Ubuntu Linux Gateway Example: Difference between revisions
m new AMPRGW IP |
|||
(104 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
The following are the steps necessary to create a general purpose gateway to AMPRNet using an Ubuntu Linux Server. | The following are the steps necessary to create a general purpose gateway to AMPRNet using an Ubuntu Linux Server. | ||
'''(NOTE: A script has been developed to streamline setup of a [[Gateway]], see: [[startampr]])''' | |||
==Cautions== | |||
* Some of these changes may disrupt your Internet Connection! Make sure you have a backup way to reach the Internet to look up information and ask for help! | |||
* Be sure to read through all the directions and make sure you understand what you are doing before proceeding. | |||
* It may be helpful to print out these directions (and related material) for reference. | |||
* '''Be sure to be aware of the security implications of performing these steps. While the steps here try to maximize security for your "non-ham" devices, be aware that these steps may expose those devices to hackers, criminals, and script-kiddies'''. | |||
Finally, to paraphrase from the Broadband-Hamnet(tm) folks: | |||
'''As with ANY piece of Ham radio gear, AMPRNet COULD be used illegally, and it is the control operator's duty to make sure it is being used in accordance with your local Amateur Radio rules.''' | |||
'''This website is not in a position to offer any definitive legal advice. Only a duly appointed person, empowered to interpret the rules and regulations, can do that. That means that for most of us, our opinion has no legal standing – no more than any personal opinion on tax law.''' | |||
You only need to setup a gateway if: | You only need to setup a gateway if: | ||
* You want to access AMPRNet resources that are not accessible from the | * You want to access AMPRNet resources that are not accessible from the global Internet. | ||
* You want to provide access to AMPRNet over RF (via packet or using WiFi). | * You want to provide access to AMPRNet over RF (via packet or using WiFi) and there doesn't exist such a service in your area. | ||
==Design== | ==Design== | ||
The basic design consists of a standard PC running Ubuntu 12.04 (LTS) and three network connections: | The basic design consists of a standard PC running Ubuntu 12.04 (LTS) and three network connections: | ||
# The first connection is to your ISP so you can reach the Internet. | # The first connection (<tt>eth0</tt>) is to your ISP so you can reach the Internet. | ||
# The second connection is used to connect your normal "non-ham" devices to the Internet. | # The second connection (<tt>eth1</tt>) is used to connect your normal "non-ham" devices to the Internet. | ||
# The third connection is used to connect your "ham" devices so they can see and be seen by other AMPRNet | # The third connection (<tt>eth2</tt>) is used to connect your "ham" devices so they can see and be seen by other devices on AMPRNet. | ||
The following diagram | The following diagram illustrates the gateway design. | ||
(Click on the image to enlarge). | (Click on the image to enlarge). | ||
[[File:AMPRNetGatewayDiagram.png| | [[File:AMPRNetGatewayDiagram.png| 500 px]] | ||
==Prerequisites (What do I need to get started?)== | ==Prerequisites (What do I need to get started?)== | ||
===Hardware=== | ===Hardware you will need=== | ||
I'm running my gateway on an old Dell Optiplex GX260 (a Pentium 4 with 512 MB of RAM and a 20 GB Hard drive). You don't need much of a system if your Internet Service Provider's bandwidth is 100Mb/s or less. | I'm running my gateway on an old Dell Optiplex GX260 (a Pentium 4 with 512 MB of RAM and a 20 GB Hard drive). You don't need much of a system if your Internet Service Provider's (ISP) bandwidth is 100Mb/s or less. | ||
Along with the built in Ethernet network interface, I've installed two additional 10/100 Ethernet network cards I purchased from Amazon. | Along with the built in Ethernet network interface, I've installed two additional 10/100 Ethernet network cards I purchased from Amazon. | ||
===Software=== | ===Software you will need=== | ||
On the Dell I've installed [http://www.ubuntu.com/ Ubuntu 12.04 LTS] (the 32-bit server version). With one exception all of the software you will need for the gateway you can get with the server. | On the Dell I've installed [http://www.ubuntu.com/ Ubuntu 12.04 LTS] (the 32-bit server version). With one exception all of the software you will need for the gateway you can get with the server. | ||
===IP Addresses=== | ====Installing Required Linux Software==== | ||
Install the Ubuntu Linux Distribution on your gateway hardware following the instructions on Ubuntu's web site. | |||
After you have installed Ubuntu, you will need to upgrade it with the latest fixes and patches. To do this, you will need to login with the username and password you setup when installing Ubuntu and type the following commands: | |||
<code><pre>sudo apt-get update</pre></code> | |||
You will be prompted for your password and then your gateway will update its database of software to the latest version. | |||
To actually update the sotfware, type the following command: | |||
<code><pre>sudo apt-get upgrade</pre></code> | |||
Enter <tt>yes</tt> when prompted to install the updates. | |||
You will probably need to restart your gateway after installing your updates. To do this type: | |||
<code><pre>sudo shutdown -r now</pre></code> | |||
Your gateway should shutdown and restart. Log back in. | |||
After you have completed upgrading your operating system, you will need to install the following software packages: | |||
