rules for any inbound services (as desired)
* assign the new VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''

'''Lastly'''

* test ampr-ripd in console using the '''-d''' argument
* add password to the '''Local Startup''' entry and uncomment ampr-ripd line
* '''reboot'''

== See Also ==

* [[ampr-ripd]]
* [[Firewalls#OpenWrt|Firewalls - OpenWrt]]
* [[RIP44.lua]]
* https://openwrt.org/docs/guide-user/network/start

Requesting a block

2020-03-25T13:29:44Z

Kb3vwg: add dialogue about licensed amateurs only

'''Drafted for ARDC/44-net'''

You '''must''' request an amprnet block direct from the Portal.
First you must create your account at the [https://portal.ampr.org/ Portal].
Once you do, you must login. 

* '''You also must login every 3-6 months even if it's just to check in to keep your block active, you've been warned!'''
* '''AMPRNet is a closed network that is only accessible to licensed radio amateurs.'''

Once logged in, from the '''top''' home tab, you next select the [https://portal.ampr.org/networks.php Networks]tab on the
row below. You will see a listing of blocks pre-allocated to the
people who coordinate for those blocks. Find the country you are
from and click on the block to the left that's associated with
the place you live in. If you're in the United States, than
you would first select 44.0.0.0/9, and then search for the state
you live in and click on that block assignment to the left.

Once you find the block associated with your QTH, you then click
on that block. When it opens you'll see a listing of pre-allocated
IP space for that block assigned by that area's coordinator. You
will also notice the following:
"If the address range you want is not within any of the subnets above, or the region you are located in is not listed above, you may request an allocation from the parent network by clicking here: x.x.x.x/16"
This will open up a new screen. This will bring you to the "Request Allocation" page.

Your origin's subnet will automatically be selected as a /16 subnet however
you need to enter in the actual subnet below it in which would suit your
needs. Don't be '''greedy''' request what you actually need for service
nodes. This would not include any 802.11 routers for use on ''HamWan/HamNet'' as
doing so would make you quite insecure. ISPs don't configure their routers
with publicly routable IP space for end users, why would you? To start with, I suggest
a /29 or if you feel you have a handful of devices such as a dozen Raspberry Pi
units you wish to host [http://wiki.ampr.org/wiki/URONode Nodes] with a /28
may better suit your needs.

Basic space allocation per block request and usable hosts within such as a quick
guideline would be:
*/32 - 1 usable host
*/30 - 2 usable hosts
*/29 - 6 usable hosts
*/28 - 14 usable hosts
*/27 - 30 usable hosts

Plan out your topology accordinly before you request your subnet. Many devices may share IPs for
the services you might plan to host on them. An example for a full service [http://wiki.ampr.org/wiki/URONode Node]
you may have 44.1.2.3.4 and that may bind to such things as:
*SMTP/[http://wiki.ampr.org/wiki/URONode axMail]
*[http://wiki.ampr.org/wiki/URONode Node]
*APRS
*BBS
*IMAP
*POP3
*HTTP/HTTPS
*and more!
All the above services may use a single IP on 1 host as these each may use 1 IP port each on the same IP address. As an example
if you had 4 Raspberry Pi units, and 4 PCs you were going to deploy out, that'd be 8 individual devices
in which you'd want a /28 subnet for because a /29 would leave you short 2 IPs for the host devices.

In the description field, I suggest you enter your callsign. It makes your subnet easier to locate in the portal.

Type will always be: '''End User'''

Underneath that will be 3 tick boxes:
*Radio
*Tunnel
*[http://wiki.ampr.org/wiki/Announcing_your_allocation_directly Direct]
Unless you're jumping right into the fire and intend on BGP announcing your subnet,
you can ignore the last one otherwise click on the link above to see how to do BGP with the AmprNet.
If you'll be routing IP via RF you'll obviously want to tick on ''Radio''. If you'll have IP
connectivity via your ISP you'll want to also tick on ''Tunnel''. Note: Not all ISPs allow for the
passing of our tunnel protocol however most do. If you find you can not tunnel, check with your router's
manufacturer to insure they allow for passing of IP protocol 4. You may also want to place your main amprnet
device's lan IP into your local router's DMZ so that anything coming into your IP will default
route into the device you'll designate as your amprnet routing device. (Note: Raspberry Pi
units are a great device for this and you can turn them into a Wifi hotspot to route 44/8
via 802.11a/b/g/n)

Lastly you'll want to send a note to your coordinator. You'll find this to be a good way to
open communications with your coordinator as well as helping them sort out your needs for a
subnet.

Your next step is [http://wiki.ampr.org/wiki/Registering_Your_Gateway Here] to register your AmprNet Gateway.

Firewalls

2019-04-25T16:17:08Z

Kb3vwg: /* OpenWrt */ added information about MSS Clamping

Welcome to the Firewall Wiki.

This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at '''Administration > Commands > "Save Firewall"''' on the web GUI.

See:

* https://www.dd-wrt.com/wiki/index.php/Iptables
* https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding on the web GUI:

* Create a new Port Forward
* Enter the LAN IP of your AMPR node
* Select "Other"
* Type the number '''4''' into the field

== iptables ==

'''NOTE:'''

* On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall).
* Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.'''
* ''If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.''
* '''For most embedded devices, it is suggested to use [[Firewalls#ipset|ipset]] rules instead'''

'''General Bogon rules''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
# Block of Test AMPRNet Subnet
# iptables -t raw -I PREROUTING -s 44.128.0.0/16 -i tunl0 -j DROP
# (you can optionally block your subnet)
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''NOTE:''

* ''This script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to extreme overheard running on many devices, the ipset script is suggested instead.''
* This rule (or one of the ipset or static rules below) is required for other AMPR nodes to initiate inbound traffic to your node.

''REQUIRED:''
[[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

''Note:''
* This rule (the dynamic rule above, or the ipset rules) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

''To enable receipt of [[RIP]]44''

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

''Masquerade LAN Subnets to AMPRNet''

* In this instance, eth1 is your 192.168.1.0/24 LAN - (thanks to Brian, N1URO)
''See: https://n1uro.ampr.org/linuxconf/44nat.html''

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''General Bogon rules using ipset''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

#######################BOGON FILTER ########################
ipset create bogons hash:net
# BOGON LIST
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
ipset -A bogons 0.0.0.0/8
ipset -A bogons 10.0.0.0/8
ipset -A bogons 100.64.0.0/10
ipset -A bogons 127.0.0.0/8
ipset -A bogons 169.254.0.0/16
ipset -A bogons 172.16.0.0/12
ipset -A bogons 192.0.0.0/24
ipset -A bogons 192.0.2.0/24
ipset -A bogons 192.168.0.0/16
ipset -A bogons 198.18.0.0/15
ipset -A bogons 198.51.100.0/24
ipset -A bogons 203.0.113.0/24
ipset -A bogons 224.0.0.0/4
ipset -A bogons 240.0.0.0/4
# Block of your own AMPRNet Subnet
# ipset -A bogons 44.xxx.xxx.xxx/xx
# Block of Test AMPRNet Subnet
# ipset -A bogons 44.128.0.0/16

(you can optionally block your subnet)

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''REQUIRED:'' [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

== Microtik ==

== OpenWrt ==

''See: [[Firewalls#iptables|iptables]] and [[Firewalls#ipset|ipset]] (above), and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].''

* the Bogon ipset script is added to '''System > Startup''' on the web GUI - or into the Unified Configuration Interface (UCI) file ''/etc/rc.local''
* [[Firewalls#iptables|iptables]]-based scripts are entered at '''Network > Firewall > Custom Firewall''' on the LuCI web GUI interface - or into the Unified Configuration Interface (UCI) file ''/etc/firewall.user''
* [[Firewalls#ipset|ipset]]-based rules are entered on the command line - into the Unified Configuration Interface (UCI) file ''/etc/config/firewall'' ''(OpenWrt syntax must be used in this file!)''
* '''MSS Clamping is enabled in the Firewall Section, you should enable this on both the AMPRLAN and AMPRWAN interfaces'''

''Adding Bogon drop rule to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option name 'Drop-Bogons_In_AMPRWAN'
option family 'ipv4'
option proto 'all'
option src 'amprwan'
option target 'DROP'
option extra '-m set --match-set bogons src'

''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

Ampr-ripd

2019-01-25T00:11:41Z

Kb3vwg: spelling correction

ampr-ripd is a GNU/Linux C daemon writen by Y02LOJ that listens for AMPRNet [[gateway]] announcements and can update routing tables based on the information it receives.

ampr-ripd source code and instructions can be found [http://www.yo2loj.ro/hamprojects/ here].

* [[ampr-ripd]] has been compiled for the AppliedMicro APM82181 and Atheros 71xx router CPUs
* Considering embedded devices such as [[Setting up a gateway on OpenWRT|OpenWrt]], the routing table is relatively small - so the performance or memory consumption of this daemon isn't very critical
* new [[Gateway]] operators should compile the source code if they do not have access to an executable copy of this software

Setting up a gateway on OpenWRT

2019-01-22T13:38:00Z

Kb3vwg: /* Before we begin - assumptions */ added information about subnet size

This Wiki provides operators a straightforward method of configuring your OpenWrt device for use with the [[ARDC]] network.

== Running the [[RIP| RIP44 protocol]] ==
'''NOTE:'''

* To operate a [[Gateway]] on [[AMPRNet]], you must run software to obtain up-to-date route information - a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol named [[RIP| RIP44]] is used
* The implementation of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] and RIP44 '''[[RIP#What's the difference?|are not the same]]'''

''Therefore:''

* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWrt device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''
* '''[[ampr-ripd]]''' (written in C by YO2LOJ) is used in this Wiki example, as fewer prerequisite software are required (e.g. C++ library), compared to [[rip44d]]
* ''There is also an experimental [[RIP44.lua]] daemon which should run with standard packages''
* ''For information about compiling for OpenWrt devices, see:''
** [https://openwrt.org/docs/guide-developer/crosscompile Cross Compile - OpenWrt]
** [https://openwrt.org/docs/start OpenWrt Manual]

== Before we begin - assumptions ==

'''NOTE - ''' ''these instructions assume:''

* That you have been assigned AMPRNet IP address allocations that are properly claimed; and your [[Gateway]] IP or hostname configured on your account in the [[Portal]]
* ''While not a requirement, that the allocation is /30 (preferablly /29) or larger - that you have enough usable IPs for: tunl0, AMPRLAN and for downstream client usage''
** NAT is not used on the AMPRLAN side of this example
* '''That you have properly enabled DNS PTR records with your AMPRNet regional coordinator - this enables global IP addresses usage'''
* That you intend to configure your OpenWrt-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN
* These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] scenario; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire)
* Since the OpenWrt Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets)
* Lastly, that the user:
** can navigate the default OpenWrt LuCI web-based graphical user interface locally; and that they are using a device capable of having the packages installed
** is familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or
** familiar with entering OpenWrt UCI (Unified Configuration Interface) commands by serial console or SSH.'''

== Setup and configuration of OpenWrt ==

'''Install:'''

* [https://openwrt.org/packages/pkgdata/kmod-ipip kmod-ipip]
* [https://openwrt.org/packages/pkgdata/ip-full ip-full]
* [https://openwrt.org/packages/pkgdata/libstdcpp libstdcpp]

'''Paste:'''

* '''[[ampr-ripd]]''' to '''/etc/config/''' (always run [[RIP| RIP44]] software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* ''optional'' - dynamic firewall script to /etc/config/load_ipipfilter.sh (see the [[Firewalls#ipset|ipset]] section of the firewall wiki)
* the following to /etc/rc.local or on web GUI at'''System > Startup > Local Startup:'''

ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
# Optional to assign a single /32 IP to tunl0
# needed if you use -L ampr-ripd argument
# or to test AMPRWAN side of connection
'''# ip addr add 44.xxx.xxx.xxx/32 dev tunl0'''
ip link set tunl0 mtu 1480 up
'''# This directory is not persistent on OpenWrt, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running '''touch /etc/config/encap.txt''' once can create it
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
'''# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &'''
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

''AMPRNet Policy Routes''

# add IP Route to /etc/config/network

config route
option interface 'amprwan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway ''''<AMPRGW>''''
option onlink '1'
option table '44'

''AMPRNet Policy Rules''

# add IP Rules to /etc/config/network

#OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
config rule
option src '44.xxx.xxx.0/24'
option dest '192.168.xxx.0/24'
option priority '22'
option lookup 'main'

#ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
config rule
option dest '44.xxx.xxx.0/24'
option priority '44'
option lookup 'main'

### This ensures all traffic received on tunl0 uses table 44
config rule
option in 'amprwan'
option dest '0.0.0.0/0'
option priority '45'
option lookup '44'

###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
config rule
option in 'amprnet'
option dest '0.0.0.0/0'
option priority '46'
option lookup '44'

### You must add an IP rule for all 44net IPs residing on the device
config rule
option src '44.xxx.xxx.0/24
option priority '47'
option lookup '44'

* '''reboot'''

== Enumerating tunnel/VLAN (AMPRWAN/AMPRLAN) Interfaces and firewall zones ==

''REMINDER: In OpenWrt 14.07 or lower - be sure to enable connection tracking if you will not masquerade.''

'''Interfaces'''

* Create an unmanaged Interface instance for tunl0 ('''AMPRWAN''') - '''set to not bring up on boot''', adding it to a new own firewall zone '''amprwan''' using
**Input: Drop (or Reject)
**Output: Drop (or Reject)
**Forward: Drop (or Reject)
* Create an interface instance for a new VLAN and bridge (AMPRNET). '''Assign an IP from your allocation to this interface - this will become the the Default Route/Gateway IP used on other 44 clients in your VLAN''' - add it to its own new firewall zone using
** Input: Accept (if you wish for you AMPRLAN devices to reach the router)
** Output: Accept; and
** Forward: Drop (or Reject, depending if you have other downstream routers in this VLAN)
* '''reboot'''

'''General Firewalling'''

* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* ''For IPENCAP in'' - create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router ''(or configure optional dynamic script above, see [[Firewalls#OpenWrt|Firewalls - OpenWrt]])''
** specify WAN IP instead of ''Any'' - if statically assigned by ISP
* ''For [[RIP| RIP44]] packets in'' - create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
* Create Traffic Forward rules for any inbound services (as desired)
* assign the new VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''

'''Lastly'''

* test ampr-ripd in console using the '''-d''' argument
* add password to the '''Local Startup''' entry and uncomment ampr-ripd line
* '''reboot'''

== See Also ==

* [[ampr-ripd]]
* [[Firewalls#OpenWrt|Firewalls - OpenWrt]]
* [[RIP44.lua]]
* https://openwrt.org/docs/guide-user/network/start

Setting up a gateway on OpenWRT

2019-01-22T13:27:49Z

Kb3vwg: /* Setup and configuration of OpenWrt */ add tunl0 IP information

This Wiki provides operators a straightforward method of configuring your OpenWrt device for use with the [[ARDC]] network.

== Running the [[RIP| RIP44 protocol]] ==
'''NOTE:'''

* To operate a [[Gateway]] on [[AMPRNet]], you must run software to obtain up-to-date route information - a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol named [[RIP| RIP44]] is used
* The implementation of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] and RIP44 '''[[RIP#What's the difference?|are not the same]]'''

''Therefore:''

* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWrt device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''
* '''[[ampr-ripd]]''' (written in C by YO2LOJ) is used in this Wiki example, as fewer prerequisite software are required (e.g. C++ library), compared to [[rip44d]]
* ''There is also an experimental [[RIP44.lua]] daemon which should run with standard packages''
* ''For information about compiling for OpenWrt devices, see:''
** [https://openwrt.org/docs/guide-developer/crosscompile Cross Compile - OpenWrt]
** [https://openwrt.org/docs/start OpenWrt Manual]

== Before we begin - assumptions ==

'''NOTE - ''' ''these instructions assume:''

* That you have been assigned AMPRNet IP address allocations that are properly claimed; and your [[Gateway]] IP or hostname configured on your account in the [[Portal]]
* '''That you have properly enabled DNS PTR records with your AMPRNet regional coordinator - this enables global IP addresses usage'''
* That you intend to configure your OpenWrt-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN
* These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] scenario; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire)
* Since the OpenWrt Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets)
* Lastly, that the user:
** can navigate the default OpenWrt LuCI web-based graphical user interface locally; and that they are using a device capable of having the packages installed
** is familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or
** familiar with entering OpenWrt UCI (Unified Configuration Interface) commands by serial console or SSH.'''

== Setup and configuration of OpenWrt ==

'''Install:'''

* [https://openwrt.org/packages/pkgdata/kmod-ipip kmod-ipip]
* [https://openwrt.org/packages/pkgdata/ip-full ip-full]
* [https://openwrt.org/packages/pkgdata/libstdcpp libstdcpp]

'''Paste:'''

* '''[[ampr-ripd]]''' to '''/etc/config/''' (always run [[RIP| RIP44]] software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* ''optional'' - dynamic firewall script to /etc/config/load_ipipfilter.sh (see the [[Firewalls#ipset|ipset]] section of the firewall wiki)
* the following to /etc/rc.local or on web GUI at'''System > Startup > Local Startup:'''

ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
# Optional to assign a single /32 IP to tunl0
# needed if you use -L ampr-ripd argument
# or to test AMPRWAN side of connection
'''# ip addr add 44.xxx.xxx.xxx/32 dev tunl0'''
ip link set tunl0 mtu 1480 up
'''# This directory is not persistent on OpenWrt, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running '''touch /etc/config/encap.txt''' once can create it
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
'''# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &'''
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

''AMPRNet Policy Routes''

# add IP Route to /etc/config/network

config route
option interface 'amprwan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway ''''<AMPRGW>''''
option onlink '1'
option table '44'

''AMPRNet Policy Rules''

# add IP Rules to /etc/config/network

#OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
config rule
option src '44.xxx.xxx.0/24'
option dest '192.168.xxx.0/24'
option priority '22'
option lookup 'main'

#ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
config rule
option dest '44.xxx.xxx.0/24'
option priority '44'
option lookup 'main'

### This ensures all traffic received on tunl0 uses table 44
config rule
option in 'amprwan'
option dest '0.0.0.0/0'
option priority '45'
option lookup '44'

###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
config rule
option in 'amprnet'
option dest '0.0.0.0/0'
option priority '46'
option lookup '44'

### You must add an IP rule for all 44net IPs residing on the device
config rule
option src '44.xxx.xxx.0/24
option priority '47'
option lookup '44'

* '''reboot'''

== Enumerating tunnel/VLAN (AMPRWAN/AMPRLAN) Interfaces and firewall zones ==

''REMINDER: In OpenWrt 14.07 or lower - be sure to enable connection tracking if you will not masquerade.''

'''Interfaces'''

* Create an unmanaged Interface instance for tunl0 ('''AMPRWAN''') - '''set to not bring up on boot''', adding it to a new own firewall zone '''amprwan''' using
**Input: Drop (or Reject)
**Output: Drop (or Reject)
**Forward: Drop (or Reject)
* Create an interface instance for a new VLAN and bridge (AMPRNET). '''Assign an IP from your allocation to this interface - this will become the the Default Route/Gateway IP used on other 44 clients in your VLAN''' - add it to its own new firewall zone using
** Input: Accept (if you wish for you AMPRLAN devices to reach the router)
** Output: Accept; and
** Forward: Drop (or Reject, depending if you have other downstream routers in this VLAN)
* '''reboot'''

'''General Firewalling'''

* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* ''For IPENCAP in'' - create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router ''(or configure optional dynamic script above, see [[Firewalls#OpenWrt|Firewalls - OpenWrt]])''
** specify WAN IP instead of ''Any'' - if statically assigned by ISP
* ''For [[RIP| RIP44]] packets in'' - create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
* Create Traffic Forward rules for any inbound services (as desired)
* assign the new VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''

'''Lastly'''

* test ampr-ripd in console using the '''-d''' argument
* add password to the '''Local Startup''' entry and uncomment ampr-ripd line
* '''reboot'''

== See Also ==

* [[ampr-ripd]]
* [[Firewalls#OpenWrt|Firewalls - OpenWrt]]
* [[RIP44.lua]]
* https://openwrt.org/docs/guide-user/network/start

Firewalls

2019-01-21T20:54:24Z

Kb3vwg: accidentally added my own subnet to ipset bogons, edited ipset to properly reflect

Welcome to the Firewall Wiki.

This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at '''Administration > Commands > "Save Firewall"''' on the web GUI.

See:

* https://www.dd-wrt.com/wiki/index.php/Iptables
* https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding on the web GUI:

* Create a new Port Forward
* Enter the LAN IP of your AMPR node
* Select "Other"
* Type the number '''4''' into the field

== iptables ==

'''NOTE:'''

* On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall).
* Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.'''
* ''If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.''
* '''For most embedded devices, it is suggested to use [[Firewalls#ipset|ipset]] rules instead'''

'''General Bogon rules''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
# Block of Test AMPRNet Subnet
# iptables -t raw -I PREROUTING -s 44.128.0.0/16 -i tunl0 -j DROP
# (you can optionally block your subnet)
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''NOTE:''

* ''This script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to extreme overheard running on many devices, the ipset script is suggested instead.''
* This rule (or one of the ipset or static rules below) is required for other AMPR nodes to initiate inbound traffic to your node.

''REQUIRED:''
[[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

''Note:''
* This rule (the dynamic rule above, or the ipset rules) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

''To enable receipt of [[RIP]]44''

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

''Masquerade LAN Subnets to AMPRNet''

* In this instance, eth1 is your 192.168.1.0/24 LAN - (thanks to Brian, N1URO)
''See: https://n1uro.ampr.org/linuxconf/44nat.html''

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''General Bogon rules using ipset''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

#######################BOGON FILTER ########################
ipset create bogons hash:net
# BOGON LIST
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
ipset -A bogons 0.0.0.0/8
ipset -A bogons 10.0.0.0/8
ipset -A bogons 100.64.0.0/10
ipset -A bogons 127.0.0.0/8
ipset -A bogons 169.254.0.0/16
ipset -A bogons 172.16.0.0/12
ipset -A bogons 192.0.0.0/24
ipset -A bogons 192.0.2.0/24
ipset -A bogons 192.168.0.0/16
ipset -A bogons 198.18.0.0/15
ipset -A bogons 198.51.100.0/24
ipset -A bogons 203.0.113.0/24
ipset -A bogons 224.0.0.0/4
ipset -A bogons 240.0.0.0/4
# Block of your own AMPRNet Subnet
# ipset -A bogons 44.xxx.xxx.xxx/xx
# Block of Test AMPRNet Subnet
# ipset -A bogons 44.128.0.0/16

(you can optionally block your subnet)

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''REQUIRED:'' [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

== Microtik ==

== OpenWrt ==

''See: [[Firewalls#iptables|iptables]] and [[Firewalls#ipset|ipset]] (above), and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].''

* the Bogon ipset script is added to '''System > Startup''' on the web GUI - or into the Unified Configuration Interface (UCI) file ''/etc/rc.local''
* [[Firewalls#iptables|iptables]]-based scripts are entered at '''Network > Firewall > Custom Firewall''' on the LuCI web GUI interface - or into the Unified Configuration Interface (UCI) file ''/etc/firewall.user''
* [[Firewalls#ipset|ipset]]-based rules are entered on the command line - into the Unified Configuration Interface (UCI) file ''/etc/config/firewall'' ''(OpenWrt syntax must be used in this file!)''

''Adding Bogon drop rule to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option name 'Drop-Bogons_In_AMPRWAN'
option family 'ipv4'
option proto 'all'
option src 'amprwan'
option target 'DROP'
option extra '-m set --match-set bogons src'

''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

Firewalls

2019-01-12T16:09:19Z

Kb3vwg: added warning about using iptables on embeded devices - ipset prefered

Welcome to the Firewall Wiki.

This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at '''Administration > Commands > "Save Firewall"''' on the web GUI.

See:

* https://www.dd-wrt.com/wiki/index.php/Iptables
* https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding on the web GUI:

* Create a new Port Forward
* Enter the LAN IP of your AMPR node
* Select "Other"
* Type the number '''4''' into the field

== iptables ==

'''NOTE:'''

* On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall).
* Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.'''
* ''If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.''
* '''For most embedded devices, it is suggested to use [[Firewalls#ipset|ipset]] rules instead'''

'''General Bogon rules''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
# Block of Test AMPRNet Subnet
# iptables -t raw -I PREROUTING -s 44.128.0.0/16 -i tunl0 -j DROP
# (you can optionally block your subnet)
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''NOTE:''

* ''This script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to extreme overheard running on many devices, the ipset script is suggested instead.''
* This rule (or one of the ipset or static rules below) is required for other AMPR nodes to initiate inbound traffic to your node.

''REQUIRED:''
[[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

''Note:''
* This rule (the dynamic rule above, or the ipset rules) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

''To enable receipt of [[RIP]]44''

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

''Masquerade LAN Subnets to AMPRNet''

* In this instance, eth1 is your 192.168.1.0/24 LAN - (thanks to Brian, N1URO)
''See: https://n1uro.ampr.org/linuxconf/44nat.html''

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''General Bogon rules using ipset''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

#######################BOGON FILTER ########################
ipset create bogons hash:net
# BOGON LIST
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
ipset -A bogons 0.0.0.0/8
ipset -A bogons 10.0.0.0/8
ipset -A bogons 100.64.0.0/10
ipset -A bogons 127.0.0.0/8
ipset -A bogons 169.254.0.0/16
ipset -A bogons 172.16.0.0/12
ipset -A bogons 192.0.0.0/24
ipset -A bogons 192.0.2.0/24
ipset -A bogons 192.168.0.0/16
ipset -A bogons 198.18.0.0/15
ipset -A bogons 198.51.100.0/24
ipset -A bogons 203.0.113.0/24
ipset -A bogons 224.0.0.0/4
ipset -A bogons 240.0.0.0/4
ipset -A bogons 44.60.44.0/24
# Block of Test AMPRNet Subnet
# ipset -A bogons 44.128.0.0/16

(you can optionally block your subnet)

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''REQUIRED:'' [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

== Microtik ==

== OpenWrt ==

''See: [[Firewalls#iptables|iptables]] and [[Firewalls#ipset|ipset]] (above), and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].''

* the Bogon ipset script is added to '''System > Startup''' on the web GUI - or into the Unified Configuration Interface (UCI) file ''/etc/rc.local''
* [[Firewalls#iptables|iptables]]-based scripts are entered at '''Network > Firewall > Custom Firewall''' on the LuCI web GUI interface - or into the Unified Configuration Interface (UCI) file ''/etc/firewall.user''
* [[Firewalls#ipset|ipset]]-based rules are entered on the command line - into the Unified Configuration Interface (UCI) file ''/etc/config/firewall'' ''(OpenWrt syntax must be used in this file!)''

''Adding Bogon drop rule to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option name 'Drop-Bogons_In_AMPRWAN'
option family 'ipv4'
option proto 'all'
option src 'amprwan'
option target 'DROP'
option extra '-m set --match-set bogons src'

''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

Firewalls

2019-01-12T16:05:24Z

Kb3vwg: add ipset bogon config

Welcome to the Firewall Wiki.

This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at '''Administration > Commands > "Save Firewall"''' on the web GUI.

See:

* https://www.dd-wrt.com/wiki/index.php/Iptables
* https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding on the web GUI:

* Create a new Port Forward
* Enter the LAN IP of your AMPR node
* Select "Other"
* Type the number '''4''' into the field

== iptables ==

'''NOTE:'''

* On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall).
* Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.'''
* ''If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.''

'''General Bogon rules''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
# Block of Test AMPRNet Subnet
# iptables -t raw -I PREROUTING -s 44.128.0.0/16 -i tunl0 -j DROP
# (you can optionally block your subnet)
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''NOTE:''

* ''This script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to overheard running on many devices, the ipset script is suggested instead.''
* This rule (or one of the ipset or static rules below) is required for other AMPR nodes to initiate inbound traffic to your node.

''REQUIRED:''
[[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

''Note:''
* This rule (the dynamic rule above, or the ipset rules) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

''To enable receipt of [[RIP]]44''

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

''Masquerade LAN Subnets to AMPRNet''

* In this instance, eth1 is your 192.168.1.0/24 LAN - (thanks to Brian, N1URO)
''See: https://n1uro.ampr.org/linuxconf/44nat.html''

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''General Bogon rules using ipset''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

#######################BOGON FILTER ########################
ipset create bogons hash:net
# BOGON LIST
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
ipset -A bogons 0.0.0.0/8
ipset -A bogons 10.0.0.0/8
ipset -A bogons 100.64.0.0/10
ipset -A bogons 127.0.0.0/8
ipset -A bogons 169.254.0.0/16
ipset -A bogons 172.16.0.0/12
ipset -A bogons 192.0.0.0/24
ipset -A bogons 192.0.2.0/24
ipset -A bogons 192.168.0.0/16
ipset -A bogons 198.18.0.0/15
ipset -A bogons 198.51.100.0/24
ipset -A bogons 203.0.113.0/24
ipset -A bogons 224.0.0.0/4
ipset -A bogons 240.0.0.0/4
ipset -A bogons 44.60.44.0/24
# Block of Test AMPRNet Subnet
# ipset -A bogons 44.128.0.0/16

(you can optionally block your subnet)

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''REQUIRED:'' [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

== Microtik ==

== OpenWrt ==

''See: [[Firewalls#iptables|iptables]] and [[Firewalls#ipset|ipset]] (above), and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].''

* the Bogon ipset script is added to '''System > Startup''' on the web GUI - or into the Unified Configuration Interface (UCI) file ''/etc/rc.local''
* [[Firewalls#iptables|iptables]]-based scripts are entered at '''Network > Firewall > Custom Firewall''' on the LuCI web GUI interface - or into the Unified Configuration Interface (UCI) file ''/etc/firewall.user''
* [[Firewalls#ipset|ipset]]-based rules are entered on the command line - into the Unified Configuration Interface (UCI) file ''/etc/config/firewall'' ''(OpenWrt syntax must be used in this file!)''

''Adding Bogon drop rule to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option name 'Drop-Bogons_In_AMPRWAN'
option family 'ipv4'
option proto 'all'
option src 'amprwan'
option target 'DROP'
option extra '-m set --match-set bogons src'

''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

Firewalls

2019-01-11T17:57:30Z

Kb3vwg: cleanup

Welcome to the Firewall Wiki.

This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at '''Administration > Commands > "Save Firewall"''' on the web GUI.

See:

* https://www.dd-wrt.com/wiki/index.php/Iptables
* https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding on the web GUI:

* Create a new Port Forward
* Enter the LAN IP of your AMPR node
* Select "Other"
* Type the number '''4''' into the field

== iptables ==

'''NOTE:'''

* On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall).
* Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.'''
* ''If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.''

'''General Bogon rules''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
# Block of Test AMPRNet Subnet
# iptables -t raw -I PREROUTING -s 44.128.0.0/16 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''NOTE:''

* ''This script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to overheard running on many devices, the ipset script is suggested instead.''
* This rule (or one of the ipset or static rules below) is required for other AMPR nodes to initiate inbound traffic to your node.

''REQUIRED:''
[[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

''Note:''
* This rule (the dynamic rule above, or the ipset rules) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

''To enable receipt of [[RIP]]44''

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

''Masquerade LAN Subnets to AMPRNet''

* In this instance, eth1 is your 192.168.1.0/24 LAN - (thanks to Brian, N1URO)
''See: https://n1uro.ampr.org/linuxconf/44nat.html''

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''REQUIRED:'' [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

== Microtik ==

== OpenWrt ==

''See: [[Firewalls#iptables|iptables]] and [[Firewalls#ipset|ipset]] (above), and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].''

* [[Firewalls#iptables|iptables]]-based rules are entered at '''Network > Firewall > Custom Firewall''' on the LuCI web GUI interface
* [[Firewalls#ipset|ipset]]-based rules are entered on the command line - into the Unified Configuration Interface (UCI) file ''/etc/config/firewall''

''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

Setting up a gateway on OpenWRT

2019-01-11T17:48:05Z

Kb3vwg: cleanup

This Wiki provides operators a straightforward method of configuring your OpenWrt device for use with the [[ARDC]] network.

== Running the [[RIP| RIP44 protocol]] ==
'''NOTE:'''

* To operate a [[Gateway]] on [[AMPRNet]], you must run software to obtain up-to-date route information - a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol named [[RIP| RIP44]] is used
* The implementation of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] and RIP44 '''[[RIP#What's the difference?|are not the same]]'''

''Therefore:''

* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWrt device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''
* '''[[ampr-ripd]]''' (written in C by YO2LOJ) is used in this Wiki example, as fewer prerequisite software are required (e.g. C++ library), compared to [[rip44d]]
* ''There is also an experimental [[RIP44.lua]] daemon which should run with standard packages''
* ''For information about compiling for OpenWrt devices, see:''
** [https://openwrt.org/docs/guide-developer/crosscompile Cross Compile - OpenWrt]
** [https://openwrt.org/docs/start OpenWrt Manual]

== Before we begin - assumptions ==

'''NOTE - ''' ''these instructions assume:''

* That you have been assigned AMPRNet IP address allocations that are properly claimed; and your [[Gateway]] IP or hostname configured on your account in the [[Portal]]
* '''That you have properly enabled DNS PTR records with your AMPRNet regional coordinator - this enables global IP addresses usage'''
* That you intend to configure your OpenWrt-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN
* These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] scenario; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire)
* Since the OpenWrt Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets)
* Lastly, that the user:
** can navigate the default OpenWrt LuCI web-based graphical user interface locally; and that they are using a device capable of having the packages installed
** is familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or
** familiar with entering OpenWrt UCI (Unified Configuration Interface) commands by serial console or SSH.'''