; isc-dhcp-server : This software will be used to assign IP addresses dynamically to your "non-ham" and "ham" devices. | |||
; iptables : This software will help protect your gateway, "non-ham" devices, and AMPRNet devices from hackers. | |||
; iptables-persistent : You will need this make sure your iptables settings are remembered when you restart your gateway | |||
To install the software packages type the following at the command line on your gateway hardware: | |||
<code><pre>sudo apt-get install isc-dhcp-server iptables iptables-persistent</pre></code> | |||
===Obtain the IPv4 Addresses you will need=== | |||
====What is an IPv4 Address ?==== | ====What is an IPv4 Address ?==== | ||
An IPv4 address is a unique 32-bit binary number that is assigned to every publicly connected Internet device. | An IPv4 address is a unique 32-bit binary number that is assigned to every publicly connected Internet device. | ||
To make the address easy for humans to read, it is usually represented as a four decimal numbers separated by periods ( | To make the address easy for humans to read, it is usually represented as a four decimal numbers separated by periods (example - <tt>192.0.0.2</tt>). | ||
More information on IPv4 addresses can be found in this [http://en.wikipedia.org/wiki/IP_address | More information on IPv4 addresses can be found in this [http://en.wikipedia.org/wiki/IP_address Wikipedia] article. Take some time to read it over, it will help make it easier to understand the following steps. | ||
====Static IPv4 from your ISP==== | ====Obtain a "Static" IPv4 from your ISP==== | ||
=====What is a "Static" IP ?===== | =====What is a "Static" IP ?===== | ||
Normally your ISP assigns your router a public IPv4 address dynamically from a pool of IPv4 addresses shared by many customers. | Normally your ISP assigns your router a public IPv4 address dynamically from a pool of IPv4 addresses shared by many customers. | ||
This means that your Public IPv4 address can change periodically and without notice. Usually this isn't a big issue for most normal users, however it can cause problems when trying implement an AMPRNet gateway. | This means that your Public IPv4 address can change periodically and without notice. Usually this isn't a big issue for most normal users, however it can cause problems when trying implement an AMPRNet gateway. | ||
While it is possible to make AMPRNet gateways work with a dynamically assigned address, there could be a significant time lag between the time your Public IPv4 address changes and when others on AMPRNet learn about the new gateway address. During this time your AMPRNet subnet may be unreachable. | While it is possible to make AMPRNet gateways work with a dynamically assigned address, there could be a significant time lag between the time your Public IPv4 address changes and when others on AMPRNet learn about the new gateway address. During this time your AMPRNet subnet may be unreachable. | ||
Therefore, I recommend asking your ISP for a "static" IPv4 address. A "static" IPv4 address is one that doesn't change. Usually your ISP will set you up with one for a small setup fee and monthly recurring fee. It is well worth the | Therefore, I recommend asking your ISP for a "static" IPv4 address. A "static" IPv4 address is one that doesn't change. Usually your ISP will set you up with one for a small setup fee and small monthly recurring fee. It is well worth the extra cost to insure a stable gateway. | ||
When you ask for a "static" IPv4 address, your ISP will provide you with the following information that you will need to configure your server. | When you ask for a "static" IPv4 address, your ISP will provide you with the following information that you will need to configure your server. | ||
'''Caution!!!: Once you request a "static" IPv4 address from your ISP, you will need to complete the rest of this setup before you will be able to re-connect your "non-ham" devices to the Internet!!!''' | |||
; IP Address (example - <tt>192.0.2.2</tt>) : The "static" IP Address itself. | ; IP Address (example - <tt>192.0.2.2</tt>) : The "static" IP Address itself. | ||
; Netmask (example - <tt>255.255.255. | ; Netmask (example - <tt>255.255.255.0</tt>) : The netmask is used to determine what part of the IPv4 address is the "network" portion and what portion is the "host" (a good analogy is a Postal Code (network) vs. a House Number (host)). | ||
; Default Gateway (example - <tt>192.0.2.1</tt>) : The default gateway is an IP address that you send traffic to reach the rest of the Internet | ; Default Gateway (example - <tt>192.0.2.1</tt>) : The default gateway is an IP address that you send traffic to to reach the rest of the Internet. | ||
; DNS Server Addresses : DNS | ; DNS Server Addresses (example - <tt>192.0.2.23,192.0.2.24</tt>: DNS server addresses are the IP addresses of systems that look up the IP address of a device you specify by name. (When you type "google.com" into your browser, the DNS Servers look up the IP address for "google.com" to know where to send your search request. | ||
Please make sure you copy this information down carefully and verify it with your ISP. Your gateway will not work correctly without it! | |||
====Decide on Private IPv4 Addresses for "Non-Ham" Devices==== | |||
Your "non-ham" devices will need their own IP Addresses, separate from AMPRNet. Normally these addresses are assigned from what is known as [http://en.wikipedia.org/wiki/RFC1918#Private_IPv4_address_spaces private address space]. Your gateway will take care of routing traffic to and from this private address space to the public Internet. | |||