== Setup and configuration of OpenWrt ==

'''Install:'''

* [https://openwrt.org/packages/pkgdata/kmod-ipip kmod-ipip]
* [https://openwrt.org/packages/pkgdata/ip-full ip-full]
* [https://openwrt.org/packages/pkgdata/libstdcpp libstdcpp]

'''Paste:'''

* '''[[ampr-ripd]]''' to '''/etc/config/''' (always run [[RIP| RIP44]] software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* ''optional'' - dynamic firewall script to /etc/config/load_ipipfilter.sh (see the [[Firewalls#ipset|ipset]] section of the firewall wiki)
* the following to /etc/rc.local or on web GUI at'''System > Startup > Local Startup:'''

ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
ip link set tunl0 mtu 1480 up
'''# This directory is not persistent on OpenWrt, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running '''touch /etc/config/encap.txt''' once can create it
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
'''# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &'''
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

''AMPRNet Policy Routes''

# add IP Route to /etc/config/network

config route
option interface 'amprwan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway ''''<AMPRGW>''''
option onlink '1'
option table '44'

''AMPRNet Policy Rules''

# add IP Rules to /etc/config/network

#OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
config rule
option src '44.xxx.xxx.0/24'
option dest '192.168.xxx.0/24'
option priority '22'
option lookup 'main'

#ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
config rule
option dest '44.xxx.xxx.0/24'
option priority '44'
option lookup 'main'

### This ensures all traffic received on tunl0 uses table 44
config rule
option in 'amprwan'
option dest '0.0.0.0/0'
option priority '45'
option lookup '44'

###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
config rule
option in 'amprnet'
option dest '0.0.0.0/0'
option priority '46'
option lookup '44'

### You must add an IP rule for all 44net IPs residing on the device
config rule
option src '44.xxx.xxx.0/24
option priority '47'
option lookup '44'

* '''reboot'''

== Enumerating tunnel/VLAN (AMPRWAN/AMPRLAN) Interfaces and firewall zones ==

''REMINDER: In OpenWrt 14.07 or lower - be sure to enable connection tracking if you will not masquerade.''

'''Interfaces'''

* Create an unmanaged Interface instance for tunl0 ('''AMPRWAN''') - '''set to not bring up on boot''', adding it to a new own firewall zone '''amprwan''' using
**Input: Drop (or Reject)
**Output: Drop (or Reject)
**Forward: Drop (or Reject)
* Create an interface instance for a new VLAN and bridge (AMPRNET). '''Assign an IP from your allocation to this interface - this will become the the Default Route/Gateway IP used on other 44 clients in your VLAN''' - add it to its own new firewall zone using
** Input: Accept (if you wish for you AMPRLAN devices to reach the router)
** Output: Accept; and
** Forward: Drop (or Reject, depending if you have other downstream routers in this VLAN)
* '''reboot'''

'''General Firewalling'''

* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* ''For IPENCAP in'' - create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router ''(or configure optional dynamic script above, see [[Firewalls#OpenWrt|Firewalls - OpenWrt]])''
** specify WAN IP instead of ''Any'' - if statically assigned by ISP
* ''For [[RIP| RIP44]] packets in'' - create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
* Create Traffic Forward rules for any inbound services (as desired)
* assign the new VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''

'''Lastly'''

* test ampr-ripd in console using the '''-d''' argument
* add password to the '''Local Startup''' entry and uncomment ampr-ripd line
* '''reboot'''

== See Also ==

* [[ampr-ripd]]
* [[Firewalls#OpenWrt|Firewalls - OpenWrt]]
* [[RIP44.lua]]
* https://openwrt.org/docs/guide-user/network/start

Ampr-ripd

2019-01-11T16:30:13Z

Kb3vwg: cleanup- moved notes from other pages regarding ampr-ripd to here

ampr-ripd is a GNU/Linux C daemon writen by Y02LOJ that listens for AMPRNet [[gateway]] announcements and can update routing tables based on the information it receives.

ampr-ripd source code and instructions can be found [http://www.yo2loj.ro/hamprojects/ here].

* [[ampr-ripd]] has been compiled for the AppliedMicro APM82181 and Atheros 71xx router CPUs
* Considering embedded devices such as [[Setting up a gateway on OpenWRT|OpenWrt]], the routing table is relatively small - so the performance or memory consumption of this daemon isn't very critical
* new [[Gateway]] operators should compile the source code if the do not have access to an executable copy of this software

Ampr-ripd

2019-01-11T16:07:30Z

Kb3vwg:

ampr-ripd is a GNU/Linux C daemon writen by Y02LOJ that listens for AMPRNet [[gateway]] announcements and can update routing tables based on the information it receives.

ampr-ripd source code and instructions can be found [http://www.yo2loj.ro/hamprojects/ here].

* [[ampr-ripd]] has been compiled for the AppliedMicro APM82181 and Atheros 71xx router CPUs
* new [[Gateway]] operators should compile the source code if the do not have access to an executable copy of this software

Archive/Main Page

2019-01-11T16:04:44Z

Kb3vwg: /* How to connect to AMPRNet */ added firewall link to main page

Welcome to the AMPRNet Wiki.

Since its allocation to Amateur Radio in the mid-1980's, Internet network 44 (44.0.0.0/8), known as the AMPRNet™, has been used by amateur radio operators to conduct scientific research and to experiment with digital communications over radio with a goal of advancing the state of the art of Amateur Radio networking, and to educate amateur radio operators in these techniques. - [http://www.ampr.org/ www.ampr.org]

__NOTOC__
== Starting points ==
* [[Quickstart]] guide for getting onto the [[AMPRNet]]
* Basic information about the [[AMPRNet]] and the [[ampr.org]] domain
* [[Services]] available on AMPRNet
* If you are looking to get an IP allocation within the 44/8 AMPRNet please read the [[Portal]] page.
* Frequently Asked Questions (FAQ) [[FAQ]]

== How to connect to AMPRNet ==

* Instructions for [[Setting up a gateway on Linux|setting up a Linux gateway]]
* Instructions for [[Setting up a gateway on OpenBSD|setting up an OpenBSD gateway]]
* Instructions for [[setting up a gateway on Cisco Routers|setting up a gateway on Cisco Routers]].
* Instructions for [[setting up a gateway on MikroTik Routers|setting up a gateway on MikroTik Routers]].
* Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].
* Instructions for [[setting up a gateway on Ubiquiti EdgeRouter|setting up a gateway on Ubiquiti EdgeRouter]].
* Instructions for [[setting up a gateway on a VyOS instance|setting up a gateway on a VyOS instance]].
* Instructions for [[announcing your allocation directly|directly announcing your allocation via your Internet Service Provider (ISP)]].
* Instructions for [[AMPRNet VPN|Accessing AMPRNet via VPN]] (experimental).
* [[Why can't I just route my AMPRNet allocation directly myself ?]]
* If you already operate a [[gateway]] please ensure you have registered on the [[portal]] and "claimed" your [[gateway]].
* After your gateway is operational, consider '''[[Firewalls]]''' and other best practices

== Mailing List ==
To keep up-to-date on AMPRNet information please consider joining the [[44Net mailing list]].

== Contribute! ==
If you wish to contribute to the wiki, please send an email to <tt>wiki (at) ampr.org</tt> introducing yourself. Please specify your full name, amateur radio callsign and your preferred username. A login will then be created for you.

== Terms of Service ==
Use of 44.0.0.0/8 address space is governed by these [http://www.ampr.org/terms-of-service/ Terms of Service]

== All Pages ==
[http://wiki.ampr.org/wiki/Special:AllPages Here's a list of all pages currently on the AMPRNet Wiki]

Firewalls

2019-01-11T15:51:50Z

Kb3vwg: /* OpenWrt */ moved OpenWrt rules here

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

'''General Bogon rules''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
# Block of Test AMPRNet Subnet
# iptables -t raw -I PREROUTING -s 44.128.0.0/16 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''NOTE:''

* ''This script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to overheard running on many devices, the ipset script is suggested instead.''
* This rule (or one of the ipset or static rules below) is required for other AMPR nodes to initiate inbound traffic to your node.

''REQUIRED:''
[[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

''Note:''
* This rule (the dynamic rule above, or the ipset rules) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

''To enable receipt of [[RIP]]44''

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

''Masquerade LAN Subnets to AMPRNet''

* In this instance, eth1 is your 192.168.1.0/24 LAN - (thanks to Brian, N1URO)
''See: https://n1uro.ampr.org/linuxconf/44nat.html''

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''REQUIRED:'' [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

== Microtik ==

== OpenWrt ==

''See: [[Firewalls#iptables|iptables]] and [[Firewalls#ipset|ipset]] (above), and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].''

* [[Firewalls#iptables|iptables]]-based rules are entered at '''Network > Firewall > Custom Firewall''' on the LuCI web GUI interface
* [[Firewalls#ipset|ipset]]-based rules are entered on the command line - into the Unified Configuration Interface (UCI) file ''/etc/config/firewall''

''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using [[Firewalls#ipset|ipset]])''

# in /etc/config/firewall
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

Firewalls

2019-01-11T15:35:38Z

Kb3vwg: /* ipset */ cleanup

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

'''General Bogon rules''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
# Block of Test AMPRNet Subnet
# iptables -t raw -I PREROUTING -s 44.128.0.0/16 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''NOTE:''

* ''This script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to overheard running on many devices, the ipset script is suggested instead.''
* This rule (or one of the ipset or static rules below) is required for other AMPR nodes to initiate inbound traffic to your node.

''REQUIRED:''
[[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

''Note:''
* This rule (the dynamic rule above, or the ipset rules) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

''To enable receipt of [[RIP]]44''

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

''Masquerade LAN Subnets to AMPRNet''

* In this instance, eth1 is your 192.168.1.0/24 LAN - (thanks to Brian, N1URO)
''See: https://n1uro.ampr.org/linuxconf/44nat.html''

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''REQUIRED:'' [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

== Microtik ==

== OpenWRT ==

See: iptables and ipset (above), and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Firewalls

2019-01-11T15:32:01Z

Kb3vwg: /* iptables */ cleanup

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

'''General Bogon rules''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
# Block of Test AMPRNet Subnet
# iptables -t raw -I PREROUTING -s 44.128.0.0/16 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

''NOTE:''

* ''This script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to overheard running on many devices, the ipset script is suggested instead.''
* This rule (or one of the ipset or static rules below) is required for other AMPR nodes to initiate inbound traffic to your node.

''REQUIRED:''
[[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

''Note:''
* This rule (the dynamic rule above, or the ipset rules) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

''To enable receipt of [[RIP]]44''

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

''Masquerade LAN Subnets to AMPRNet''

* In this instance, eth1 is your 192.168.1.0/24 LAN - (thanks to Brian, N1URO)
''See: https://n1uro.ampr.org/linuxconf/44nat.html''

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

'''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

'''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

== Microtik ==

== OpenWRT ==

See: iptables and ipset (above), and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Firewalls

2019-01-11T15:14:33Z

Kb3vwg: /* OpenWRT */

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables) NOTE: this script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to overheard running on many devices, the ipset script is suggested instead.'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of [[RIP]]44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

'''Masquerade LAN Subnets to AMPRNet'''

In this instance, eth1 is your 192.168.1.0/24 LAN
(thanks to Brian, N1URO)

see: https://n1uro.ampr.org/linuxconf/44nat.html

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

'''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

'''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

== Microtik ==

== OpenWRT ==

See: iptables and ipset (above), and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Firewalls

2019-01-11T13:39:03Z

Kb3vwg: /* ipset */ directly use AMPGW IP in script

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables) NOTE: this script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to overheard running on many devices, the ipset script is suggested instead.'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of [[RIP]]44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

'''Masquerade LAN Subnets to AMPRNet'''

In this instance, eth1 is your 192.168.1.0/24 LAN
(thanks to Brian, N1URO)

see: https://n1uro.ampr.org/linuxconf/44nat.html

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

'''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

'''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

== Microtik ==

== OpenWRT ==

See: iptables (above) and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Firewalls

2019-01-11T01:49:14Z

Kb3vwg: add notes about ipset script and edit some requirement sections

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables) NOTE: this script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the [[44Net mailing list]] archive. Due to overheard running on many devices, the ipset script is suggested instead.'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of [[RIP]]44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

'''Masquerade LAN Subnets to AMPRNet'''

In this instance, eth1 is your 192.168.1.0/24 LAN
(thanks to Brian, N1URO)

see: https://n1uro.ampr.org/linuxconf/44nat.html

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments) and the ipset package.'''

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="<AMPRGW>"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

'''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

'''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

== Microtik ==

== OpenWRT ==

See: iptables (above) and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Setting up a gateway on OpenWRT

2019-01-11T01:37:38Z

Kb3vwg: removed diffutils prequsite - unneeded

[[ampr-ripd]] has been compiled for the AppliedMicro APM82181 and Atheros 71xx router CPUs

'''NOTE: To operate a [[Gateway]] on [[AMPRNet]], you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol, named [[RIP]]44 is used. [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] is not the same as [[RIP]]44.''' [[rip44d]] is written in the Perl programming language by Heikki Hannikainen, OH7LZB. [[ampr-ripd]] is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. [[ampr-ripd]] is used in this instance, so no other prerequisite software is required to run the [[RIP]]44 daemon.

* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWRT device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''

There is also an experimental LUA daemon at [[RIP44.lua]] which should run with standard packages.

== '''See''' ==

* [https://openwrt.org/docs/guide-developer/crosscompile Cross Compile - OpenWRT]
* [https://openwrt.org/docs/start OpenWRT Manual]

== Summary ==

'''NOTE: These instructions assume first that you have been assigned AMPRNet IP address allocations that are properly assigned and configured to your account in the [[Portal]]. Next, that you intend to configure your OpenWRT-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN. These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] sernario; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire). Since the OpenWRT Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets). Lastly, it assumes that the user can navigate the default OpenWRT LuCI web-based graphical user interface locally (and that they are using a device capable of having the package installed), are familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or familiar with entering OpenWRT UCI (Unified Configuration Interface) commands by serial console or SSH.'''

Install:

* kmod-ipip
* ip-full
* libstdcpp
* [[ampr-ripd]] to '''/etc/config/''' (always run [[RIP]]44 software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* (optional) dynamic firewall script to /etc/config/load_ipipfilter.sh (see the iptables section of the [[Firewalls]] wiki)
* the following to '''System > Startup > Local Startup:'''

ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
ip link set tunl0 mtu 1480 up
'''# This directory is not persistent on OpenWRT, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running '''touch /etc/config/encap.txt''' once can create it
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
'''# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &'''
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

'''UPDATE 2018 (routes and rules have been added to the UCI):'''

# add IP Route to /etc/config/network

config route
option interface 'amprwan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway ''''<AMPRGW>''''
option onlink '1'
option table '44'

# add IP Rules to /etc/config/network

#OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
config rule
option src '44.xxx.xxx.0/24'
option dest '192.168.xxx.0/24'
option priority '22'
option lookup 'main'

#ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
config rule
option dest '44.xxx.xxx.0/24'
option priority '44'
option lookup 'main'

### This ensures all traffic received on tunl0 uses table 44
config rule
option in 'amprwan'
option dest '0.0.0.0/0'
option priority '45'
option lookup '44'

###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
config rule
option in 'amprnet'
option dest '0.0.0.0/0'
option priority '46'
option lookup '44'

### You must add an IP rule for all 44net IPs residing on the device
config rule
option src '44.xxx.xxx.0/24
option priority '47'
option lookup '44'

* '''reboot'''
* create an unmanaged Interface instance for tunl0 ('''AMPRWAN''') '''(set to not bring up on boot)''', adding it to its own firewall zone '''amprwan''' using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). '''(OpenWRT 14.07 or lower - Be sure to enable connection tracking if you will not masquerade)'''
* an interface instance for a new VLAN and bridge (the example above uses AMPRNET), add it to its own firewall zone using Input: Accept (if you wish for you AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). '''Assign an IP from your allocation to this interface, you will configure this IP on your devices as the Default Route/Gateway address.'''
* '''reboot'''
* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* Create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router (or specify WAN IP if statically assigned)
* Create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
* Create Traffic Forward rules for any inbound services (as desired)
* the VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''
* test ampr-ripd in console using the '''-d''' argument
* add password to the '''Local Startup''' entry and uncomment ampr-ripd line
* '''reboot'''

Firewalls

2019-01-11T01:33:01Z

Kb3vwg: edit to ipset section

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of [[RIP]]44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

'''Masquerade LAN Subnets to AMPRNet'''

In this instance, eth1 is your 192.168.1.0/24 LAN
(thanks to Brian, N1URO)

see: https://n1uro.ampr.org/linuxconf/44nat.html

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

On OpenWrt, install ipset.