For this example, let's use the private network <tt>192.168.11.0</tt>. The relevant information would be: | |||
* IP Address for our gateway: <tt>192.168.11.1</tt> | |||
* Netmask <tt>255.255.255.0</tt> | |||
* Default Gateway: <tt>192.168.11.1</tt> (Our gateway will be the default gateway for devices on the "non-ham" network). | |||
* DNS Name Servers: Use the same DNS Name server IP Addresses given to you by your ISP. | |||
====Obtain an AMPRNet IPv4 Address Allocation and Register Your Gateway==== | |||
Once you have your "static" IPv4 address from your ISP; you will need to go the [http://portal.ampr.org/ AMPRNet Portal], [[request an AMPRNet subnet]] from a regional coordinator, and [[register your gateway]]. | |||
For this example we will use a range of AMPRNet addresses that is reserved for testing and documentation. | |||
'''Caution!!!: In order to make sure your AMPRNet gateway and subnet is reachable by others, you MUST obtain and use a production AMPRNet subnet!!!''' | |||
* IP Address : <tt>44.128.10.1</tt> | |||
* Netmask : <tt>255.255.255.0</tt> | |||
* Default Gateway : <tt>44.128.10.1</tt> | |||
* DNS Name Servers : 8.8.8.8, 8.8.4.4 (I use Google's DNS Servers because my ISP doesn't allow queries from subnets other than their own) | |||
==Setting up the ISP (Internet) Interface== | ==Setting up the ISP (Internet) Interface== | ||
===Configuring the interface=== | ===Configuring the interface=== | ||
To configure the ISP Interface, type the following command to edit the file <tt>/etc/networking/interfaces</tt>: | |||
<code><pre>sudo nano /etc/network/interfaces</pre></code> | |||
Find the section that looks like this: | |||
<code><pre> | |||
auto eth0 | |||
iface eth0 inet dhcp | |||
</pre></code> | |||
Change it to look like the following ('''Remember to substitute the information you received from your ISP!!!'''): | |||
<code><pre> | |||
auto eth0 | |||
#iface eth0 inet dhcp | |||
iface eth0 inet static | |||
address 192.0.2.2 | |||
netmask 255.255.255.0 | |||
gateway 192.0.2.1 | |||
dns-nameservers 192.0.2.23 192.0.2.24 | |||
</pre></code> | |||
Double check that the information is correct then save the file by pressing <tt>CTRL-X</tt> and then <tt>Y</tt> to save the file. | |||
To make the changes take effect, type the following commands: | |||
<code><pre> | |||
sudo ifdown eth0 | |||
sudo ifup eth0 | |||
</pre></code> | |||
===Testing=== | ===Testing=== | ||
At this point you should be able to reach the Internet from the gateway (but not from "non-ham" or "ham" devices yet). | |||
To test, type the following command: | |||
<code><pre>ping 8.8.8.8</pre></code> | |||
You should see something like: | |||
<code><pre> | |||
njohnsn@srv01:~$ ping 8.8.8.8 | |||
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. | |||
64 bytes from 8.8.8.8: icmp_req=1 ttl=46 time=127 ms | |||
64 bytes from 8.8.8.8: icmp_req=2 ttl=46 time=128 ms | |||
64 bytes from 8.8.8.8: icmp_req=3 ttl=46 time=130 ms | |||
</pre></code> | |||
Press <tt>CTRL-C</tt> to stop the program. | |||
If you see something different, please check the following: | |||
# That the correct network interface on the gateway system is connected to your ISP (cable or DSL modem). | |||
# Double check the settings in the <tt>/etc/network/interfaces</tt> file. | |||
Don't continue to the next steps until you are successfully able to get the gateway connected to the Internet. | |||
==Setting up the "Non-Ham" Network Interface== | ==Setting up the "Non-Ham" Network Interface== | ||
Now we need to configure things so that you can connect your "non-ham" devices to the Internet. | |||
===Configuring the Interface=== | ===Configuring the Interface=== | ||
Once again you will need to edit the file <tt>/etc/network/interfaces</tt> by type the following: | |||
<code><pre>sudo nano /etc/network/interfaces</pre></code> | |||
Find and edit or add the following section: | |||
<code><pre> | |||
auto eth1 | |||
iface eth1 inet static | |||
address 192.168.11.1 | |||
netmask 255.255.255.0 | |||
</pre></code> | |||
and execute the following commands: | |||
<code><pre> | |||
sudo ifdown eth1 | |||
sudo ifup eth1 | |||
</pre></code> | |||
===Setting up DHCP=== | ===Setting up DHCP=== | ||
== | DHCP stands for Dynamic Host Configuration Protocol and is used to assign IP addresses to hosts dynamically. | ||
To configure DHCP for our "non-ham" devices you will need to edit the file <tt>/etc/dhcp/dhcpd.conf</tt>. | |||
<code><pre> | |||
sudo nano /etc/dhcp/dhcpd.conf | |||
</pre></code> | |||
Uncomment (remove the <tt>#</tt> from the start of the line) the following line: | |||
<code><pre> | |||
authoritative; | |||
</pre></code> | |||
Add the following lines to the end of the file ('''Remember to substitute the address for your DNS Servers''') | |||
<code><pre> | |||
option domain-name "local"; | |||
option domain-name-servers 192.0.2.23, 192.0.2.24; | |||
subnet 192.168.11.0 netmask 255.255.255.0 { | |||
range 192.168.11.20 192.168.11.128; | |||
option routers 192.168.11.1; | |||
} | |||
</pre></code> | |||
and save the file. | |||
Next we will need to restart the DHCP server software by typing the following: | |||
<code><pre> | |||
sudo service isc-dhcp-server restart | |||
</pre></code> | |||
==Enabling forwarding== | |||
Now, we will need to enable "forwarding" of traffic through the gateway. | |||
To do this we will need to edit the file <tt>/etc/sysctl.conf</tt>. | |||
<code><pre> | |||
nano /etc/sysctl.conf | |||
</pre></code> | |||
Find the following section and do what it recommends. It should end up looking like this: | |||
<code><pre> | |||
# Uncomment the next line to enable packet forwarding for IPv4 | |||
net.ipv4.ip_forward=1 | |||
</pre></code> | |||
Save the file and restart your gateway with <tt>sudo shutdown -r now</tt>. | |||
==Setting up the Firewall (Part 1)== | ==Setting up the Firewall (Part 1)== | ||
Now will we need to setup the Firewall using <tt>iptables</tt>. | |||
The [http://www.cyberciti.biz/tips/linux-iptables-examples.html following article]gives a good overview of <tt>iptables</tt>. | |||
The firewall will serve two purposes: | |||
# Allow your "non-ham' devices on private address space to access the Internet buy using NAT. | |||
# Help protect your gateway and "non-ham" devices. | |||
===What is NAT?=== | |||
NAT stands for Network Address Translation. | |||
NAT is what is used in your typical home router or wireless Access | |||
Point (AP) to allow you to connect multiple devices to one Internet | |||
Service Provider (ISP) connection. | |||
Basically NAT makes all your devices on your home network appear as | |||
one device to the ISP. It does this by keeping track of the data | |||
coming from each of your devices and makes sure that the return data | |||
from the Internet gets back to the right device. | |||
===Setting up NAT=== | ===Setting up NAT=== | ||
Setting up NAT for our "non-ham" devices requires the following command: | |||
'''(Be sure to substitute your "static" IP address in the <tt>--to-source</tt> option)''' | |||
<code><pre> | |||
sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.2 | |||
</pre></code> | |||
===Protecting the Gateway=== | ===Protecting the Gateway=== | ||
First, we need to define our default Firewall Policies: | |||
* DROP all traffic headed for our gateway | |||
* ACCEPT all traffic headed out from our gateway | |||
* DROP all traffic to be forwarded between interfaces | |||
To do this type the following commands: | |||
<code><pre> | |||
sudo iptables -P INPUT DROP | |||
sudo iptables -P OUTPUT ACCEPT | |||
sudo iptables -P FORWARD DROP | |||
</pre></code> | |||
Next we need to allow access to the "loopback" interface (The loopback interface is used internally by Linux on the gateway). | |||
<code><pre> | |||
sudo iptables -A INPUT -i lo -j ACCEPT | |||
sudo iptables -A OUTPUT -i lo -j ACCEPT | |||
</pre></code> | |||
Next, we need to allow traffic back into the gateway from connections that were made by the gateway. | |||
<code><pre> | |||
sudo iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |||
</pre></code> | |||
===Protecting the "Non-Ham" Network=== | ===Protecting the "Non-Ham" Network=== | ||
Now we need to allow connections from the "non-ham" network to the Internet and allow the returning traffic from the Internet back to the "non-ham" network. | |||
<code><pre> | |||
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT | |||
sudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |||
</pre></code> | |||
===Saving the firewall rules=== | ===Saving the firewall rules=== | ||
To save our firewall rules so far, type the following commands. | |||
<code><pre> | |||
sudo iptables-save > /etc/iptables/rules.v4 | |||
</pre></code> | |||
===Testing=== | |||
At this point you should be able to connect a "non-ham" device to the "non-ham" interface of your gateway, and be able to access the Internet. | |||
'''Note:''' If you are using a home router or wireless access point, you will need to configure it for "bridging mode" in order to use it with your gateway. Check the documentation for your device to see how to do this. | |||
==Setting up the Local "Ham" Network (AMPRNet) Interface== | ==Setting up the Local "Ham" Network (AMPRNet) Interface== | ||
===Configuring the Interface=== | ===Configuring the Interface=== | ||
Once again you will need to edit the file <tt>/etc/network/interfaces</tt> by typing the following: | |||
<code><pre>sudo nano /etc/network/interfaces</pre></code> | |||
Find and edit or add the following section: | |||
'''NOTE: (Be sure to substitute your production AMPRNet subnet you obtained from your regional coordinator)''' | |||
<code><pre> | |||
auto eth2 | |||
iface eth1 inet static | |||
address 44.128.10.1 | |||
netmask 255.255.255.0 | |||
</pre></code> | |||
and execute the following commands: | |||
<code><pre> | |||
sudo ifdown eth2 | |||
sudo ifup eth2 | |||
</pre></code> | |||
===More DHCP=== | ===More DHCP=== | ||
==Setting up the Tunnel to AMPRNet== | To configure DHCP for our "ham" devices you will need to edit the file <tt>/etc/dhcp/dhcpd.conf</tt> again. | ||
<code><pre> | |||
sudo nano /etc/dhcp/dhcpd.conf | |||
</pre></code> | |||
Add the following lines to the end of the file. | |||
'''NOTE: (Remember to substitute your production AMPRNet addresses for the ones in the example)''' | |||
<code><pre> | |||
subnet 44.128.10.0 netmask 255.255.255.0 { | |||
range 44.128.10.2 44.128.10.254; | |||
option routers 44.128.10.1; | |||
option domain-name-servers 8.8.8.8, 8.8.4.4; | |||
} | |||
</pre></code> | |||
Next we will need to restart the DHCP server software by typing the following: | |||
<code><pre> | |||
sudo service isc-dhcp-server restart | |||
</pre></code> | |||
==Setting up the Tunnel and Routing to AMPRNet== | |||
===Automating Gateway Updates with ampr-ripd=== | |||
The easiest way to receive updates is by running <tt>ampr-ripd</tt> | |||
<tt>ampr-ripd</tt> is a C program that listens for updates from the AMPRNet gateway at UCSD and populates a routing table with the routes to all other gateways. | |||
====Getting, compiling, and installing ampr-ripd==== | |||
To get ampr-ripd and install it, type the following | |||
<code><pre> | |||
mkdir ampr-ripd | |||
cd ampr-ripd | |||
wget http://www.yo2loj.ro/hamprojects/ampr-ripd-1.11.tgz | |||
tar -xzvf ampr-ripd-1.11.tgz | |||
sudo make | |||
sudo make install | |||
</pre></code> | |||