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="<AMPRGW>"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done

'''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

'''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

== Microtik ==

== OpenWRT ==

See: iptables (above) and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Firewalls

2019-01-10T18:18:46Z

Kb3vwg: removed "if [ $? -eq 0 ]" from ipset-based dynamic filter

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of [[RIP]]44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

'''Masquerade LAN Subnets to AMPRNet'''

In this instance, eth1 is your 192.168.1.0/24 LAN
(thanks to Brian, N1URO)

see: https://n1uro.ampr.org/linuxconf/44nat.html

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

On OpenWrt, install diffutils and ipset.

#!/bin/sh
# load encap.txt into ipipfilter list

#on the incoming interface:
# iptables -t filter -I INPUT -p 4 -i eth0.2 -m set --set ipipfilter src -j ACCEPT

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

if ipset -N ipipfilter hash:ip 2>/dev/null
then
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW

while read ip
do
ipset -A ipipfilter $ip
done <$gwfile

else
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW

while read ip
do
ipset -A ipipfilter $ip
done <$gwfile

fi

rm -f $gwfile

'''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

'''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

== Microtik ==

== OpenWRT ==

See: iptables (above) and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

RIP

2018-10-02T19:34:05Z

Kb3vwg: added detailed differences and explanations of the protocol from Marius, YO2LOJ

Information about other AMPRNet [[gateway| gateways]] can now be received dynamically via modified [http://en.wikipedia.org/wiki/Routing_Information_Protocol RIPv2] advertisements. Previously, routes were obtained by creating a [[munge script]] that parsed [[Encap.txt]].

= What's the difference? =

There is a big difference in how the packets are processed.

The regular RIPv2 sets a route to a specific subnet via the sender and
interface where the RIP broadcast was received on. The gateway
information is used only as an optimization element, in case a route
with to that gateway already exists so that the one with the lower
metric gets chosen.

In our case, we use the RIP announcements to transport the subnet AND
gateway information.

= Detailed description =

So, assuming a point to multipoint interface, if there is let's say an
announcement 44.128.0.0/24 via 1.2.3.4 coming from 44.0.0.1 on the ipip0
interface, regular RIPv2 would translate this to:

44.128.0.0/24 via 44.0.0.1 if ipip0

while ampr rip would translate this to:

44.128.0.0/24 via 1.2.3.4 if ipip0

In the first case, traffic to 44.128.0.0/24 is sent directly to the
gateway (the RIP sender), while in the second case it is encapsulated to
1.2.3.4.

On a mikrotik router it even goes a step further:
it creates a ipip tunnel interface, ampr-1.2.3.4 to 1.2.3.4 and creates
a route

44.128.0.0/24 via ampr-1.2.3.4

This is the processing in the usual case, for 44 subnets having a 44net
gateway we assume that the gateway is published by BGP and is directly
reachable, so for a announcement like 44.128.0.0/24 via 44.128.0.1 there
are 2 route set:

44.128.0.1 via default-gw (which is autodetected), and
44.128.0.0/24 via 44.128.0.1 if ipip0 to do the encapsulation

So, while the information structure in both cases conforms to the RIPv2
specifications, its usage is completely different.

= RIP44 Daemons =

Two programs are available for GNU/Linux to utilize these updates:

* [[ampr-ripd]], a C based routing daemon
* [[rip44d]], a PERL based routing daemon

= Availability/Compatibility =

The RIP44 daemons have been tested and known to work on the following operating systems:

* BSD
* OpenWRT/LEDE
* Raspbian
* Slackware Linux
* Ubuntu/Debian Linux
* Vyatta/VyOS

= Non-RIP44 Workarounds =

The devices below do not possess a known, end-user method to install additional software (i.e. ampr-ripd). Operators have developed scripts to parse inbound routing packets to make them compatible for usage on AMPRNet:

* Cisco IOS (a separate machine must run the script) : look here http://wiki.ampr.org/wiki/Setting_up_a_gateway_on_Cisco_Routers at the "Making the route commands automatically" section
* JunOS
* MikroTik : look here http://www.yo2loj.ro/hamprojects/ at the "Mikrotik RIPv2 AMPR Gateway Setup Script 3.0"
* Ubiquiti OS

= See Also =

* [[startampr]] - a script that loads the routing daemon on boot on Linux server-type devices
* Instructions for [[setting up a gateway on Linux|setting up a tunnel gateway on Linux]]
* Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]]

Firewalls

2018-09-22T00:55:45Z

Kb3vwg: moved comment in ipset meant for iptables, as ipset is fully flushed in the script

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of [[RIP]]44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

'''Masquerade LAN Subnets to AMPRNet'''

In this instance, eth1 is your 192.168.1.0/24 LAN
(thanks to Brian, N1URO)

see: https://n1uro.ampr.org/linuxconf/44nat.html

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

On OpenWrt, install diffutils and ipset.

#!/bin/sh
# load encap.txt into ipipfilter list

#on the incoming interface:
# iptables -t filter -I INPUT -p 4 -i eth0.2 -m set --set ipipfilter src -j ACCEPT

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

ipset -N ipipfilter hash:ip 2>/dev/null
if [ $? -eq 0 ]
then
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW

while read ip
do
ipset -A ipipfilter $ip
done <$gwfile

else
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW

while read ip
do
ipset -A ipipfilter $ip
done <$gwfile

fi

rm -f $gwfile

'''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

'''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

== Microtik ==

== OpenWRT ==

See: iptables (above) and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Firewalls

2018-09-22T00:51:35Z

Kb3vwg: /* ipset */ add sample OpenWrt rules

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of [[RIP]]44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

'''Masquerade LAN Subnets to AMPRNet'''

In this instance, eth1 is your 192.168.1.0/24 LAN
(thanks to Brian, N1URO)

see: https://n1uro.ampr.org/linuxconf/44nat.html

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

On OpenWrt, install diffutils and ipset.

#!/bin/sh
# load encap.txt into ipipfilter list

#on the incoming interface:
# iptables -t filter -I INPUT -p 4 -i eth0.2 -m set --set ipipfilter src -j ACCEPT

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

ipset -N ipipfilter hash:ip 2>/dev/null
if [ $? -eq 0 ]
then
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW

while read ip
do
ipset -A ipipfilter $ip
done <$gwfile

else
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW

while read ip
do
ipset -A ipipfilter $ip
done <$gwfile

fi

rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

'''Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto '4'
option name 'Allow-AMPR_IPENCAP'
option extra '-m set --match-set ipipfilter src'

'''Adding ICMP Filtering of AMPR Nodes to OpenWrt (using ipset)'''

config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option extra '-m set --match-set ipipfilter src'
option name 'Ping_fromIPENCAPS'

== Microtik ==

== OpenWRT ==

See: iptables (above) and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Firewalls

2018-09-22T00:38:29Z

Kb3vwg: add ipset script

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of [[RIP]]44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

'''Masquerade LAN Subnets to AMPRNet'''

In this instance, eth1 is your 192.168.1.0/24 LAN
(thanks to Brian, N1URO)

see: https://n1uro.ampr.org/linuxconf/44nat.html

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== ipset ==

'''Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)'''

On OpenWrt, install diffutils and ipset.

#!/bin/sh
# load encap.txt into ipipfilter list

#on the incoming interface:
# iptables -t filter -I INPUT -p 4 -i eth0.2 -m set --set ipipfilter src -j ACCEPT

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="'''<AMPRGW>'''"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

ipset -N ipipfilter hash:ip 2>/dev/null
if [ $? -eq 0 ]
then
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW

while read ip
do
ipset -A ipipfilter $ip
done <$gwfile

else
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW

while read ip
do
ipset -A ipipfilter $ip
done <$gwfile

fi

rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd. It will load the entire filter the first time, and later it will only update
# the filters that have changed. It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

== Microtik ==

== OpenWRT ==

See: iptables (above) and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Setting up a gateway on OpenWRT

2018-05-03T02:11:33Z

Kb3vwg: /* Summary */ added inherit tos tags on packets leaving tunnel

[[ampr-ripd]] has been compiled for the AppliedMicro APM82181 and Atheros 71xx router CPUs

'''NOTE: To operate a [[Gateway]] on [[AMPRNet]], you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol, named [[RIP]]44 is used. [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] is not the same as [[RIP]]44.''' [[rip44d]] is written in the Perl programming language by Heikki Hannikainen, OH7LZB. [[ampr-ripd]] is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. [[ampr-ripd]] is used in this instance, so no other prerequisite software is required to run the [[RIP]]44 daemon.

* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWRT device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''

== '''See''' ==

* [https://openwrt.org/docs/guide-developer/crosscompile Cross Compile - OpenWRT]
* [https://openwrt.org/docs/start OpenWRT Manual]

== Summary ==

'''NOTE: These instructions assume first that you have been assigned AMPRNet IP address allocations that are properly assigned and configured to your account in the [[Portal]]. Next, that you intend to configure your OpenWRT-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN. These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] sernario; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire). Since the OpenWRT Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets). Lastly, it assumes that the user can navigate the default OpenWRT LuCI web-based graphical user interface locally (and that they are using a device capable of having the package installed), are familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or familiar with entering OpenWRT UCI (Unified Configuration Interface) commands by serial console or SSH.'''

Install:

* kmod-ipip
* ip-full
* libstdcpp
* [[ampr-ripd]] to '''/etc/config/''' (always run [[RIP]]44 software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* diffutils (optional for dynamic IP filtering)
* (optional) dynamic firewall script to /etc/config/load_ipipfilter.sh (see the iptables section of the [[Firewalls]] wiki)
* the following to '''System > Startup > Local Startup:'''

ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
ip link set tunl0 mtu 1480 up
'''# This directory is not persistent on OpenWRT, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running '''touch /etc/config/encap.txt''' once can create it
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
'''# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &'''
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

'''UPDATE 2018 (routes and rules have been added to the UCI):'''

# add IP Route to /etc/config/network

config route
option interface 'amprwan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway ''''<AMPRGW>''''
option onlink '1'
option table '44'

# add IP Rules to /etc/config/network

#OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
config rule
option src '44.xxx.xxx.0/24'
option dest '192.168.xxx.0/24'
option priority '22'
option lookup 'main'

#ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
config rule
option dest '44.xxx.xxx.0/24'
option priority '44'
option lookup 'main'

### This ensures all traffic received on tunl0 uses table 44
config rule
option in 'amprwan'
option dest '0.0.0.0/0'
option priority '45'
option lookup '44'

###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
config rule
option in 'amprnet'
option dest '0.0.0.0/0'
option priority '46'
option lookup '44'

### You must add an IP rule for all 44net IPs residing on the device
config rule
option src '44.xxx.xxx.0/24
option priority '47'
option lookup '44'

* '''reboot'''
* create an unmanaged Interface instance for tunl0 ('''AMPRWAN''') '''(set to not bring up on boot)''', adding it to its own firewall zone '''amprwan''' using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). '''(OpenWRT 14.07 or lower - Be sure to enable connection tracking if you will not masquerade)'''
* an interface instance for a new VLAN and bridge (the example above uses AMPRNET), add it to its own firewall zone using Input: Accept (if you wish for you AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). '''Assign an IP from your allocation to this interface, you will configure this IP on your devices as the Default Route/Gateway address.'''
* '''reboot'''
* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* Create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router (or specify WAN IP if statically assigned)
* Create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
* Create Traffic Forward rules for any inbound services (as desired)
* the VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''
* test ampr-ripd in console using the '''-d''' argument
* add password to the '''Local Startup''' entry and uncomment ampr-ripd line
* '''reboot'''

Setting up a gateway on OpenWRT

2018-05-01T21:18:04Z

Kb3vwg: /* See */ updated OpenWRT crosscompile link

[[ampr-ripd]] has been compiled for the AppliedMicro APM82181 and Atheros 71xx router CPUs

'''NOTE: To operate a [[Gateway]] on [[AMPRNet]], you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol, named [[RIP]]44 is used. [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] is not the same as [[RIP]]44.''' [[rip44d]] is written in the Perl programming language by Heikki Hannikainen, OH7LZB. [[ampr-ripd]] is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. [[ampr-ripd]] is used in this instance, so no other prerequisite software is required to run the [[RIP]]44 daemon.

* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWRT device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''

== '''See''' ==

* [https://openwrt.org/docs/guide-developer/crosscompile Cross Compile - OpenWRT]
* [https://openwrt.org/docs/start OpenWRT Manual]

== Summary ==

'''NOTE: These instructions assume first that you have been assigned AMPRNet IP address allocations that are properly assigned and configured to your account in the [[Portal]]. Next, that you intend to configure your OpenWRT-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN. These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] sernario; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire). Since the OpenWRT Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets). Lastly, it assumes that the user can navigate the default OpenWRT LuCI web-based graphical user interface locally (and that they are using a device capable of having the package installed), are familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or familiar with entering OpenWRT UCI (Unified Configuration Interface) commands by serial console or SSH.'''

Install:

* kmod-ipip
* ip-full
* libstdcpp
* [[ampr-ripd]] to '''/etc/config/''' (always run [[RIP]]44 software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* diffutils (optional for dynamic IP filtering)
* (optional) dynamic firewall script to /etc/config/load_ipipfilter.sh (see the iptables section of the [[Firewalls]] wiki)
* the following to '''System > Startup > Local Startup:'''

ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
ip link set tunl0 mtu 1480 up
'''# This directory is not persistent on OpenWRT, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running '''touch /etc/config/encap.txt''' once can create it
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
'''# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &'''
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

'''UPDATE 2018 (routes and rules have been added to the UCI):'''

# add IP Route to /etc/config/network

config route
option interface 'amprwan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway ''''<AMPRGW>''''
option onlink '1'
option table '44'

# add IP Rules to /etc/config/network

#OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
config rule
option src '44.xxx.xxx.0/24'
option dest '192.168.xxx.0/24'
option priority '22'
option lookup 'main'

#ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
config rule
option dest '44.xxx.xxx.0/24'
option priority '44'
option lookup 'main'

### This ensures all traffic received on tunl0 uses table 44
config rule
option in 'amprwan'
option dest '0.0.0.0/0'
option priority '45'
option lookup '44'

###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
config rule
option in 'amprnet'
option dest '0.0.0.0/0'
option priority '46'
option lookup '44'

### You must add an IP rule for all 44net IPs residing on the device
config rule
option src '44.xxx.xxx.0/24
option priority '47'
option lookup '44'

* '''reboot'''
* create an unmanaged Interface instance for tunl0 ('''AMPRWAN''') '''(set to not bring up on boot)''', adding it to its own firewall zone '''amprwan''' using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). '''(OpenWRT 14.07 or lower - Be sure to enable connection tracking if you will not masquerade)'''
* an interface instance for a new VLAN and bridge (the example above uses AMPRNET), add it to its own firewall zone using Input: Accept (if you wish for you AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). '''Assign an IP from your allocation to this interface, you will configure this IP on your devices as the Default Route/Gateway address.'''
* '''reboot'''
* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* Create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router (or specify WAN IP if statically assigned)
* Create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
* Create Traffic Forward rules for any inbound services (as desired)
* the VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''
* test ampr-ripd in console using the '''-d''' argument
* add password to the '''Local Startup''' entry and uncomment ampr-ripd line
* '''reboot'''

Setting up a gateway on OpenWRT

2018-05-01T15:35:25Z

Kb3vwg: Updated link to OpenWRT manual. Moved IP rules and IP routes to the OpenWRT Unified Configuration Interface (UCI) system. Also changed Virtual Routing and Forwarding terminology to policy-based routing to be more accurate.

[[ampr-ripd]] has been compiled for the AppliedMicro APM82181 and Atheros 71xx router CPUs

'''NOTE: To operate a [[Gateway]] on [[AMPRNet]], you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol, named [[RIP]]44 is used. [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] is not the same as [[RIP]]44.''' [[rip44d]] is written in the Perl programming language by Heikki Hannikainen, OH7LZB. [[ampr-ripd]] is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. [[ampr-ripd]] is used in this instance, so no other prerequisite software is required to run the [[RIP]]44 daemon.

* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWRT device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''

== '''See''' ==

* [http://wiki.openwrt.org/doc/devel/crosscompile Cross Compile - OpenWRT]
* [https://openwrt.org/docs/start OpenWRT Manual]

== Summary ==

'''NOTE: These instructions assume first that you have been assigned AMPRNet IP address allocations that are properly assigned and configured to your account in the [[Portal]]. Next, that you intend to configure your OpenWRT-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN. These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] sernario; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire). Since the OpenWRT Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets). Lastly, it assumes that the user can navigate the default OpenWRT LuCI web-based graphical user interface locally (and that they are using a device capable of having the package installed), are familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or familiar with entering OpenWRT UCI (Unified Configuration Interface) commands by serial console or SSH.'''

Install:

* kmod-ipip
* ip-full
* libstdcpp
* [[ampr-ripd]] to '''/etc/config/''' (always run [[RIP]]44 software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* diffutils (optional for dynamic IP filtering)
* (optional) dynamic firewall script to /etc/config/load_ipipfilter.sh (see the iptables section of the [[Firewalls]] wiki)
* the following to '''System > Startup > Local Startup:'''

ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
ip link set tunl0 mtu 1480 up
'''# This directory is not persistent on OpenWRT, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running '''touch /etc/config/encap.txt''' once can create it
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
'''# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &'''
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

'''UPDATE 2018 (routes and rules have been added to the UCI):'''

# add IP Route to /etc/config/network

config route
option interface 'amprwan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway ''''<AMPRGW>''''
option onlink '1'
option table '44'

# add IP Rules to /etc/config/network

#OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
config rule
option src '44.xxx.xxx.0/24'
option dest '192.168.xxx.0/24'
option priority '22'
option lookup 'main'

#ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
config rule
option dest '44.xxx.xxx.0/24'
option priority '44'
option lookup 'main'

### This ensures all traffic received on tunl0 uses table 44
config rule
option in 'amprwan'
option dest '0.0.0.0/0'
option priority '45'
option lookup '44'

###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
config rule
option in 'amprnet'
option dest '0.0.0.0/0'
option priority '46'
option lookup '44'

### You must add an IP rule for all 44net IPs residing on the device
config rule
option src '44.xxx.xxx.0/24
option priority '47'
option lookup '44'

* '''reboot'''
* create an unmanaged Interface instance for tunl0 ('''AMPRWAN''') '''(set to not bring up on boot)''', adding it to its own firewall zone '''amprwan''' using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). '''(OpenWRT 14.07 or lower - Be sure to enable connection tracking if you will not masquerade)'''
* an interface instance for a new VLAN and bridge (the example above uses AMPRNET), add it to its own firewall zone using Input: Accept (if you wish for you AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). '''Assign an IP from your allocation to this interface, you will configure this IP on your devices as the Default Route/Gateway address.'''
* '''reboot'''
* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* Create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router (or specify WAN IP if statically assigned)
* Create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
* Create Traffic Forward rules for any inbound services (as desired)
* the VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''
* test ampr-ripd in console using the '''-d''' argument
* add password to the '''Local Startup''' entry and uncomment ampr-ripd line
* '''reboot'''

Setting up a gateway on OpenWRT

2018-01-31T00:58:43Z

Kb3vwg: /* Summary */

[[ampr-ripd]] has been compiled for Atheros 71xx

'''NOTE: To operate a [[Gateway]] on [[AMPRNet]], you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol, named [[RIP]]44 is used. [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] is not the same as [[RIP]]44.''' [[rip44d]] is written in the Perl programming language by Heikki Hannikainen, OH7LZB. [[ampr-ripd]] is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. [[ampr-ripd]] is used in this instance, so no other prerequisite software is required to run the [[RIP]]44 daemon.

* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWRT device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''

== '''See''' ==

* [http://wiki.openwrt.org/doc/devel/crosscompile Cross Compile - OpenWRT]
* [http://wiki.openwrt.org/start OpenWRT Manual]

== Summary ==

'''NOTE: These instructions assume first that you have been assigned AMPRNet IP address allocations that are properly assigned and configured to your account in the [[Portal]]. Next, that you intend to configure your OpenWRT-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN. These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Virtual_routing_and_forwarding virtual routing and forwarding] instance; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire). Since the OpenWRT Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets). Lastly, it assumes that the user can navigate the default OpenWRT LuCI web-based graphical user interface locally (and that they are using a device capable of having the package installed), are familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or familiar with entering OpenWRT UCI (Unified Configuration Interface) commands by serial console or SSH.'''

Install:

* kmod-ipip
* ip-full
* libstdcpp
* [[ampr-ripd]] to '''/etc/config/''' (always run [[RIP]]44 software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* diffutils (optional for dynamic IP filtering)
* (optional) dynamic firewall script to /etc/config/load_ipipfilter.sh (see the iptables section of the [[Firewalls]] wiki)
* the following to '''System > Startup > Local Startup:'''

ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
ip link set tunl0 mtu 1480 up
ip route add default dev tunl0 via '''<AMPRGW>''' onlink proto 44 table 44
'''# This directory is not persistent on OpenWRT, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
'''# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &'''
#OPTIONAL LAN ### ip rule add from '''<44.xxx.xxx.xxx/xx>''' to '''<192.168.xxx.xxx/16>''' table main priority 22
#ADD A RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
ip rule add to '''<44.xxx.xxx.xxx/xx>''' table main priority 44
###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
ip rule add dev br-amprlan table 44 priority 45
### This ensures all traffic received on tunl0 uses table 44
ip rule add dev tunl0 table 44 priority 46
### You must add an IP rule for all 44net IPs residing on the device
ip rule add from '''<44.xxx.xxx.xxx/xx>''' table 44 priority 47
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

* '''reboot'''
* an unmanaged interface instance for tunl0 (AMPRWAN) '''(set to not bring up on boot)''', adding it to its own firewall zone using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). '''Be sure to enable connection tracking if you will not masquerade'''
* an interface instance for a new VLAN and bridge (AMPRLAN), add it to its own firewall zone using Input: Accept (if you wish for you AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). '''Assign an IP from your allocation to this interface, you will configure this IP on your devices as the Default Route/Gateway address.'''
* '''reboot'''
* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* Create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router (or specify WAN IP if statically assigned)
* Create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
* Create Traffic Forward rules for any inbound services (as desired)
* the VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''
* test ampr-ripd in console using the '''-d''' argument
* add password to the '''Local Startup''' entry and uncomment ampr-ripd line
* '''reboot'''

Services

2017-10-10T21:34:40Z

Kb3vwg: change country of NTP servers

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE
|-
| AMPR ||[[44Net mailing list]] || http://hamradio.ucsd.edu/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts maintain a copy of AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)
 ampr.org 
ns2.threshinc.com 
munnari.OZ.AU 
a.coreservers.uk 
ampr-dns.in-berlin.de 
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:) 
gw.ct.ampr.org (44.88.0.1) 
dns-mdc.ampr.org (44.60.44.3) 
n1uro.ampr.org (44.88.0.9)
|| DNS || name resolution services|| zone files can be downloaded from ftp://gw.ampr.org/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || gw.ampr.org (Stratum 1, US) ntp.vk2hff.ampr.org (Stratum 1, AU) ntp.g1fef.ampr.org (Stratum 1, UK) kb3vwg-001.ampr.org (Stratum 2, US) gw-44-137.pi9noz.ampr.org (Stratum 2) yo2tm.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) ntp1.on3rvh.ampr.org || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/index.php/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| OH1KK || KiwiSDR Kaustinen || http://44.139.48.2 || SDR-receiver || KiwiSDR receiver located at Kaustinen, Finland · 0-30 MHz · Antenna switch extension · Northern Europe || Experimental. Also available on non-amprnet at address http://sdr.vy.fi
|-
|-}

Services

2017-10-10T18:30:38Z

Kb3vwg:

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE
|-
| AMPR ||[[44Net mailing list]] || http://hamradio.ucsd.edu/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts maintain a copy of AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)
 ampr.org 
ns2.threshinc.com 
munnari.OZ.AU 
a.coreservers.uk 
ampr-dns.in-berlin.de 
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:) 
gw.ct.ampr.org (44.88.0.1) 
dns-mdc.ampr.org (44.60.44.3) 
n1uro.ampr.org (44.88.0.9)
|| DNS || name resolution services|| zone files can be downloaded from ftp://gw.ampr.org/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || gw.ampr.org (Stratum 1, US) ntp.vk2hff.ampr.org (Stratum 1, UK) ntp.g1fef.ampr.org (Stratum 1, UK) kb3vwg-001.ampr.org (Stratum 2, US) gw-44-137.pi9noz.ampr.org (Stratum 2) yo2tm.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) ntp1.on3rvh.ampr.org || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/index.php/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| OH1KK || KiwiSDR Kaustinen || http://44.139.48.2 || SDR-receiver || KiwiSDR receiver located at Kaustinen, Finland · 0-30 MHz · Antenna switch extension · Northern Europe || Experimental. Also available on non-amprnet at address http://sdr.vy.fi
|-
|-}

Services

2017-10-10T15:31:10Z

Kb3vwg:

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE
|-
| AMPR ||[[44Net mailing list]] || http://hamradio.ucsd.edu/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts maintain a copy of AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)
 ampr.org 
ns2.threshinc.com 
munnari.OZ.AU 
a.coreservers.uk 
ampr-dns.in-berlin.de 
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:) 
gw.ct.ampr.org (44.88.0.1) 
dns-mdc.ampr.org (44.60.44.3) 
n1uro.ampr.org (44.88.0.9)
|| DNS || name resolution services|| zone files can be downloaded from ftp://gw.ampr.org/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || gw.ampr.org (Stratum 1, US) ntp.vk2hff.ampr.org (Stratum 1, UK) ntp.g1fef.ampr.org (Stratum 1, UK) kb3vwg-001.ampr.org (Stratum 2, US) gw-44-137.pi9noz.ampr.org (Stratum 2) yo2tm.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/index.php/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| OH1KK || KiwiSDR Kaustinen || http://44.139.48.2 || SDR-receiver || KiwiSDR receiver located at Kaustinen, Finland · 0-30 MHz · Antenna switch extension · Northern Europe || Experimental. Also available on non-amprnet at address http://sdr.vy.fi
|-
|-}

Services

2017-10-10T14:16:06Z

Kb3vwg: added more NTP servers

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE
|-
| AMPR ||[[44Net mailing list]] || http://hamradio.ucsd.edu/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts maintain a copy of AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)
 ampr.org 
ns2.threshinc.com 
munnari.OZ.AU 
a.coreservers.uk 
ampr-dns.in-berlin.de 
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:) 
gw.ct.ampr.org (44.88.0.1) 
dns-mdc.ampr.org (44.60.44.3) 
n1uro.ampr.org (44.88.0.9)
|| DNS || name resolution services|| zone files can be downloaded from ftp://gw.ampr.org/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || gw.ampr.org (Stratum 1, US) ntp.vk2hff.ampr.org (Stratum 1, UK) ntp.g1fef.ampr.org (Stratum 1, UK) kb3vwg-001.ampr.org (Stratum 2, US) gw-44-137.pi9noz.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/index.php/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| OH1KK || KiwiSDR Kaustinen || http://44.139.48.2 || SDR-receiver || KiwiSDR receiver located at Kaustinen, Finland · 0-30 MHz · Antenna switch extension · Northern Europe || Experimental. Also available on non-amprnet at address http://sdr.vy.fi
|-
|-}

Services

2017-10-03T01:50:08Z

Kb3vwg: all Global DNS possess both zones, removed "and/or"

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE
|-
| AMPR ||[[44Net mailing list]] || http://hamradio.ucsd.edu/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts maintain a copy of AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)
 ampr.org 
ns2.threshinc.com 
munnari.OZ.AU 
a.coreservers.uk 
ampr-dns.in-berlin.de 
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:) 
gw.ct.ampr.org (44.88.0.1) 
dns-mdc.ampr.org (44.60.44.3) 
n1uro.ampr.org (44.88.0.9)
|| DNS || name resolution services|| zone files can be downloaded from ftp://hamradio.ucsd.edu/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || kb3vwg-001.ampr.org (Stratum 2) gw-44-137.pi9noz.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican Stratum 1 Servers|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/index.php/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| OH1KK || KiwiSDR Kaustinen || http://44.139.48.2 || SDR-receiver || KiwiSDR receiver located at Kaustinen, Finland · 0-30 MHz · Antenna switch extension · Northern Europe || Experimental. Also available on non-amprnet at address http://sdr.vy.fi
|-
|-}

Services

2017-10-03T01:31:42Z

Kb3vwg: add IPs of recursive/Client DNS servers

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE
|-
| AMPR ||[[44Net mailing list]] || http://hamradio.ucsd.edu/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts maintain a copy of AMPR.ORG and/or the 44.in-addr.arpa DNS Zones:)
 ampr.org 
ns2.threshinc.com 
munnari.OZ.AU 
a.coreservers.uk 
ampr-dns.in-berlin.de 
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:) 
gw.ct.ampr.org (44.88.0.1) 
dns-mdc.ampr.org (44.60.44.3) 
n1uro.ampr.org (44.88.0.9)
|| DNS || name resolution services|| zone files can be downloaded from ftp://hamradio.ucsd.edu/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || kb3vwg-001.ampr.org (Stratum 2) gw-44-137.pi9noz.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican Stratum 1 Servers|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/index.php/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| OH1KK || KiwiSDR Kaustinen || http://44.139.48.2 || SDR-receiver || KiwiSDR receiver located at Kaustinen, Finland · 0-30 MHz · Antenna switch extension · Northern Europe || Experimental. Also available on non-amprnet at address http://sdr.vy.fi
|-
|-}

Services

2017-10-03T01:28:10Z

Kb3vwg: new DNS servers

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE
|-
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE
|-
| AMPR ||[[44Net mailing list]] || http://hamradio.ucsd.edu/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE
|-
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
(These hosts maintain a copy of AMPR.ORG and/or the 44.in-addr.arpa DNS Zones:)
 ampr.org 
ns2.threshinc.com 
munnari.OZ.AU 
a.coreservers.uk 
ampr-dns.in-berlin.de 
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:) 
gw.ct.ampr.org 
dns-mdc.ampr.org 
n1uro.ampr.org
|| DNS || name resolution services|| zone files can be downloaded from ftp://hamradio.ucsd.edu/pub/
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2tm.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
http://n1uro.ampr.org/do.shtml 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE
|-
| Various Operators ||Network Time Protocol Server || kb3vwg-001.ampr.org (Stratum 2) gw-44-137.pi9noz.ampr.org (Stratum 2) f4gve.ampr.org (Stratum 3) || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican Stratum 1 Servers|| AMPRNet hosts have OPEN ACCESS to these time servers
|-
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/index.php/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have a X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| OH1KK || KiwiSDR Kaustinen || http://44.139.48.2 || SDR-receiver || KiwiSDR receiver located at Kaustinen, Finland · 0-30 MHz · Antenna switch extension · Northern Europe || Experimental. Also available on non-amprnet at address http://sdr.vy.fi
|-
|-}

Firewalls

2017-06-07T18:34:00Z

Kb3vwg: added link to N1?URO's AMPR NAT page

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="169.228.34.84"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of [[RIP]]44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

'''Masquerade LAN Subnets to AMPRNet'''

In this instance, eth1 is your 192.168.1.0/24 LAN
(thanks to Brian, N1URO)

see: https://n1uro.ampr.org/linuxconf/44nat.html

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== Microtik ==

== OpenWRT ==

See: iptables (above) and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Firewalls

2017-06-07T17:27:04Z

Kb3vwg: /* iptables */ added masquerade to 44Net rules

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.

'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''

== Cisco ==

== DD-WRT ==

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"

https://www.dd-wrt.com/wiki/index.php/Iptables

https://www.dd-wrt.com/wiki/index.php/Firewall

== D-Link ==

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''

In Port Forwarding

# Create a new Port Forward
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field

== iptables ==

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

'''Dynamic IPENCAP Filtering of AMPR Nodes'''

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.'''

'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command].

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF WAN>''' -j ipipfilter

#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="169.228.34.84"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
'''# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###'''
'''# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###'''
'''# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###'''

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
##

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT

while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile

iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi

# Delete /tmp/gw when done
rm -f $gwfile

'''Static IPENCAP Filtering of AMPR Nodes'''

To enable input of IPENCAP (IP Protocol Number 4)

'''Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.'''

iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ACCEPT

If your AMPR node is downstream, you will create an INPUT '''and''' DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of [[RIP]]44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

'''Masquerade LAN Subnets to AMPRNet'''

In this instance, eth1 is your 192.168.1.0/24 LAN
(thanks to Brian, N1URO)

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

== Microtik ==

== OpenWRT ==

See: iptables (above) and the Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].

iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.

Startampr

2017-06-05T17:13:15Z

Kb3vwg: /* Script */ added ToS inherit, this gives outer header same ToS header as inner header

'''startampr''' is a custom suite of [https://en.wikipedia.org/wiki/Bash_%28Unix_shell%29 Bourne Again Shell] scripts developed by KB3VWG and others in the [[44Net mailing list]] Community, that turns a Debian/Ubuntu-based Linux machine into an AMPR [[Gateway]] on boot; and starts an [https://en.wikipedia.org/wiki/IP_in_IP IPENCAP] (or [https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers IP Protocol] number four) tunnel. The primary advantage to using this suite is that it executes and enables AMPR RIP44 daemons, munge scripts, interfaces and routing commands in proper boot order; and references them using the command syntax, default command arguments and practices that have become the de facto standard on [[AMPRNet]]. It is also minimally invasive, in that the machine otherwise remains an "untouched" default installation; and can be returned to an OEM Ubuntu installation by simply removing all associated files and uninstalling all packages added when configuring the machine to run '''startampr''' (please assist me in developing an uninstall script, if interested). Also, if you install a server GUI (e.g. [http://www.webmin.com Webmin]), you can disable the routing features of the machine simply by checking a box, and hitting APPLY (on next reboot, it is disabled). '''The current versions are 1.0 (no longer developed), and 2.0, released to the [[44Net mailing list]] Community on May 26, 2017 at 14:14 UTC.