====Finding the password for ampr-ripd==== | |||
By default the gateway updates are projected by a password. | |||
To find the password execute the following command after you have installed ampr-ripd | |||
<code><pre> | |||
sudo ./find_pass.sh | |||
</pre></code> | |||
After a short while you should see: | |||
<code><pre> | |||
Waiting for RIPv2 broadcasts... | |||
Simple password: <SecretPassword> | |||
Simple password: <SecretPassword> | |||
Simple password: <SecretPassword> | |||
Simple password: <SecretPassword> | |||
Simple password: <SecretPassword> | |||
Simple password: <SecretPassword> | |||
Simple password: <SecretPassword> | |||
Simple password: <SecretPassword> | |||
Simple password: <SecretPassword> | |||
</pre></code> | |||
Write down the <SecretPassword> and press <tt>CTRL-C</tt> to stop the program. | |||
===Creating a startup script to connect to AMPRNet=== | |||
The following text can be appended to the end of the <tt>/etc/rc.local</tt> file on your gateway to do the following: | |||
# Configure the AMPRNet IPIP Tunnel | |||
# Configure local routing | |||
# Start ampr-ripd | |||
====First a note about netmask notation in the file==== | |||
In the file below your "netmask" is represented differently than you may receive from your ISP. | |||
In this case we are using [http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR notaton]. | |||
For example the netmask <tt>255.255.255.0</tt> is represented by the CIDR notation <tt>/24</tt>. | |||
A good table of netmask to CIDR notation can be found [http://packetlife.net/media/library/15/IPv4_Subnetting.pdf here]. (Courtesy of [http://packetlife.net/ packetlife.net] ). | |||
To add the text edit the <tt>/etc/rc.local</tt> file by: | |||
<code><pre> | |||
sudo nano /etc/rc.local | |||
</pre></code> | |||
Here is the text to append to the file | |||
'''NOTE: Don't forget to substitute your IP addresses for for the ones in the file.''' | |||
<code><pre> | |||
### | |||
## Create AMPRNet Tunnel and routing | |||
## | |||
## Configure Tunnel (put your ISP you received from your ISP Here). | |||
ip tunnel add ampr0 mode ipip local 192.0.2.2 ttl 255 | |||
## Bring it up | |||
ip link set dev ampr0 up | |||
## Enable Multicast in order to receive routes | |||
ifconfig ampr0 multicast | |||
## Configure Policy Based routing | |||
# Packets to 44/8 network use routing table 44 | |||
ip rule add to 44.0.0.0/8 table 44 priority 44 | |||
# Packets from our 44 subnet use table 44 (put your AMPRNet Subnet here) | |||
ip rule add from 44.128.10.0/24 table 44 priority 45 | |||
## Configure static routes | |||
# Default route for table 44 is to send traffic to amprnet gateway at UCSD | |||
ip route add default dev ampr0 via 169.228.34.84 onlink table 44 | |||
# Route packets for our net to local interface (put your AMPRNet Subnet here) | |||
ip route add 44.128.10.0/24 dev eth2 table 44 | |||
## Start ampr-ripd to learn rest of mesh routes | |||
# Be sure to substitute the password you found earlier for <SecretPassword> | |||
# Put your static IP you received from your ISP here. | |||
ampr-ripd -s -i ampr0 -a 192.0.2.2 -t 44 -p <SecretPassword> | |||
exit 0 | |||
</pre></code> | |||
==Setting up the Firewall (Part 2)== | ==Setting up the Firewall (Part 2)== | ||
=== | ===Forwarding Traffic to "Ham" Devices=== | ||
You will need to add the following <tt>iptables</tt> rules to allow traffic to and from your local AMPRNet subnet and the global AMPRNet and allow your "ham" devices to obtain IP addresses via DHCP. | |||
<code><pre> | |||
sudo iptables -A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT | |||
sudo iptables -A INPUT -i eth0 -p ipencap -j ACCEPT | |||
sudo iptables -A FORWARD -s 44.128.0.0/16 -j REJECT --reject-with icmp-port-unreachable | |||
sudo iptables -A FORWARD -d 44.128.0.0/16 -j REJECT --reject-with icmp-port-unreachable | |||
</pre></code> | |||
If you want to only allow AMPRNet traffic to and from your local AMPRNet net add the following rules: | |||
<code><pre> | |||
sudo iptables -A FORWARD -i ampr0 -o eth2 -s 44.0.0.0/8 -j ACCEPT | |||
sudo iptables -A FORWARD -i eth2 -o ampr0 -d 44.0.0.0/8 -j ACCEPT | |||
</pre></code> | |||
Or you can let everything through by adding these rules instead: | |||
'''Caution: This rule allows all traffic between the Global AMPRNet and your local AMPRNet subnet. Be sure you understand the security and legal implications of allowing this traffic, especially when sending traffic over RF!!''' | |||
<code><pre> | |||
sudo iptables -A FORWARD -i ampr0 -o eth2 -j ACCEPT | |||
sudo iptables -A FORWARD -i eth2 -o ampr0 -j ACCEPT | |||
</pre></code> | |||
For ease of troubleshooting it's a good idea to log rejected packets with the following commands: | |||
<code><pre> | |||
sudo iptables -A INPUT -j LOG | |||
sudo iptables -A FORWARD -j LOG | |||
</pre></code> | |||
Finally to save our firewall rules, type the following commands. | |||
<code><pre> | |||
sudo iptables-save > /etc/iptables/rules.v4 | |||
</pre></code> | |||
==Testing== | ==Testing== | ||
At this point you should be able to connect "ham" devices to the "ham" network interface <tt>eth2</tt> and be able to reach the internet. | |||
Latest revision as of 20:19, 26 May 2017
The following are the steps necessary to create a general purpose gateway to AMPRNet using an Ubuntu Linux Server. (NOTE: A script has been developed to streamline setup of a Gateway, see: startampr)
Cautions
- Some of these changes may disrupt your Internet Connection! Make sure you have a backup way to reach the Internet to look up information and ask for help!
- Be sure to read through all the directions and make sure you understand what you are doing before proceeding.