== Detailed Summary ==

In addition to the first and main script, '''startampr''', other tools included with the official release are: init scripts to execute the file, save the routing table (if using a method that does not automatically save it); and an executable script generator (made using [http://linux.die.net/man/1/sed the sed command]) that can restore the AMPR routing table (i.e. in the case the administrator flushes the table). The script uses the [http://www.linuxfoundation.org/collaborate/workgroups/networking/tunneling ipip Linux Kernel module] and implements [http://linux.die.net/man/8/ip Linux ip] routing table's [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] to properly move traffic across the routing plane. It is suggested that [https://en.wikipedia.org/wiki/Iptables iptables] be used to firewall traffic after verification of a proper installation.

The official release uses [[rip44d]] as its [[RIP]]44 protocol daemon; but [[ampr-ripd]] or [[Encap.txt]] with a [[munge script]] may be used (instructions by KB9MWR use ampr-ripd). '''To operate a [[Gateway]] on [[AMPRNet]], you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol, named [[RIP]]44 is used. [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] is not the same as [[RIP]]44.''' rip44d is written in the Perl programming language by Heikki Hannikainen, OH7LZB. [[ampr-ripd]] is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. The developer choose rip44d simply because it was the only daemon available when version 1.0 was developed. The use of any method to add route information to table 44 will work. It should be noted that: '''startampr''' was developed around '''rip44d'''; and improves on features not included (e.g. reload of routing table upon reboot). The scripts to backup/restore are not needed when using [[ampr-ripd]] (but can be developed to provide geographically-local tertiary sources of the AMPR routing table).

'''NOTE: if you do not wish to compile software, you must use [[rip44d]] or [[Encap.txt]] with a [[munge script]].'''

== 2.0 Security Update ==

'''startampr 2.0's code includes a security fix that corrects a routing issue that allows unencapsulated traffic from the tunnel to leak onto the LAN or Public Internet interface in version 1.0 - this only occurs when a AMPRNnet-facing user attempts to connect using invalid source IPs or invalid AMPRNet IP address'''. In original development of version 1.0, it was considered that this behavior could be valid to reach subnets ran by operators using the option at: [[Announcing your allocation directly]]; '''but do not make their tunnel available on a non-44.0.0.0/8 address''' (it was announced on the [[44Net mailing list]] on 04AUG2015, that AMPRGW now routes traffic to/from BGPed and IPENCAPed AMPR subnets, making this programmatic workaround unnecessary).

It is a generally accepted practice on the Internet that network operators source filter their traffic, making BGPed subnets an exception for AMPRNet Gateways (see [https://tools.ietf.org/html/rfc3013 RFC3013, section 4.3 and 4.4]). It is also accepted AMPRNet practice that these operators consider running a tunneled Gateway on any non-AMPRNet IP available for accessibility to/from those running IPENCAP Gateways. It may be useful to also have redundant VLANs on two or more interfaces possessing the same Public IP at two or more borders; and run a script between the AMPR Gateways - using [https://en.wikipedia.org/wiki/Dynamic_DNS Dynamic DNS] to synchronize them, verify if connectivity goes down on either device's tunl0 interface and update the [[Portal]] accordingly.

I'm happy and willing to work with any BGP subnet operator who wishes to develop a script to establish an AMPR Gateway for your multi-homed AMPRNet BGPed subnet.

= Requirements, Installation Overview and Features =

# You'll need a Linux computer, which has been added in the Gateways file using the [[Portal]], so that it is known as an AMPRnet Gateway; and will receive RIP44 updates from the main [[Gateway]]. It will take some time before Amprgw will learn about new gateways.
# The instructions below are currently only for Debian/Ubuntu, but there's nothing Debian-specific - it should work fine on other distributions (if the correct packages used (e.g. wget/curl, The Bourne Again Shell/BASH, sed, ip, chmod, PERL, etc.) Interface names, file and folder locations, file permissions, etc. are edited.

You must first properly install:
* the operating system and network interfaces
* then properly install '''startampr''' at '''/usr/local/sbin''' to enable the tunnel. '''The tunnel interface must be operational and in 'UP' status before proceeding.'''
* the [[RIP]]44 daemon ([[rip44d]] uses the location '''/usrlocal/sbin/''') which receives periodic routing table updates from the [[AMPRNet]] routing service, and inserts them in the Linux routing table of your choice (most users use table 44; and the scripts use this value as well). '''You must verify that you are receiving route information before proceeding.'''
* boot script for '''startampr''', to '''/etc/init/'''
* (Optional) a script to backup the routing table and create a corresponding restore script, at '''/etc/cron.hourly/'''
* (Optional) a script to restore the AMPRNet routing table on boot, at '''/etc/if-ip.d/'''

= Installation of startampr =

Install the the script to '''/usr/local/sbin''' and '''sudo chmod ug+x /usr/local/sbin/startampr'''

After obtaining the correct password from the route announcement and entering it into the properly configured script, install the boot and interface-up scripts (sample init scripts provided).

The additional script '''/etc/cron.hourly/backup_ampr''' creates an hourly backup of the AMPR routing table, located in two files at '''/usr/local/sbin''':

* '''/usr/local/sbin/table44_bak ''' - It is a text file that contains a copy of output from the command: 'ip route get table 44'
* '''/usr/local/sbin/restore44sh''' - It contains a copy of '''table44_bak''' with the command "ip route add table 44 " appended to each line. '''backup_ampr''' gives this file executable permissions to user:root and group:root. Execute this file using the command: '''sudo ./usr/local/sbin/restore44sh''' to restore your routing table if the need ever occurs.

You can verify the backup is running by issuing the command: '''ls -l /usr/local/sbin/restore44sh''' and '''ls -l /usr/local/sbin/table44_bak'''
If the machine has been up, the files should be no more than an hour old.

That should be all. Really. The downside of this configuration is that it will take up to 5 minutes for the gateway to receive a routing update and become operational after a reboot. The additional scripts provided store the current routing table in a local file hourly and load it from there when starting up. Thereafter, after every hour of uptime your routing table is backed up at :17 on the hour. This backup can be used if you ever need to execute the ip command to flush table 44.

= Installation of dependencies on Debian/Ubuntu =

'''If you use rip44d''', install perl, and IO::Socket::Multicast, a Perl module used for receiving the RIP multicast packets

sudo apt-get install perl libio-socket-multicast-perl libio-interface-perl

recommended:

sudo apt-get install traceroute openssh-server ipset

= Installation of dependencies on other distributions =

Other distributions should have an easy way to install the required packages too (using yum or a similar program). Please fill in details here, if you know them.

= Script =

#!/bin/bash
#############################################################
###STARTAMPR v2.0 May 26, 2017###
###
### TO DO - Have the AMPRNet Community test and verify
###
### CHANGELOG
###
### v2.0 RC4
### - Dialogue about how to add routes and rules for any created test subnet(s).
###
### v2.0 RC3
### - Exclusively seperates route and tables, as well as priotities by: class and type
### - This makes unnecessary the exclusion of local subnets in ampr-ripd using the '-a' switch,
### by adding local 44 network(s) to a higher priority routing table
### - This should enable you can to become a tunnel GW for BGPed 44/8 subnets
### - Provides table 7777 as a BLACKHOLE/NULL Route
### - Adds script to load last hourly backup of table 44 on boot
### - With script backup_ampr, creates a backup of the routing table a file named table44_bak
### and an executable restore44sh hourly to use on the running machine to
### restore table 44 if the table needs to be flushed during uptime
###
### v2.0
### - Streamlined commands and routes
### - Placed syntax for Debian/Ubuntu and OpenWRT/LEDE devices
#############################################################
## This script was developed by KB3VWG on a standard
## Ubuntu 16.04.2 LTS PC eth0 configured to the Public facing
## LAN and eth1 to the 44LAN. It is designed to enable an
## AMPR Router using the ampr-ripd v2.0, the standard ampr-ripd,
## using the -t switch to add routes to routing table '44'
## with no further configuration needed (firewall optional)
##############################################################
##################################################################
## This script was modified by LX1DUC to automate even more tasks.
##################################################################
##################################################################
## Thanks to PE1CHL for discovering the need for policy-based routing
## Thanks to KI4SZJ for testing v2.0
##################################################################

### ENABLE IP FORWARDING ###
sysctl -w net.ipv4.ip_forward=1
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

################### AMPRNet IPENCAP UBUNTU SYNTAX #######################
# modprobe ipip
# ip tunnel add tunl0 mode ipip
###NUMBER tunl0 with a /32 from your allocation
###(you may reuse this IP on an Ethernet interface
# ip addr add <IP from your 44>/32 dev tunl0
# ip link set tunl0 mtu 1480 up
# ip tunnel change tunl0 ttl 64 tos inherit pmtudisc

################### AMPRNet IPENCAP OpenWRT/LEDE SYNTAX #######################
# ip tunnel add tunl0
# ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
###(you may reuse this IP on an Ethernet interface
# ip addr add <IP from your 44>/32 dev tunl0
# ip link set tunl0 mtu 1480 up

################### OPTIONAL - DEFAULT ROUTE FOR INTERNET ACCESS #######################
ip route add default dev tunl0 via <AMPRGW_IP> onlink proto 44 table 44

################### POLICY-BADED ROUTING #######################
###OPTIONAL LOCAL RULES
ip rule add from <CIDR_44_allocation> to <LAN e.g. 192.168.1.0/24> table main priority 22

#REQUIRED RULES
ip rule add to <CIDR_44_allocation> table main priority 44
ip rule add dev tunl0 table 44 priority 45
ip rule add dev <interface_for_44LAN> table 44 priority 46
ip rule add from <CIDR_44_allocation> table 44 priority 47

###SOME OF THIS MAY BE NEEDED TO RUN ampr-ripd from another folder than the compile option
###make sure you create the correct save and working folders, etc if you cant recompile ampr-ripd
# This directory is not persistent on OpenWRT/LEDE, it must be made on boot for dynamic filtering
# mkdir /var/lib/ampr-ripd
# Create a blank bootstrap file at /etc/config/encap.txt for this to work
# ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# cd /usr/local/sbin

################### RUN AMPR-RIPD
################### WITH DYNAMIC FIREWALL SCRIPT USING -x
################### see http://wiki.ampr.org/wiki/Firewalls for dynamic script
./ampr-ripd-2.0.x64_Ubuntu16 -i <tunl_interface> -t 44 -a <CIDR_44_allocation> -s -x '/etc/config/load_ipipfilter.sh' -L <CALLSIGN>@<GRID_SQUARE> &

= Notes =

* '''startampr documentation uses tunl0 as the tunnel interface (it is the default on RIP44 daemons) and table 44 for those routes. Use the -i <if> and -t <ip table> option to change to another. The command arguments differ between [[rip44d]] and [[ampr-ripd]]. startampr uses rip44d. See the documentation for the RIP44 programs if decide to use custom interfaces, tables or switch to a routing daemon other than [[rip44d]].'''
* '''The script places the routing daemon at /usr/local/sbin/rip44d_<version number> (this assists in preventing inadvertent running of RIP44 Protocol before you have configured startampr.
* '''The routing rules do not account for rogue traffic containing both an invalid source and destination IP (which the security of the [[Portal]] generally prevents). Use iptables to DROP forwarding of all traffic entering tunl0 not matching a source or destination of in your allocated subnet(s). This can be done by adding adding rules to drop forwarding, by default, packets not possessing correct source and destination IPs in the range of 44.0.0.0/8, etc.'''
* The -a <IP in [[Portal]]> is used to remove your routes from the table (which is incorrect, as they are local). '''startampr''' places your local routes in a higher routing table, eliminating the need to use the -a argument. This is a good feature for those who are assigned a dynamic IP address from their Internet Service Provider.
* The tunnel interface must be up and configured before '''rip44d''' starts up. '''startampr''' places this command in the proper location.
* rip44d automatically adds an AMPR route to the Main AMPRNet Gateway on table 44
* The '''startampr''' backup script '''/etc/cron.hourly/backup_ampr''' is added to a folder that is configured in Ubuntu, by default, to run scripts at :17 after the hour. The Main AMPR Gateway sends an update every five minutes. For advanced instructions on changing this time interval, see [https://help.ubuntu.com/community/CronHowto the Ubuntu Community cron HowTo].
* A strict assortment of: file permissions, naming conventions and leading characters (e.g. '''"#!/bin/bash"''') are required in '''/etc/init/''', '''/etc/if-up.d/''' (used in a script to reload table 44 on boot) and '''/etc/cron.hourly/'''. Note that: '''startampr''' has properly named those files. If you wish to edit them, please follow the documentation and README for more details.
* '''Please note that: any machine acting as an AMPRNet Gateway must explicitly create high-priority routing rules for all traffic addressed to or from eth0. The network assigned to eth0 must be configured to ONLY use table main.''' No other valid configuration has been found to properly work (discovered by PE1CHL and tested by KB3VWG and others in the [[44Net mailing list]] Community). '''This is due to the unique fact that, on AMPRNet routers, 44.0.0.0/8 exists on both the Public (eth0) and AMPRNet-facing (tunl0) sides of the device. There is no way to properly differentiate the route or destination interface of the traffic received from 44.0.0.0/8 over tunl0 (with your 44Router's 44 IP address), versus that from eth0 (on the Gateway's Public-facing IP). Meaning, there is no way to route traffic for all cases, except by SOURCE OR DESTINATION IP ADDRESS. Therefore, ALL traffic to and from the network facing eth0, must use eth0.''' In order to access your AMPRNet from a local network, you must create another routable LAN (and add TO rules, e.g. ip route add to 172.55.0.0/24 table main priority - and masquerade accordingly if configured to reach all of 44.0.0.0/8), or simply connect directly to an AMPR-facing interface. The rule to only use the main table for the eth0 network allows the AMPRNet Gateway to reach 44 hosts on the Public Internet, leaving the operator to provide all routing rules for AMPR-facing interfaces, which is the intent of '''startampr'''.

= Support, bug reports and improvements =

If you have questions to ask about the usage of this script, please contact the [[44Net mailing list]].

If you have improvements to the script and wish to submit a patch, please contact KB3VWG on the [[44Net mailing list]], or via contact details in the [[Portal]]. Thank you!

The daemon was written by Lynwood, KB3VWG, and with major contributions from PE1CHL (for implementation of policy-based IP routing), Heikki Hannikainen, OH7LZB (to version 1.0's integration with '''[[rip44d]]'''), and Marc, LX1DUC (to automate enabling of IP forwarding).

=See also=

* [[Ubuntu Linux Gateway Example]]
* [[Setting up a gateway on Linux]]
* [[ampr-ripd]]
* [[Encap.txt]]
* [[munge script]]
* [[rip44d]]

= Links =

* [http://www.qsl.net/kb9mwr/wapr/tcpip/rip44d.html Alternative installation instructions by KB9MWR]
* [http://marc.storck.lu/blog/2013/08/howto-setup-an-amprnet-gateway-on-linux/ Alternative installation instructions by Marc, LX1DUC]
* [(link to KB3VWG's site here) Detailed Readme and Installation instructions by KB3VWG]

Startampr

2017-06-05T14:03:13Z

Kb3vwg: /* Script */ added discovery packet -L argument information

'''startampr''' is a custom suite of [https://en.wikipedia.org/wiki/Bash_%28Unix_shell%29 Bourne Again Shell] scripts developed by KB3VWG and others in the [[44Net mailing list]] Community, that turns a Debian/Ubuntu-based Linux machine into an AMPR [[Gateway]] on boot; and starts an [https://en.wikipedia.org/wiki/IP_in_IP IPENCAP] (or [https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers IP Protocol] number four) tunnel. The primary advantage to using this suite is that it executes and enables AMPR RIP44 daemons, munge scripts, interfaces and routing commands in proper boot order; and references them using the command syntax, default command arguments and practices that have become the de facto standard on [[AMPRNet]]. It is also minimally invasive, in that the machine otherwise remains an "untouched" default installation; and can be returned to an OEM Ubuntu installation by simply removing all associated files and uninstalling all packages added when configuring the machine to run '''startampr''' (please assist me in developing an uninstall script, if interested). Also, if you install a server GUI (e.g. [http://www.webmin.com Webmin]), you can disable the routing features of the machine simply by checking a box, and hitting APPLY (on next reboot, it is disabled). '''The current versions are 1.0 (no longer developed), and 2.0, released to the [[44Net mailing list]] Community on May 26, 2017 at 14:14 UTC.