- It may be helpful to print out these directions (and related material) for reference.
- Be sure to be aware of the security implications of performing these steps. While the steps here try to maximize security for your "non-ham" devices, be aware that these steps may expose those devices to hackers, criminals, and script-kiddies.
Finally, to paraphrase from the Broadband-Hamnet(tm) folks:
As with ANY piece of Ham radio gear, AMPRNet COULD be used illegally, and it is the control operator's duty to make sure it is being used in accordance with your local Amateur Radio rules.
This website is not in a position to offer any definitive legal advice. Only a duly appointed person, empowered to interpret the rules and regulations, can do that. That means that for most of us, our opinion has no legal standing – no more than any personal opinion on tax law.
You only need to setup a gateway if:
- You want to access AMPRNet resources that are not accessible from the global Internet.
- You want to provide access to AMPRNet over RF (via packet or using WiFi) and there doesn't exist such a service in your area.
Design
The basic design consists of a standard PC running Ubuntu 12.04 (LTS) and three network connections:
- The first connection (eth0) is to your ISP so you can reach the Internet.
- The second connection (eth1) is used to connect your normal "non-ham" devices to the Internet.
- The third connection (eth2) is used to connect your "ham" devices so they can see and be seen by other devices on AMPRNet.
The following diagram illustrates the gateway design. (Click on the image to enlarge).
Error creating thumbnail: File missing
Prerequisites (What do I need to get started?)
Hardware you will need
I'm running my gateway on an old Dell Optiplex GX260 (a Pentium 4 with 512 MB of RAM and a 20 GB Hard drive). You don't need much of a system if your Internet Service Provider's (ISP) bandwidth is 100Mb/s or less.
Along with the built in Ethernet network interface, I've installed two additional 10/100 Ethernet network cards I purchased from Amazon.
Software you will need
On the Dell I've installed Ubuntu 12.04 LTS (the 32-bit server version). With one exception all of the software you will need for the gateway you can get with the server.
Installing Required Linux Software
Install the Ubuntu Linux Distribution on your gateway hardware following the instructions on Ubuntu's web site.
After you have installed Ubuntu, you will need to upgrade it with the latest fixes and patches. To do this, you will need to login with the username and password you setup when installing Ubuntu and type the following commands:
sudo apt-get update
You will be prompted for your password and then your gateway will update its database of software to the latest version.
To actually update the sotfware, type the following command:
sudo apt-get upgrade
Enter yes when prompted to install the updates.
You will probably need to restart your gateway after installing your updates. To do this type:
sudo shutdown -r now
Your gateway should shutdown and restart. Log back in.
After you have completed upgrading your operating system, you will need to install the following software packages:
- isc-dhcp-server
- This software will be used to assign IP addresses dynamically to your "non-ham" and "ham" devices.
- iptables
- This software will help protect your gateway, "non-ham" devices, and AMPRNet devices from hackers.
- iptables-persistent
- You will need this make sure your iptables settings are remembered when you restart your gateway
To install the software packages type the following at the command line on your gateway hardware:
sudo apt-get install isc-dhcp-server iptables iptables-persistent
Obtain the IPv4 Addresses you will need
What is an IPv4 Address ?
An IPv4 address is a unique 32-bit binary number that is assigned to every publicly connected Internet device.
To make the address easy for humans to read, it is usually represented as a four decimal numbers separated by periods (example - 192.0.0.2).
More information on IPv4 addresses can be found in this Wikipedia article. Take some time to read it over, it will help make it easier to understand the following steps.
Obtain a "Static" IPv4 from your ISP
What is a "Static" IP ?
Normally your ISP assigns your router a public IPv4 address dynamically from a pool of IPv4 addresses shared by many customers. This means that your Public IPv4 address can change periodically and without notice. Usually this isn't a big issue for most normal users, however it can cause problems when trying implement an AMPRNet gateway. While it is possible to make AMPRNet gateways work with a dynamically assigned address, there could be a significant time lag between the time your Public IPv4 address changes and when others on AMPRNet learn about the new gateway address. During this time your AMPRNet subnet may be unreachable.
Therefore, I recommend asking your ISP for a "static" IPv4 address. A "static" IPv4 address is one that doesn't change. Usually your ISP will set you up with one for a small setup fee and small monthly recurring fee. It is well worth the extra cost to insure a stable gateway.
When you ask for a "static" IPv4 address, your ISP will provide you with the following information that you will need to configure your server.
Caution!!!: Once you request a "static" IPv4 address from your ISP, you will need to complete the rest of this setup before you will be able to re-connect your "non-ham" devices to the Internet!!!
- IP Address (example - 192.0.2.2)
- The "static" IP Address itself.
- Netmask (example - 255.255.255.0)
- The netmask is used to determine what part of the IPv4 address is the "network" portion and what portion is the "host" (a good analogy is a Postal Code (network) vs. a House Number (host)).
- Default Gateway (example - 192.0.2.1)
- The default gateway is an IP address that you send traffic to to reach the rest of the Internet.
- DNS Server Addresses (example - 192.0.2.23,192.0.2.24
- DNS server addresses are the IP addresses of systems that look up the IP address of a device you specify by name. (When you type "google.com" into your browser, the DNS Servers look up the IP address for "google.com" to know where to send your search request.
Please make sure you copy this information down carefully and verify it with your ISP. Your gateway will not work correctly without it!
Decide on Private IPv4 Addresses for "Non-Ham" Devices
Your "non-ham" devices will need their own IP Addresses, separate from AMPRNet. Normally these addresses are assigned from what is known as private address space. Your gateway will take care of routing traffic to and from this private address space to the public Internet.
For this example, let's use the private network 192.168.11.0. The relevant information would be:
- IP Address for our gateway: 192.168.11.1
- Netmask 255.255.255.0
- Default Gateway: 192.168.11.1 (Our gateway will be the default gateway for devices on the "non-ham" network).
- DNS Name Servers: Use the same DNS Name server IP Addresses given to you by your ISP.
Obtain an AMPRNet IPv4 Address Allocation and Register Your Gateway
Once you have your "static" IPv4 address from your ISP; you will need to go the AMPRNet Portal, request an AMPRNet subnet from a regional coordinator, and register your gateway.
For this example we will use a range of AMPRNet addresses that is reserved for testing and documentation.
Caution!!!: In order to make sure your AMPRNet gateway and subnet is reachable by others, you MUST obtain and use a production AMPRNet subnet!!!
- IP Address : 44.128.10.1
- Netmask : 255.255.255.0
- Default Gateway : 44.128.10.1
- DNS Name Servers : 8.8.8.8, 8.8.4.4 (I use Google's DNS Servers because my ISP doesn't allow queries from subnets other than their own)
Setting up the ISP (Internet) Interface
Configuring the interface
To configure the ISP Interface, type the following command to edit the file /etc/networking/interfaces:
sudo nano /etc/network/interfaces
Find the section that looks like this:
auto eth0
iface eth0 inet dhcp
Change it to look like the following (Remember to substitute the information you received from your ISP!!!):
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
address 192.0.2.2
netmask 255.255.255.0
gateway 192.0.2.1
dns-nameservers 192.0.2.23 192.0.2.24
Double check that the information is correct then save the file by pressing CTRL-X and then Y to save the file.
To make the changes take effect, type the following commands:
sudo ifdown eth0
sudo ifup eth0
Testing
At this point you should be able to reach the Internet from the gateway (but not from "non-ham" or "ham" devices yet). To test, type the following command:
ping 8.8.8.8
You should see something like:
njohnsn@srv01:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=46 time=127 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=46 time=128 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=46 time=130 ms
Press CTRL-C to stop the program.
If you see something different, please check the following:
- That the correct network interface on the gateway system is connected to your ISP (cable or DSL modem).
- Double check the settings in the /etc/network/interfaces file.
Don't continue to the next steps until you are successfully able to get the gateway connected to the Internet.
Setting up the "Non-Ham" Network Interface
Now we need to configure things so that you can connect your "non-ham" devices to the Internet.
Configuring the Interface
Once again you will need to edit the file /etc/network/interfaces by type the following:
sudo nano /etc/network/interfaces
Find and edit or add the following section:
auto eth1
iface eth1 inet static
address 192.168.11.1
netmask 255.255.255.0
and execute the following commands:
sudo ifdown eth1
sudo ifup eth1
Setting up DHCP
DHCP stands for Dynamic Host Configuration Protocol and is used to assign IP addresses to hosts dynamically. To configure DHCP for our "non-ham" devices you will need to edit the file /etc/dhcp/dhcpd.conf.
sudo nano /etc/dhcp/dhcpd.conf
Uncomment (remove the # from the start of the line) the following line:
authoritative;
Add the following lines to the end of the file (Remember to substitute the address for your DNS Servers)
option domain-name "local";
option domain-name-servers 192.0.2.23, 192.0.2.24;
subnet 192.168.11.0 netmask 255.255.255.0 {
range 192.168.11.20 192.168.11.128;
option routers 192.168.11.1;
}
and save the file.
Next we will need to restart the DHCP server software by typing the following:
sudo service isc-dhcp-server restart
Enabling forwarding
Now, we will need to enable "forwarding" of traffic through the gateway. To do this we will need to edit the file /etc/sysctl.conf.
nano /etc/sysctl.conf
Find the following section and do what it recommends. It should end up looking like this:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Save the file and restart your gateway with sudo shutdown -r now.
Setting up the Firewall (Part 1)
Now will we need to setup the Firewall using iptables. The following articlegives a good overview of iptables. The firewall will serve two purposes:
- Allow your "non-ham' devices on private address space to access the Internet buy using NAT.
- Help protect your gateway and "non-ham" devices.
What is NAT?
NAT stands for Network Address Translation.
NAT is what is used in your typical home router or wireless Access Point (AP) to allow you to connect multiple devices to one Internet Service Provider (ISP) connection.
Basically NAT makes all your devices on your home network appear as one device to the ISP. It does this by keeping track of the data coming from each of your devices and makes sure that the return data from the Internet gets back to the right device.
Setting up NAT
Setting up NAT for our "non-ham" devices requires the following command: (Be sure to substitute your "static" IP address in the --to-source option)
sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.2
Protecting the Gateway
First, we need to define our default Firewall Policies:
- DROP all traffic headed for our gateway
- ACCEPT all traffic headed out from our gateway
- DROP all traffic to be forwarded between interfaces
To do this type the following commands:
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD DROP
Next we need to allow access to the "loopback" interface (The loopback interface is used internally by Linux on the gateway).
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -i lo -j ACCEPT
Next, we need to allow traffic back into the gateway from connections that were made by the gateway.
sudo iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Protecting the "Non-Ham" Network
Now we need to allow connections from the "non-ham" network to the Internet and allow the returning traffic from the Internet back to the "non-ham" network.
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Saving the firewall rules
To save our firewall rules so far, type the following commands.
sudo iptables-save > /etc/iptables/rules.v4
Testing
At this point you should be able to connect a "non-ham" device to the "non-ham" interface of your gateway, and be able to access the Internet.
Note: If you are using a home router or wireless access point, you will need to configure it for "bridging mode" in order to use it with your gateway. Check the documentation for your device to see how to do this.