== Detailed Summary ==

In addition to the first and main script, '''startampr''', other tools included with the official release are: init scripts to execute the file, save the routing table (if using a method that does not automatically save it); and an executable script generator (made using [http://linux.die.net/man/1/sed the sed command]) that can restore the AMPR routing table (i.e. in the case the administrator flushes the table). The script uses the [http://www.linuxfoundation.org/collaborate/workgroups/networking/tunneling ipip Linux Kernel module] and implements [http://linux.die.net/man/8/ip Linux ip] routing table's [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] to properly move traffic across the routing plane. It is suggested that [https://en.wikipedia.org/wiki/Iptables iptables] be used to firewall traffic after verification of a proper installation.

The official release uses [[rip44d]] as its [[RIP]]44 protocol daemon; but [[ampr-ripd]] or [[Encap.txt]] with a [[munge script]] may be used (instructions by KB9MWR use ampr-ripd). '''To operate a [[Gateway]] on [[AMPRNet]], you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol, named [[RIP]]44 is used. [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] is not the same as [[RIP]]44.''' rip44d is written in the Perl programming language by Heikki Hannikainen, OH7LZB. [[ampr-ripd]] is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. The developer choose rip44d simply because it was the only daemon available when version 1.0 was developed. The use of any method to add route information to table 44 will work. It should be noted that: '''startampr''' was developed around '''rip44d'''; and improves on features not included (e.g. reload of routing table upon reboot). The scripts to backup/restore are not needed when using [[ampr-ripd]] (but can be developed to provide geographically-local tertiary sources of the AMPR routing table).

'''NOTE: if you do not wish to compile software, you must use [[rip44d]] or [[Encap.txt]] with a [[munge script]].'''

== 2.0 Security Update ==

'''startampr 2.0's code includes a security fix that corrects a routing issue that allows unencapsulated traffic from the tunnel to leak onto the LAN or Public Internet interface in version 1.0 - this only occurs when a AMPRNnet-facing user attempts to connect using invalid source IPs or invalid AMPRNet IP address'''. In original development of version 1.0, it was considered that this behavior could be valid to reach subnets ran by operators using the option at: [[Announcing your allocation directly]]; '''but do not make their tunnel available on a non-44.0.0.0/8 address''' (it was announced on the [[44Net mailing list]] on 04AUG2015, that AMPRGW now routes traffic to/from BGPed and IPENCAPed AMPR subnets, making this programmatic workaround unnecessary).

It is a generally accepted practice on the Internet that network operators source filter their traffic, making BGPed subnets an exception for AMPRNet Gateways (see [https://tools.ietf.org/html/rfc3013 RFC3013, section 4.3 and 4.4]). It is also accepted AMPRNet practice that these operators consider running a tunneled Gateway on any non-AMPRNet IP available for accessibility to/from those running IPENCAP Gateways. It may be useful to also have redundant VLANs on two or more interfaces possessing the same Public IP at two or more borders; and run a script between the AMPR Gateways - using [https://en.wikipedia.org/wiki/Dynamic_DNS Dynamic DNS] to synchronize them, verify if connectivity goes down on either device's tunl0 interface and update the [[Portal]] accordingly.

I'm happy and willing to work with any BGP subnet operator who wishes to develop a script to establish an AMPR Gateway for your multi-homed AMPRNet BGPed subnet.

= Requirements, Installation Overview and Features =

# You'll need a Linux computer, which has been added in the Gateways file using the [[Portal]], so that it is known as an AMPRnet Gateway; and will receive RIP44 updates from the main [[Gateway]]. It will take some time before Amprgw will learn about new gateways.
# The instructions below are currently only for Debian/Ubuntu, but there's nothing Debian-specific - it should work fine on other distributions (if the correct packages used (e.g. wget/curl, The Bourne Again Shell/BASH, sed, ip, chmod, PERL, etc.) Interface names, file and folder locations, file permissions, etc. are edited.

You must first properly install:
* the operating system and network interfaces
* then properly install '''startampr''' at '''/usr/local/sbin''' to enable the tunnel. '''The tunnel interface must be operational and in 'UP' status before proceeding.'''
* the [[RIP]]44 daemon ([[rip44d]] uses the location '''/usrlocal/sbin/''') which receives periodic routing table updates from the [[AMPRNet]] routing service, and inserts them in the Linux routing table of your choice (most users use table 44; and the scripts use this value as well). '''You must verify that you are receiving route information before proceeding.'''
* boot script for '''startampr''', to '''/etc/init/'''
* (Optional) a script to backup the routing table and create a corresponding restore script, at '''/etc/cron.hourly/'''
* (Optional) a script to restore the AMPRNet routing table on boot, at '''/etc/if-ip.d/'''

= Installation of startampr =

Install the the script to '''/usr/local/sbin''' and '''sudo chmod ug+x /usr/local/sbin/startampr'''

After obtaining the correct password from the route announcement and entering it into the properly configured script, install the boot and interface-up scripts (sample init scripts provided).

The additional script '''/etc/cron.hourly/backup_ampr''' creates an hourly backup of the AMPR routing table, located in two files at '''/usr/local/sbin''':

* '''/usr/local/sbin/table44_bak ''' - It is a text file that contains a copy of output from the command: 'ip route get table 44'
* '''/usr/local/sbin/restore44sh''' - It contains a copy of '''table44_bak''' with the command "ip route add table 44 " appended to each line. '''backup_ampr''' gives this file executable permissions to user:root and group:root. Execute this file using the command: '''sudo ./usr/local/sbin/restore44sh''' to restore your routing table if the need ever occurs.

You can verify the backup is running by issuing the command: '''ls -l /usr/local/sbin/restore44sh''' and '''ls -l /usr/local/sbin/table44_bak'''
If the machine has been up, the files should be no more than an hour old.

That should be all. Really. The downside of this configuration is that it will take up to 5 minutes for the gateway to receive a routing update and become operational after a reboot. The additional scripts provided store the current routing table in a local file hourly and load it from there when starting up. Thereafter, after every hour of uptime your routing table is backed up at :17 on the hour. This backup can be used if you ever need to execute the ip command to flush table 44.

= Installation of dependencies on Debian/Ubuntu =

'''If you use rip44d''', install perl, and IO::Socket::Multicast, a Perl module used for receiving the RIP multicast packets

sudo apt-get install perl libio-socket-multicast-perl libio-interface-perl

recommended:

sudo apt-get install traceroute openssh-server ipset

= Installation of dependencies on other distributions =

Other distributions should have an easy way to install the required packages too (using yum or a similar program). Please fill in details here, if you know them.

= Script =

#!/bin/bash
#############################################################
###STARTAMPR v2.0 May 26, 2017###
###
### TO DO - Have the AMPRNet Community test and verify
###
### CHANGELOG
###
### v2.0 RC4
### - Dialogue about how to add routes and rules for any created test subnet(s).
###
### v2.0 RC3
### - Exclusively seperates route and tables, as well as priotities by: class and type
### - This makes unnecessary the exclusion of local subnets in ampr-ripd using the '-a' switch,
### by adding local 44 network(s) to a higher priority routing table
### - This should enable you can to become a tunnel GW for BGPed 44/8 subnets
### - Provides table 7777 as a BLACKHOLE/NULL Route
### - Adds script to load last hourly backup of table 44 on boot
### - With script backup_ampr, creates a backup of the routing table a file named table44_bak
### and an executable restore44sh hourly to use on the running machine to
### restore table 44 if the table needs to be flushed during uptime
###
### v2.0
### - Streamlined commands and routes
### - Placed syntax for Debian/Ubuntu and OpenWRT/LEDE devices
#############################################################
## This script was developed by KB3VWG on a standard
## Ubuntu 16.04.2 LTS PC eth0 configured to the Public facing
## LAN and eth1 to the 44LAN. It is designed to enable an
## AMPR Router using the ampr-ripd v2.0, the standard ampr-ripd,
## using the -t switch to add routes to routing table '44'
## with no further configuration needed (firewall optional)
##############################################################
##################################################################
## This script was modified by LX1DUC to automate even more tasks.
##################################################################
##################################################################
## Thanks to PE1CHL for discovering the need for policy-based routing
## Thanks to KI4SZJ for testing v2.0
##################################################################

### ENABLE IP FORWARDING ###
sysctl -w net.ipv4.ip_forward=1
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

################### AMPRNet IPENCAP UBUNTU SYNTAX #######################
# modprobe ipip
# ip tunnel add tunl0 mode ipip
###NUMBER tunl0 with a /32 from your allocation
###(you may reuse this IP on an Ethernet interface
# ip addr add <IP from your 44>/32 dev tunl0
# ip link set tunl0 mtu 1480 up
# ip tunnel change tunl0 ttl 64 pmtudisc

################### AMPRNet IPENCAP OpenWRT/LEDE SYNTAX #######################
# ip tunnel add tunl0
# ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
###(you may reuse this IP on an Ethernet interface
# ip addr add <IP from your 44>/32 dev tunl0
# ip link set tunl0 mtu 1480 up

################### OPTIONAL - DEFAULT ROUTE FOR INTERNET ACCESS #######################
ip route add default dev tunl0 via <AMPRGW_IP> onlink proto 44 table 44

################### POLICY-BADED ROUTING #######################
###OPTIONAL LOCAL RULES
ip rule add from <CIDR_44_allocation> to <LAN e.g. 192.168.1.0/24> table main priority 22

#REQUIRED RULES
ip rule add to <CIDR_44_allocation> table main priority 44
ip rule add dev tunl0 table 44 priority 45
ip rule add dev <interface_for_44LAN> table 44 priority 46
ip rule add from <CIDR_44_allocation> table 44 priority 47

###SOME OF THIS MAY BE NEEDED TO RUN ampr-ripd from another folder than the compile option
###make sure you create the correct save and working folders, etc if you cant recompile ampr-ripd
# This directory is not persistent on OpenWRT/LEDE, it must be made on boot for dynamic filtering
# mkdir /var/lib/ampr-ripd
# Create a blank bootstrap file at /etc/config/encap.txt for this to work
# ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# cd /usr/local/sbin

################### RUN AMPR-RIPD
################### WITH DYNAMIC FIREWALL SCRIPT USING -x
################### see http://wiki.ampr.org/wiki/Firewalls for dynamic script
./ampr-ripd-2.0.x64_Ubuntu16 -i <tunl_interface> -t 44 -a <CIDR_44_allocation> -s -x '/etc/config/load_ipipfilter.sh' -L <CALLSIGN>@<GRID_SQUARE> &

= Notes =

* '''startampr documentation uses tunl0 as the tunnel interface (it is the default on RIP44 daemons) and table 44 for those routes. Use the -i <if> and -t <ip table> option to change to another. The command arguments differ between [[rip44d]] and [[ampr-ripd]]. startampr uses rip44d. See the documentation for the RIP44 programs if decide to use custom interfaces, tables or switch to a routing daemon other than [[rip44d]].'''
* '''The script places the routing daemon at /usr/local/sbin/rip44d_<version number> (this assists in preventing inadvertent running of RIP44 Protocol before you have configured startampr.
* '''The routing rules do not account for rogue traffic containing both an invalid source and destination IP (which the security of the [[Portal]] generally prevents). Use iptables to DROP forwarding of all traffic entering tunl0 not matching a source or destination of in your allocated subnet(s). This can be done by adding adding rules to drop forwarding, by default, packets not possessing correct source and destination IPs in the range of 44.0.0.0/8, etc.'''
* The -a <IP in [[Portal]]> is used to remove your routes from the table (which is incorrect, as they are local). '''startampr''' places your local routes in a higher routing table, eliminating the need to use the -a argument. This is a good feature for those who are assigned a dynamic IP address from their Internet Service Provider.
* The tunnel interface must be up and configured before '''rip44d''' starts up. '''startampr''' places this command in the proper location.
* rip44d automatically adds an AMPR route to the Main AMPRNet Gateway on table 44
* The '''startampr''' backup script '''/etc/cron.hourly/backup_ampr''' is added to a folder that is configured in Ubuntu, by default, to run scripts at :17 after the hour. The Main AMPR Gateway sends an update every five minutes. For advanced instructions on changing this time interval, see [https://help.ubuntu.com/community/CronHowto the Ubuntu Community cron HowTo].
* A strict assortment of: file permissions, naming conventions and leading characters (e.g. '''"#!/bin/bash"''') are required in '''/etc/init/''', '''/etc/if-up.d/''' (used in a script to reload table 44 on boot) and '''/etc/cron.hourly/'''. Note that: '''startampr''' has properly named those files. If you wish to edit them, please follow the documentation and README for more details.
* '''Please note that: any machine acting as an AMPRNet Gateway must explicitly create high-priority routing rules for all traffic addressed to or from eth0. The network assigned to eth0 must be configured to ONLY use table main.''' No other valid configuration has been found to properly work (discovered by PE1CHL and tested by KB3VWG and others in the [[44Net mailing list]] Community). '''This is due to the unique fact that, on AMPRNet routers, 44.0.0.0/8 exists on both the Public (eth0) and AMPRNet-facing (tunl0) sides of the device. There is no way to properly differentiate the route or destination interface of the traffic received from 44.0.0.0/8 over tunl0 (with your 44Router's 44 IP address), versus that from eth0 (on the Gateway's Public-facing IP). Meaning, there is no way to route traffic for all cases, except by SOURCE OR DESTINATION IP ADDRESS. Therefore, ALL traffic to and from the network facing eth0, must use eth0.''' In order to access your AMPRNet from a local network, you must create another routable LAN (and add TO rules, e.g. ip route add to 172.55.0.0/24 table main priority - and masquerade accordingly if configured to reach all of 44.0.0.0/8), or simply connect directly to an AMPR-facing interface. The rule to only use the main table for the eth0 network allows the AMPRNet Gateway to reach 44 hosts on the Public Internet, leaving the operator to provide all routing rules for AMPR-facing interfaces, which is the intent of '''startampr'''.

= Support, bug reports and improvements =

If you have questions to ask about the usage of this script, please contact the [[44Net mailing list]].

If you have improvements to the script and wish to submit a patch, please contact KB3VWG on the [[44Net mailing list]], or via contact details in the [[Portal]]. Thank you!

The daemon was written by Lynwood, KB3VWG, and with major contributions from PE1CHL (for implementation of policy-based IP routing), Heikki Hannikainen, OH7LZB (to version 1.0's integration with '''[[rip44d]]'''), and Marc, LX1DUC (to automate enabling of IP forwarding).

=See also=

* [[Ubuntu Linux Gateway Example]]
* [[Setting up a gateway on Linux]]
* [[ampr-ripd]]
* [[Encap.txt]]
* [[munge script]]
* [[rip44d]]

= Links =

* [http://www.qsl.net/kb9mwr/wapr/tcpip/rip44d.html Alternative installation instructions by KB9MWR]
* [http://marc.storck.lu/blog/2013/08/howto-setup-an-amprnet-gateway-on-linux/ Alternative installation instructions by Marc, LX1DUC]
* [(link to KB3VWG's site here) Detailed Readme and Installation instructions by KB3VWG]

Startampr

2017-06-05T14:01:43Z

Kb3vwg: /* Script */ change optional IP numbering of tunl0 to required

'''startampr''' is a custom suite of [https://en.wikipedia.org/wiki/Bash_%28Unix_shell%29 Bourne Again Shell] scripts developed by KB3VWG and others in the [[44Net mailing list]] Community, that turns a Debian/Ubuntu-based Linux machine into an AMPR [[Gateway]] on boot; and starts an [https://en.wikipedia.org/wiki/IP_in_IP IPENCAP] (or [https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers IP Protocol] number four) tunnel. The primary advantage to using this suite is that it executes and enables AMPR RIP44 daemons, munge scripts, interfaces and routing commands in proper boot order; and references them using the command syntax, default command arguments and practices that have become the de facto standard on [[AMPRNet]]. It is also minimally invasive, in that the machine otherwise remains an "untouched" default installation; and can be returned to an OEM Ubuntu installation by simply removing all associated files and uninstalling all packages added when configuring the machine to run '''startampr''' (please assist me in developing an uninstall script, if interested). Also, if you install a server GUI (e.g. [http://www.webmin.com Webmin]), you can disable the routing features of the machine simply by checking a box, and hitting APPLY (on next reboot, it is disabled). '''The current versions are 1.0 (no longer developed), and 2.0, released to the [[44Net mailing list]] Community on May 26, 2017 at 14:14 UTC.

== Detailed Summary ==

In addition to the first and main script, '''startampr''', other tools included with the official release are: init scripts to execute the file, save the routing table (if using a method that does not automatically save it); and an executable script generator (made using [http://linux.die.net/man/1/sed the sed command]) that can restore the AMPR routing table (i.e. in the case the administrator flushes the table). The script uses the [http://www.linuxfoundation.org/collaborate/workgroups/networking/tunneling ipip Linux Kernel module] and implements [http://linux.die.net/man/8/ip Linux ip] routing table's [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] to properly move traffic across the routing plane. It is suggested that [https://en.wikipedia.org/wiki/Iptables iptables] be used to firewall traffic after verification of a proper installation.

The official release uses [[rip44d]] as its [[RIP]]44 protocol daemon; but [[ampr-ripd]] or [[Encap.txt]] with a [[munge script]] may be used (instructions by KB9MWR use ampr-ripd). '''To operate a [[Gateway]] on [[AMPRNet]], you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol, named [[RIP]]44 is used. [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] is not the same as [[RIP]]44.''' rip44d is written in the Perl programming language by Heikki Hannikainen, OH7LZB. [[ampr-ripd]] is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. The developer choose rip44d simply because it was the only daemon available when version 1.0 was developed. The use of any method to add route information to table 44 will work. It should be noted that: '''startampr''' was developed around '''rip44d'''; and improves on features not included (e.g. reload of routing table upon reboot). The scripts to backup/restore are not needed when using [[ampr-ripd]] (but can be developed to provide geographically-local tertiary sources of the AMPR routing table).

'''NOTE: if you do not wish to compile software, you must use [[rip44d]] or [[Encap.txt]] with a [[munge script]].'''

== 2.0 Security Update ==

'''startampr 2.0's code includes a security fix that corrects a routing issue that allows unencapsulated traffic from the tunnel to leak onto the LAN or Public Internet interface in version 1.0 - this only occurs when a AMPRNnet-facing user attempts to connect using invalid source IPs or invalid AMPRNet IP address'''. In original development of version 1.0, it was considered that this behavior could be valid to reach subnets ran by operators using the option at: [[Announcing your allocation directly]]; '''but do not make their tunnel available on a non-44.0.0.0/8 address''' (it was announced on the [[44Net mailing list]] on 04AUG2015, that AMPRGW now routes traffic to/from BGPed and IPENCAPed AMPR subnets, making this programmatic workaround unnecessary).

It is a generally accepted practice on the Internet that network operators source filter their traffic, making BGPed subnets an exception for AMPRNet Gateways (see [https://tools.ietf.org/html/rfc3013 RFC3013, section 4.3 and 4.4]). It is also accepted AMPRNet practice that these operators consider running a tunneled Gateway on any non-AMPRNet IP available for accessibility to/from those running IPENCAP Gateways. It may be useful to also have redundant VLANs on two or more interfaces possessing the same Public IP at two or more borders; and run a script between the AMPR Gateways - using [https://en.wikipedia.org/wiki/Dynamic_DNS Dynamic DNS] to synchronize them, verify if connectivity goes down on either device's tunl0 interface and update the [[Portal]] accordingly.

I'm happy and willing to work with any BGP subnet operator who wishes to develop a script to establish an AMPR Gateway for your multi-homed AMPRNet BGPed subnet.

= Requirements, Installation Overview and Features =

# You'll need a Linux computer, which has been added in the Gateways file using the [[Portal]], so that it is known as an AMPRnet Gateway; and will receive RIP44 updates from the main [[Gateway]]. It will take some time before Amprgw will learn about new gateways.
# The instructions below are currently only for Debian/Ubuntu, but there's nothing Debian-specific - it should work fine on other distributions (if the correct packages used (e.g. wget/curl, The Bourne Again Shell/BASH, sed, ip, chmod, PERL, etc.) Interface names, file and folder locations, file permissions, etc. are edited.

You must first properly install:
* the operating system and network interfaces
* then properly install '''startampr''' at '''/usr/local/sbin''' to enable the tunnel. '''The tunnel interface must be operational and in 'UP' status before proceeding.'''
* the [[RIP]]44 daemon ([[rip44d]] uses the location '''/usrlocal/sbin/''') which receives periodic routing table updates from the [[AMPRNet]] routing service, and inserts them in the Linux routing table of your choice (most users use table 44; and the scripts use this value as well). '''You must verify that you are receiving route information before proceeding.'''
* boot script for '''startampr''', to '''/etc/init/'''
* (Optional) a script to backup the routing table and create a corresponding restore script, at '''/etc/cron.hourly/'''
* (Optional) a script to restore the AMPRNet routing table on boot, at '''/etc/if-ip.d/'''

= Installation of startampr =

Install the the script to '''/usr/local/sbin''' and '''sudo chmod ug+x /usr/local/sbin/startampr'''

After obtaining the correct password from the route announcement and entering it into the properly configured script, install the boot and interface-up scripts (sample init scripts provided).

The additional script '''/etc/cron.hourly/backup_ampr''' creates an hourly backup of the AMPR routing table, located in two files at '''/usr/local/sbin''':

* '''/usr/local/sbin/table44_bak ''' - It is a text file that contains a copy of output from the command: 'ip route get table 44'
* '''/usr/local/sbin/restore44sh''' - It contains a copy of '''table44_bak''' with the command "ip route add table 44 " appended to each line. '''backup_ampr''' gives this file executable permissions to user:root and group:root. Execute this file using the command: '''sudo ./usr/local/sbin/restore44sh''' to restore your routing table if the need ever occurs.

You can verify the backup is running by issuing the command: '''ls -l /usr/local/sbin/restore44sh''' and '''ls -l /usr/local/sbin/table44_bak'''
If the machine has been up, the files should be no more than an hour old.

That should be all. Really. The downside of this configuration is that it will take up to 5 minutes for the gateway to receive a routing update and become operational after a reboot. The additional scripts provided store the current routing table in a local file hourly and load it from there when starting up. Thereafter, after every hour of uptime your routing table is backed up at :17 on the hour. This backup can be used if you ever need to execute the ip command to flush table 44.

= Installation of dependencies on Debian/Ubuntu =

'''If you use rip44d''', install perl, and IO::Socket::Multicast, a Perl module used for receiving the RIP multicast packets

sudo apt-get install perl libio-socket-multicast-perl libio-interface-perl

recommended:

sudo apt-get install traceroute openssh-server ipset

= Installation of dependencies on other distributions =

Other distributions should have an easy way to install the required packages too (using yum or a similar program). Please fill in details here, if you know them.

= Script =

#!/bin/bash
#############################################################
###STARTAMPR v2.0 May 26, 2017###
###
### TO DO - Have the AMPRNet Community test and verify
###
### CHANGELOG
###
### v2.0 RC4
### - Dialogue about how to add routes and rules for any created test subnet(s).
###
### v2.0 RC3
### - Exclusively seperates route and tables, as well as priotities by: class and type
### - This makes unnecessary the exclusion of local subnets in ampr-ripd using the '-a' switch,
### by adding local 44 network(s) to a higher priority routing table
### - This should enable you can to become a tunnel GW for BGPed 44/8 subnets
### - Provides table 7777 as a BLACKHOLE/NULL Route
### - Adds script to load last hourly backup of table 44 on boot
### - With script backup_ampr, creates a backup of the routing table a file named table44_bak
### and an executable restore44sh hourly to use on the running machine to
### restore table 44 if the table needs to be flushed during uptime
###
### v2.0
### - Streamlined commands and routes
### - Placed syntax for Debian/Ubuntu and OpenWRT/LEDE devices
#############################################################
## This script was developed by KB3VWG on a standard
## Ubuntu 16.04.2 LTS PC eth0 configured to the Public facing
## LAN and eth1 to the 44LAN. It is designed to enable an
## AMPR Router using the ampr-ripd v2.0, the standard ampr-ripd,
## using the -t switch to add routes to routing table '44'
## with no further configuration needed (firewall optional)
##############################################################
##################################################################
## This script was modified by LX1DUC to automate even more tasks.
##################################################################
##################################################################
## Thanks to PE1CHL for discovering the need for policy-based routing
## Thanks to KI4SZJ for testing v2.0
##################################################################

### ENABLE IP FORWARDING ###
sysctl -w net.ipv4.ip_forward=1
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

################### AMPRNet IPENCAP UBUNTU SYNTAX #######################
# modprobe ipip
# ip tunnel add tunl0 mode ipip
###NUMBER tunl0 with a /32 from your allocation
###(you may reuse this IP on an Ethernet interface
# ip addr add <IP from your 44>/32 dev tunl0
# ip link set tunl0 mtu 1480 up
# ip tunnel change tunl0 ttl 64 pmtudisc

################### AMPRNet IPENCAP OpenWRT/LEDE SYNTAX #######################
# ip tunnel add tunl0
# ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
###(you may reuse this IP on an Ethernet interface
# ip addr add <IP from your 44>/32 dev tunl0
# ip link set tunl0 mtu 1480 up

################### OPTIONAL - DEFAULT ROUTE FOR INTERNET ACCESS #######################
ip route add default dev tunl0 via <AMPRGW_IP> onlink proto 44 table 44

################### POLICY-BADED ROUTING #######################
###OPTIONAL LOCAL RULES
ip rule add from <CIDR_44_allocation> to <LAN e.g. 192.168.1.0/24> table main priority 22

#REQUIRED RULES
ip rule add to <CIDR_44_allocation> table main priority 44
ip rule add dev tunl0 table 44 priority 45
ip rule add dev <interface_for_44LAN> table 44 priority 46
ip rule add from <CIDR_44_allocation> table 44 priority 47

###SOME OF THIS MAY BE NEEDED TO RUN ampr-ripd from another folder than the compile option
###make sure you create the correct save and working folders, etc if you cant recompile ampr-ripd
# This directory is not persistent on OpenWRT/LEDE, it must be made on boot for dynamic filtering
# mkdir /var/lib/ampr-ripd
# Create a blank bootstrap file at /etc/config/encap.txt for this to work
# ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# cd /usr/local/sbin

################### RUN AMPR-RIPD
################### WITH DYNAMIC FIREWALL SCRIPT USING -x
################### see http://wiki.ampr.org/wiki/Firewalls for dynamic script
./ampr-ripd-2.0.x64_Ubuntu16 -i <tunl_interface> -t 44 -a <CIDR_44_allocation> -s -x '/etc/config/load_ipipfilter.sh' &

= Notes =

* '''startampr documentation uses tunl0 as the tunnel interface (it is the default on RIP44 daemons) and table 44 for those routes. Use the -i <if> and -t <ip table> option to change to another. The command arguments differ between [[rip44d]] and [[ampr-ripd]]. startampr uses rip44d. See the documentation for the RIP44 programs if decide to use custom interfaces, tables or switch to a routing daemon other than [[rip44d]].'''
* '''The script places the routing daemon at /usr/local/sbin/rip44d_<version number> (this assists in preventing inadvertent running of RIP44 Protocol before you have configured startampr.
* '''The routing rules do not account for rogue traffic containing both an invalid source and destination IP (which the security of the [[Portal]] generally prevents). Use iptables to DROP forwarding of all traffic entering tunl0 not matching a source or destination of in your allocated subnet(s). This can be done by adding adding rules to drop forwarding, by default, packets not possessing correct source and destination IPs in the range of 44.0.0.0/8, etc.'''
* The -a <IP in [[Portal]]> is used to remove your routes from the table (which is incorrect, as they are local). '''startampr''' places your local routes in a higher routing table, eliminating the need to use the -a argument. This is a good feature for those who are assigned a dynamic IP address from their Internet Service Provider.
* The tunnel interface must be up and configured before '''rip44d''' starts up. '''startampr''' places this command in the proper location.
* rip44d automatically adds an AMPR route to the Main AMPRNet Gateway on table 44
* The '''startampr''' backup script '''/etc/cron.hourly/backup_ampr''' is added to a folder that is configured in Ubuntu, by default, to run scripts at :17 after the hour. The Main AMPR Gateway sends an update every five minutes. For advanced instructions on changing this time interval, see [https://help.ubuntu.com/community/CronHowto the Ubuntu Community cron HowTo].
* A strict assortment of: file permissions, naming conventions and leading characters (e.g. '''"#!/bin/bash"''') are required in '''/etc/init/''', '''/etc/if-up.d/''' (used in a script to reload table 44 on boot) and '''/etc/cron.hourly/'''. Note that: '''startampr''' has properly named those files. If you wish to edit them, please follow the documentation and README for more details.
* '''Please note that: any machine acting as an AMPRNet Gateway must explicitly create high-priority routing rules for all traffic addressed to or from eth0. The network assigned to eth0 must be configured to ONLY use table main.''' No other valid configuration has been found to properly work (discovered by PE1CHL and tested by KB3VWG and others in the [[44Net mailing list]] Community). '''This is due to the unique fact that, on AMPRNet routers, 44.0.0.0/8 exists on both the Public (eth0) and AMPRNet-facing (tunl0) sides of the device. There is no way to properly differentiate the route or destination interface of the traffic received from 44.0.0.0/8 over tunl0 (with your 44Router's 44 IP address), versus that from eth0 (on the Gateway's Public-facing IP). Meaning, there is no way to route traffic for all cases, except by SOURCE OR DESTINATION IP ADDRESS. Therefore, ALL traffic to and from the network facing eth0, must use eth0.''' In order to access your AMPRNet from a local network, you must create another routable LAN (and add TO rules, e.g. ip route add to 172.55.0.0/24 table main priority - and masquerade accordingly if configured to reach all of 44.0.0.0/8), or simply connect directly to an AMPR-facing interface. The rule to only use the main table for the eth0 network allows the AMPRNet Gateway to reach 44 hosts on the Public Internet, leaving the operator to provide all routing rules for AMPR-facing interfaces, which is the intent of '''startampr'''.

= Support, bug reports and improvements =

If you have questions to ask about the usage of this script, please contact the [[44Net mailing list]].

If you have improvements to the script and wish to submit a patch, please contact KB3VWG on the [[44Net mailing list]], or via contact details in the [[Portal]]. Thank you!

The daemon was written by Lynwood, KB3VWG, and with major contributions from PE1CHL (for implementation of policy-based IP routing), Heikki Hannikainen, OH7LZB (to version 1.0's integration with '''[[rip44d]]'''), and Marc, LX1DUC (to automate enabling of IP forwarding).

=See also=

* [[Ubuntu Linux Gateway Example]]
* [[Setting up a gateway on Linux]]
* [[ampr-ripd]]
* [[Encap.txt]]
* [[munge script]]
* [[rip44d]]

= Links =

* [http://www.qsl.net/kb9mwr/wapr/tcpip/rip44d.html Alternative installation instructions by KB9MWR]
* [http://marc.storck.lu/blog/2013/08/howto-setup-an-amprnet-gateway-on-linux/ Alternative installation instructions by Marc, LX1DUC]
* [(link to KB3VWG's site here) Detailed Readme and Installation instructions by KB3VWG]

Archive/Main Page

2017-05-27T12:24:22Z

Kb3vwg: added date to AMPRGW IP change notice

Welcome to the AMPRNet Wiki.

Since its allocation to Amateur Radio in the mid-1980's, Internet network 44 (44.0.0.0/8), known as the AMPRNet™, has been used by amateur radio operators to conduct scientific research and to experiment with digital communications over radio with a goal of advancing the state of the art of Amateur Radio networking, and to educate amateur radio operators in these techniques. - [http://www.ampr.org/ www.ampr.org]

'''IMPORTANT INFORMATION:'''
'''MAY 2017 - Please be advised that the IP of AMPRGW will change in the near future, see the Services page for the new host address.'''
__NOTOC__
== Starting points ==
* [[Quickstart]] guide for getting onto the [[AMPRNet]]
* Basic information about the [[AMPRNet]] and the [[ampr.org]] domain
* [[Services]] available on AMPRNet
* If you are looking to get an IP allocation within the 44/8 AMPRNet please read the [[Portal]] page.
* Frequently Asked Questions (FAQ) [[FAQ]]

== How to connect to AMPRNet ==

* Instructions for [[Setting up a gateway on Linux|setting up a Linux gateway]]
* Instructions for [[Setting up a gateway on OpenBSD|setting up an OpenBSD gateway]]
* Instructions for [[setting up a gateway on Cisco Routers|setting up a gateway on Cisco Routers]].
* Instructions for [[setting up a gateway on MikroTik Routers|setting up a gateway on MikroTik Routers]].
* Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].
* Instructions for [[setting up a gateway on Ubiquiti EdgeRouter|setting up a gateway on Ubiquiti EdgeRouter]].
* Instructions for [[announcing your allocation directly|directly announcing your allocation via your Internet Service Provider (ISP)]].
* Instructions for [[AMPRNet VPN|Accessing AMPRNet via VPN]] (experimental).
* [[Why can't I just route my AMPRNet allocation directly myself ?]]
* If you already operate a [[gateway]] please ensure you have registered on the [[portal]] and "claimed" your [[gateway]].

== Mailing List ==
To keep up-to-date on AMPRNet information please consider joining the [[44Net mailing list]].

== Contribute! ==
If you wish to contribute to the wiki, please send an email to <tt>wiki (at) ampr.org</tt> introducing yourself. Please specify your full name, amateur radio callsign and your preferred username. A login will then be created for you.

== Terms of Service ==
Use of 44.0.0.0/8 address space is governed by these [http://www.ampr.org/terms-of-service/ Terms of Service]

== All Pages ==
[http://wiki.ampr.org/wiki/Special:AllPages Here's a list of all pages currently on the AMPRNet Wiki]