Setting up the Local "Ham" Network (AMPRNet) Interface
Configuring the Interface
Once again you will need to edit the file /etc/network/interfaces by typing the following:
sudo nano /etc/network/interfaces
Find and edit or add the following section: NOTE: (Be sure to substitute your production AMPRNet subnet you obtained from your regional coordinator)
auto eth2
iface eth1 inet static
address 44.128.10.1
netmask 255.255.255.0
and execute the following commands:
sudo ifdown eth2
sudo ifup eth2
More DHCP
To configure DHCP for our "ham" devices you will need to edit the file /etc/dhcp/dhcpd.conf again.
sudo nano /etc/dhcp/dhcpd.conf
Add the following lines to the end of the file. NOTE: (Remember to substitute your production AMPRNet addresses for the ones in the example)
subnet 44.128.10.0 netmask 255.255.255.0 {
range 44.128.10.2 44.128.10.254;
option routers 44.128.10.1;
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
Next we will need to restart the DHCP server software by typing the following:
sudo service isc-dhcp-server restart
Setting up the Tunnel and Routing to AMPRNet
Automating Gateway Updates with ampr-ripd
The easiest way to receive updates is by running ampr-ripd ampr-ripd is a C program that listens for updates from the AMPRNet gateway at UCSD and populates a routing table with the routes to all other gateways.
Getting, compiling, and installing ampr-ripd
To get ampr-ripd and install it, type the following
mkdir ampr-ripd
cd ampr-ripd
wget http://www.yo2loj.ro/hamprojects/ampr-ripd-1.11.tgz
tar -xzvf ampr-ripd-1.11.tgz
sudo make
sudo make install
Finding the password for ampr-ripd
By default the gateway updates are projected by a password. To find the password execute the following command after you have installed ampr-ripd
sudo ./find_pass.sh
After a short while you should see:
Waiting for RIPv2 broadcasts...
Simple password: <SecretPassword>
Simple password: <SecretPassword>
Simple password: <SecretPassword>
Simple password: <SecretPassword>
Simple password: <SecretPassword>
Simple password: <SecretPassword>
Simple password: <SecretPassword>
Simple password: <SecretPassword>
Simple password: <SecretPassword>
Write down the <SecretPassword> and press CTRL-C to stop the program.
Creating a startup script to connect to AMPRNet
The following text can be appended to the end of the /etc/rc.local file on your gateway to do the following:
- Configure the AMPRNet IPIP Tunnel
- Configure local routing
- Start ampr-ripd
First a note about netmask notation in the file
In the file below your "netmask" is represented differently than you may receive from your ISP.
In this case we are using CIDR notaton.
For example the netmask 255.255.255.0 is represented by the CIDR notation /24.
A good table of netmask to CIDR notation can be found here. (Courtesy of packetlife.net ).
To add the text edit the /etc/rc.local file by:
sudo nano /etc/rc.local
Here is the text to append to the file NOTE: Don't forget to substitute your IP addresses for for the ones in the file.
###
## Create AMPRNet Tunnel and routing
##
## Configure Tunnel (put your ISP you received from your ISP Here).
ip tunnel add ampr0 mode ipip local 192.0.2.2 ttl 255
## Bring it up
ip link set dev ampr0 up
## Enable Multicast in order to receive routes
ifconfig ampr0 multicast
## Configure Policy Based routing
# Packets to 44/8 network use routing table 44
ip rule add to 44.0.0.0/8 table 44 priority 44
# Packets from our 44 subnet use table 44 (put your AMPRNet Subnet here)
ip rule add from 44.128.10.0/24 table 44 priority 45
## Configure static routes
# Default route for table 44 is to send traffic to amprnet gateway at UCSD
ip route add default dev ampr0 via 169.228.34.84 onlink table 44
# Route packets for our net to local interface (put your AMPRNet Subnet here)
ip route add 44.128.10.0/24 dev eth2 table 44
## Start ampr-ripd to learn rest of mesh routes
# Be sure to substitute the password you found earlier for <SecretPassword>
# Put your static IP you received from your ISP here.
ampr-ripd -s -i ampr0 -a 192.0.2.2 -t 44 -p <SecretPassword>
exit 0
Setting up the Firewall (Part 2)
Forwarding Traffic to "Ham" Devices
You will need to add the following iptables rules to allow traffic to and from your local AMPRNet subnet and the global AMPRNet and allow your "ham" devices to obtain IP addresses via DHCP.
sudo iptables -A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p ipencap -j ACCEPT
sudo iptables -A FORWARD -s 44.128.0.0/16 -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A FORWARD -d 44.128.0.0/16 -j REJECT --reject-with icmp-port-unreachable
If you want to only allow AMPRNet traffic to and from your local AMPRNet net add the following rules:
sudo iptables -A FORWARD -i ampr0 -o eth2 -s 44.0.0.0/8 -j ACCEPT
sudo iptables -A FORWARD -i eth2 -o ampr0 -d 44.0.0.0/8 -j ACCEPT
Or you can let everything through by adding these rules instead:
Caution: This rule allows all traffic between the Global AMPRNet and your local AMPRNet subnet. Be sure you understand the security and legal implications of allowing this traffic, especially when sending traffic over RF!!
sudo iptables -A FORWARD -i ampr0 -o eth2 -j ACCEPT
sudo iptables -A FORWARD -i eth2 -o ampr0 -j ACCEPT
For ease of troubleshooting it's a good idea to log rejected packets with the following commands:
sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
Finally to save our firewall rules, type the following commands.
sudo iptables-save > /etc/iptables/rules.v4
Testing
At this point you should be able to connect "ham" devices to the "ham" network interface eth2 and be able to reach the internet.