Script
#!/bin/bash
#############################################################
###STARTAMPR v2.0 May 26, 2017###
###
### TO DO - Have the AMPRNet Community test and verify
###
### CHANGELOG
###
### v2.0 RC4
### - Dialogue about how to add routes and rules for any created test subnet(s).
###
### v2.0 RC3
### - Exclusively separates routes and tables, as well as priorities, by class and type
### - This makes unnecessary the exclusion of local subnets in ampr-ripd using the '-a' switch,
###   by adding local 44 network(s) to a higher priority routing table
### - This should enable you to become a tunnel GW for BGPed 44/8 subnets
### - Provides table 7777 as a BLACKHOLE/NULL Route
### - Adds script to load last hourly backup of table 44 on boot
### - With script backup_ampr, creates a backup of the routing table in a file named table44_bak
###   and an executable restore44sh hourly to use on the running machine to
###   restore table 44 if the table needs to be flushed during uptime
###
### v2.0
### - Streamlined commands and routes
### - Placed syntax for Debian/Ubuntu and OpenWRT/LEDE devices
#############################################################
## This script was developed by KB3VWG on a standard
## Ubuntu 16.04.2 LTS PC, eth0 configured to the Public-facing
## LAN and eth1 to the 44LAN. It is designed to enable an
## AMPR Router using ampr-ripd v2.0, the standard ampr-ripd,
## using the -t switch to add routes to routing table '44'
## with no further configuration needed (firewall optional)
##############################################################
##################################################################
## This script was modified by LX1DUC to automate even more tasks.
##################################################################
##################################################################
## Thanks to PE1CHL for discovering the need for policy-based routing
## Thanks to KI4SZJ for testing v2.0
##################################################################
### ENABLE IP FORWARDING ###
sysctl -w net.ipv4.ip_forward=1
## Allows traceroute to respond using the 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr
################### AMPRNet IPENCAP UBUNTU SYNTAX #######################
# modprobe ipip
# ip tunnel add tunl0 mode ipip
### NUMBER tunl0 with a /32 from your allocation
### (you may reuse this IP on an Ethernet interface)
# ip addr add <IP from your 44>/32 dev tunl0
# ip link set tunl0 mtu 1480 up
# ip tunnel change tunl0 ttl 64 tos inherit pmtudisc
################### AMPRNet IPENCAP OpenWRT/LEDE SYNTAX #######################
# ip tunnel add tunl0
# ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
### (you may reuse this IP on an Ethernet interface)
# ip addr add <IP from your 44>/32 dev tunl0
# ip link set tunl0 mtu 1480 up
################### OPTIONAL - DEFAULT ROUTE FOR INTERNET ACCESS #######################
ip route add default dev tunl0 via <AMPRGW_IP> onlink proto 44 table 44
################### POLICY-BASED ROUTING #######################
### OPTIONAL LOCAL RULES
ip rule add from <CIDR_44_allocation> to <LAN e.g. 192.168.1.0/24> table main priority 22
# REQUIRED RULES
ip rule add to <CIDR_44_allocation> table main priority 44
ip rule add dev tunl0 table 44 priority 45
ip rule add dev <interface_for_44LAN> table 44 priority 46
ip rule add from <CIDR_44_allocation> table 44 priority 47
### SOME OF THIS MAY BE NEEDED TO RUN ampr-ripd FROM ANOTHER FOLDER THAN THE COMPILE OPTION
### make sure you create the correct save and working folders, etc. if you can't recompile ampr-ripd
# This directory is not persistent on OpenWRT/LEDE, it must be made on boot for dynamic filtering
# mkdir /var/lib/ampr-ripd
# Create a blank bootstrap file at /etc/config/encap.txt for this to work
# ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# cd /usr/local/sbin
################### RUN AMPR-RIPD
################### WITH DYNAMIC FIREWALL SCRIPT USING -x
################### see http://wiki.ampr.org/wiki/Firewalls for dynamic script
./ampr-ripd-2.0.x64_Ubuntu16 -i <tunl_interface> -t 44 -a <CIDR_44_allocation> -s -x '/etc/config/load_ipipfilter.sh' -L <CALLSIGN>@<GRID_SQUARE> &
Notes
- startampr documentation uses tunl0 as the tunnel interface (it is the default on RIP44 daemons) and table 44 for those routes. Use the -i <if> and -t <ip table> options to change to another. The command arguments differ between rip44d and ampr-ripd. startampr uses rip44d. See the documentation for the RIP44 programs if you decide to use custom interfaces, tables or switch to a routing daemon other than rip44d.
- The script places the routing daemon at /usr/local/sbin/rip44d_<version number> (this assists in preventing inadvertent running of the RIP44 protocol before you have configured startampr).
- The routing rules do not account for rogue traffic containing both an invalid source and destination IP (which the security of the Portal generally prevents). Use iptables to DROP forwarding of all traffic entering tunl0 not matching a source or destination in your allocated subnet(s). This can be done by adding rules that, by default, drop forwarding of packets not possessing correct source and destination IPs in the range of 44.0.0.0/8, etc.
- The -a <IP in Portal> argument is used to remove your routes from the table (which is incorrect, as they are local). startampr places your local routes in a higher routing table, eliminating the need to use the -a argument. This is a good feature for those who are assigned a dynamic IP address from their Internet Service Provider.
- The tunnel interface must be up and configured before rip44d starts up. startampr places this command in the proper location.
- The startampr backup script /etc/cron.hourly/backup_ampr is added to a folder that is configured in Ubuntu, by default, to run scripts at :17 after the hour. The Main AMPR Gateway sends an update every five minutes. For advanced instructions on changing this time interval, see the Ubuntu Community cron HowTo (https://help.ubuntu.com/community/CronHowto).
- A strict assortment of file permissions, naming conventions and leading characters (e.g. "#!/bin/bash") is required in /etc/init/, /etc/if-up.d/ (used in a script to reload table 44 on boot) and /etc/cron.hourly/. Note that startampr has properly named those files. If you wish to edit them, please follow the documentation and README for more details.
- Please note that any machine acting as an AMPRNet Gateway must explicitly create high-priority routing rules for all traffic addressed to or from eth0. The network assigned to eth0 must be configured to ONLY use table main. No other valid configuration has been found to work properly (discovered by PE1CHL and tested by KB3VWG and others in the 44Net mailing list Community). This is due to the unique fact that, on AMPRNet routers, 44.0.0.0/8 exists on both the Public (eth0) and AMPRNet-facing (tunl0) sides of the device. There is no way to properly differentiate the route or destination interface of the traffic received from 44.0.0.0/8 over tunl0 (with your 44Router's 44 IP address) versus that from eth0 (on the Gateway's Public-facing IP). Meaning, there is no way to route traffic for all cases except by SOURCE OR DESTINATION IP ADDRESS. Therefore, ALL traffic to and from the network facing eth0 must use eth0. In order to access your AMPRNet from a local network, you must create another routable LAN (and add TO rules, e.g. ip route add to 172.55.0.0/24 table main priority - and masquerade accordingly if configured to reach all of AMPRNet), or simply connect directly to an AMPR-facing interface. The rule to only use the main table for the eth0 network allows the AMPRNet Gateway to reach 44 hosts on the Public Internet, leaving the operator to provide all routing rules for AMPR-facing interfaces, which is the intent of startampr.
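The rule block in the script and the Notes above decide a packet's routing table by source, destination and inbound interface. The following is an added example, not part of startampr, that simulates the Linux policy-rule lookup for the startampr 2.0 rule set so the outcome for each kind of packet can be checked without a live gateway; the allocation 44.10.20.0/24, the LAN 192.168.1.0/24 and the 44LAN interface eth1 are constructed assumptions standing in for the script's placeholders, and the kernel's default "lookup main" rule at priority 32766 is included so the fall-through is visible.

```bash
#!/bin/bash
# Added example, not part of startampr: simulate the Linux policy-rule lookup
# for the rule set startampr 2.0 installs, to show which routing table a packet
# consults. The allocation, LAN and 44LAN interface are constructed assumptions
# standing in for the <placeholders> in the script.
ALLOC44="44.10.20.0/24"   # <CIDR_44_allocation>
LAN="192.168.1.0/24"      # <LAN e.g. 192.168.1.0/24>
IF44LAN="eth1"            # <interface_for_44LAN>

# Rules in priority order as the startampr rule block creates them, plus the
# kernel's default "lookup main" rule at priority 32766 so fall-through shows.
# Columns: priority  selectors (comma separated)  table
RULES="22 from:$ALLOC44,to:$LAN main
44 to:$ALLOC44 main
45 dev:tunl0 44
46 dev:$IF44LAN 44
47 from:$ALLOC44 44
32766 any main"

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> success if ADDR lies inside NET/BITS
in_cidr() {
  local net="${2%/*}" bits="${2#*/}" mask
  mask=$(( bits == 0 ? 0 : (4294967295 >> (32 - bits)) << (32 - bits) ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# lookup IIF SRC DST -> prints "PRIORITY TABLE" of the first matching rule.
# "dev" in an ip rule is the inbound interface, so that is what is compared.
lookup() {
  local iif="$1" src="$2" dst="$3" hit
  hit=$(printf '%s\n' "$RULES" | while read -r prio sel table; do
    ok=1
    IFS=,
    for cond in $sel; do
      case $cond in
        any)    ;;
        from:*) in_cidr "$src" "${cond#from:}" || ok=0 ;;
        to:*)   in_cidr "$dst" "${cond#to:}"   || ok=0 ;;
        dev:*)  [ "$iif" = "${cond#dev:}" ]    || ok=0 ;;
      esac
    done
    unset IFS
    if [ "$ok" -eq 1 ]; then echo "$prio $table"; break; fi
  done)
  [ -n "$hit" ] && echo "$hit"
}

# Cases from the Notes: traffic to the allocation uses main (reaches the 44LAN);
# anything else arriving on tunl0 is confined to table 44, which holds no LAN
# or Internet routes, so the version 1.0 leak cannot happen; the 44LAN-to-LAN
# rule at priority 22 is the optional local exception.
for pkt in "tunl0 44.1.2.3 44.10.20.5" \
           "tunl0 198.51.100.9 192.168.1.5" \
           "eth1 44.10.20.5 192.168.1.5" \
           "eth1 44.10.20.5 44.5.6.7" \
           "eth0 203.0.113.9 198.51.100.2"; do
  printf '%-32s -> rule %s\n' "$pkt" "$(lookup $pkt)"
done
```

The simulator only models the rule lookup; whether a packet is then forwarded depends on the routes in the selected table and on the iptables FORWARD rules the Notes recommend.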
Support, bug reports and improvements
Links
- Alternative installation instructions by KB9MWR: http://www.qsl.net/kb9mwr/wapr/tcpip/ampr-ripd.html
- Alternative installation instructions by Marc, LX1DUC: http://marc.storck.lu/blog/2013/08/howto-setup-an-amprnet-gateway-on-linux/
- Detailed Readme and Installation instructions by KB3VWG: (link to KB3VWG's site here)
Latest revision as of 11:46, 25 July 2019
startampr is a custom suite of Bourne Again Shell scripts developed by KB3VWG and others in the 44Net mailing list Community, that turns a Debian/Ubuntu-based Linux machine into an AMPR Gateway on boot; and starts an IPENCAP (or IP Protocol number four) tunnel. The primary advantage to using this suite is that it executes and enables AMPR RIP44 daemons, munge scripts, interfaces and routing commands in proper boot order; and references them using the command syntax, default command arguments and practices that have become the de facto standard on AMPRNet. It is also minimally invasive, in that the machine otherwise remains an "untouched" default installation; and can be returned to an OEM Ubuntu installation by simply removing all associated files and uninstalling all packages added when configuring the machine to run startampr (please assist me in developing an uninstall script, if interested). Also, if you install a server GUI (e.g. Webmin), you can disable the routing features of the machine simply by checking a box, and hitting APPLY (on next reboot, it is disabled). The current versions are 1.0 (no longer developed), and 2.0, released to the 44Net mailing list Community on May 26, 2017 at 14:14 UTC.
Detailed Summary
In addition to the first and main script, startampr, other tools included with the official release are: init scripts to execute the file, save the routing table (if using a method that does not automatically save it); and an executable script generator (made using the sed command) that can restore the AMPR routing table (i.e. in the case the administrator flushes the table). The script uses the ipip Linux Kernel module and implements Linux ip routing table's policy-based routing to properly move traffic across the routing plane. It is suggested that iptables be used to firewall traffic after verification of a proper installation.
The official release uses rip44d as its RIP44 protocol daemon, but ampr-ripd or Encap.txt with a munge script may be used (instructions by KB9MWR use ampr-ripd). To operate a Gateway on AMPRNet, you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of the RIP version 2 protocol named RIP44 is used. RIP version 2 is not the same as RIP44. rip44d is written in the Perl programming language by Heikki Hannikainen, OH7LZB. ampr-ripd is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. The developer chose rip44d simply because it was the only daemon available when version 1.0 was developed. Any method that adds route information to table 44 will work. Note that startampr was developed around rip44d and adds features it does not include (e.g. reload of the routing table upon reboot). The scripts to backup/restore are not needed when using ampr-ripd (but can be developed to provide geographically-local tertiary sources of the AMPR routing table).
NOTE: if you do not wish to compile software, you must use rip44d or Encap.txt with a munge script.
2.0 Security Update
startampr 2.0's code includes a security fix that corrects a routing issue in version 1.0 which allowed unencapsulated traffic from the tunnel to leak onto the LAN or Public Internet interface; this only occurs when an AMPRNet-facing user attempts to connect using an invalid source IP or an invalid AMPRNet IP address. In the original development of version 1.0, it was considered that this behavior could be valid to reach subnets run by operators using the option at Announcing your allocation directly, but who do not make their tunnel available on a non-44.0.0.0/8 address (it was announced on the 44Net mailing list on 04AUG2015 that AMPRGW now routes traffic to/from BGPed and IPENCAPed AMPR subnets, making this programmatic workaround unnecessary).
It is a generally accepted practice on the Internet that network operators source-filter their traffic, making BGPed subnets an exception for AMPRNet Gateways (see RFC3013, sections 4.3 and 4.4). It is also accepted AMPRNet practice that these operators consider running a tunneled Gateway on any non-AMPRNet IP available, for accessibility to/from those running IPENCAP Gateways. It may also be useful to have redundant VLANs on two or more interfaces possessing the same Public IP at two or more borders, and to run a script between the AMPR Gateways that uses Dynamic DNS to synchronize them, checks whether connectivity goes down on either device's tunl0 interface and updates the Portal accordingly.
I'm happy and willing to work with any BGP subnet operator who wishes to develop a script to establish an AMPR Gateway for your multi-homed AMPRNet BGPed subnet.
Requirements, Installation Overview and Features
- You'll need a Linux computer which has been added to the Gateways file using the Portal, so that it is known as an AMPRNet Gateway and will receive RIP44 updates from the main Gateway. It will take some time before AMPRGW learns about new gateways.
- The instructions below are currently only for Debian/Ubuntu, but there's nothing Debian-specific: it should work fine on other distributions, provided the correct packages are used (e.g. wget/curl, the Bourne Again Shell/BASH, sed, ip, chmod, Perl, etc.) and interface names, file and folder locations, file permissions, etc. are edited.
You must first properly install:
- the operating system and network interfaces
- then properly install startampr at /usr/local/sbin to enable the tunnel. The tunnel interface must be operational and in 'UP' status before proceeding.
- the RIP44 daemon (rip44d uses the location /usr/local/sbin/) which receives periodic routing table updates from the AMPRNet routing service and inserts them in the Linux routing table of your choice (most users use table 44, and the scripts use this value as well). You must verify that you are receiving route information before proceeding.
- boot script for startampr, to /etc/init/
- (Optional) a script to back up the routing table and create a corresponding restore script, at /etc/cron.hourly/
- (Optional) a script to restore the AMPRNet routing table on boot, at /etc/if-up.d/
Installation of startampr
Install the script to /usr/local/sbin and run: sudo chmod ug+x /usr/local/sbin/startampr
After obtaining the correct password from the route announcement and entering it into the properly configured script, install the boot and interface-up scripts (sample init scripts provided).
The additional script /etc/cron.hourly/backup_ampr creates an hourly backup of the AMPR routing table, located in two files at /usr/local/sbin:
- /usr/local/sbin/table44_bak - It is a text file that contains a copy of the output from the command: 'ip route show table 44'
- /usr/local/sbin/restore44sh - It contains a copy of table44_bak with the command "ip route add table 44 " prepended to each line. backup_ampr gives this file executable permissions for user root and group root. Execute this file using the command: sudo /usr/local/sbin/restore44sh to restore your routing table if the need ever occurs.
You can verify the backup is running by issuing the commands: ls -l /usr/local/sbin/restore44sh and ls -l /usr/local/sbin/table44_bak. If the machine has been up, the files should be no more than an hour old.
That should be all. Really. The downside of this configuration is that it will take up to 5 minutes for the gateway to receive a routing update and become operational after a reboot. The additional scripts provided store the current routing table in a local file hourly and load it from there when starting up. Thereafter, after every hour of uptime, your routing table is backed up at :17 past the hour. This backup can be used if you ever need to execute the ip command to flush table 44.
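The backup_ampr behaviour described above, as an added example that is not startampr's own script: a restore script built with sed from a saved dump of table 44, plus a check that the generated file contains nothing but route commands before it is executed with sudo. The routing-table dump is constructed, and 'ip route replace' is used instead of 'add' so that re-running the restore is harmless.

```bash
#!/bin/bash
# Added example, not startampr's own backup_ampr: build restore44sh from a
# saved dump of table 44 with sed, then verify the file holds nothing but route
# commands before it is run with sudo. The dump below is constructed.
TABLE=44

# Constructed sample of what 'ip route show table 44' prints. The blank line
# and the 'linkdown' flag are included on purpose (see gen_restore).
SAMPLE_TABLE44='44.2.0.0/16 via 203.0.113.10 dev tunl0 proto 44 onlink
44.60.44.0/24 via 198.51.100.7 dev tunl0 proto 44 onlink linkdown

default via 192.0.2.1 dev tunl0 proto 44 onlink'

# gen_restore: reads a table dump on stdin, writes a restore script on stdout.
# - blank lines are dropped (each would otherwise become a bare "ip route ...")
# - 'linkdown' is a status flag that ip prints but rejects as input, so strip it
# - 'replace' instead of the page's 'add' makes re-running the script harmless
#   when rip44d has already inserted some of the routes
gen_restore() {
  printf '#!/bin/bash\n'
  sed -e '/^[[:space:]]*$/d' \
      -e 's/ linkdown$//' \
      -e "s|^|ip route replace table $TABLE |"
}

# validate_restore: reads a generated script on stdin; succeeds only if line 1
# is the shebang and every other line is a route command made of the characters
# a route dump can contain. A tampered or mis-generated file fails the check.
validate_restore() {
  awk -v t="$TABLE" '
    NR == 1 { if ($0 != "#!/bin/bash") bad = 1; next }
    $0 !~ ("^ip route replace table " t " [0-9A-Za-z./: ]+$") { bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Demo: generate the restore script from the sample, validate it, then show it.
RESTORE=$(printf '%s\n' "$SAMPLE_TABLE44" | gen_restore)
if printf '%s\n' "$RESTORE" | validate_restore; then
  printf '%s\n' "$RESTORE"
else
  echo "restore script failed validation, not running it" >&2
fi
```

On a real gateway the input would come from 'ip route show table 44' and the validated output would be written to /usr/local/sbin/restore44sh with owner root and mode 0700.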
Installation of dependencies on Debian/Ubuntu
If you use rip44d, install perl and IO::Socket::Multicast, the Perl module used for receiving the RIP multicast packets:
sudo apt-get install perl libio-socket-multicast-perl libio-interface-perl
Recommended:
sudo apt-get install traceroute openssh-server ipset
Installation of dependencies on other distributions
Other distributions should have an easy way to install the required packages too (using yum or a similar program). Please fill in details here, if you know them.
Script
#!/bin/bash
#############################################################
###STARTAMPR v2.0 May 26, 2017###
###
### TO DO - Have the AMPRNet Community test and verify
###
### CHANGELOG
###
### v2.0 RC4
### - Dialogue about how to add routes and rules for any created test subnet(s).
###
### v2.0 RC3
### - Exclusively separates routes and tables, as well as priorities, by class and type
### - This makes unnecessary the exclusion of local subnets in ampr-ripd using the '-a' switch,
###   by adding local 44 network(s) to a higher priority routing table
### - This should enable you to become a tunnel GW for BGPed 44/8 subnets
### - Provides table 7777 as a BLACKHOLE/NULL Route
### - Adds script to load last hourly backup of table 44 on boot
### - With script backup_ampr, creates a backup of the routing table in a file named table44_bak
###   and an executable restore44sh hourly to use on the running machine to
###   restore table 44 if the table needs to be flushed during uptime
###
### v2.0
### - Streamlined commands and routes
### - Placed syntax for Debian/Ubuntu and OpenWRT/LEDE devices
#############################################################
## This script was developed by KB3VWG on a standard
## Ubuntu 16.04.2 LTS PC, eth0 configured to the Public facing
## LAN and eth1 to the 44LAN. It is designed to enable an
## AMPR Router using the ampr-ripd v2.0, the standard ampr-ripd,
## using the -t switch to add routes to routing table '44'
## with no further configuration needed (firewall optional)
##############################################################
##################################################################
## This script was modified by LX1DUC to automate even more tasks.
##################################################################
##################################################################
## Thanks to PE1CHL for discovering the need for policy-based routing
## Thanks to KI4SZJ for testing v2.0
##################################################################
### ENABLE IP FORWARDING ###
sysctl -w net.ipv4.ip_forward=1
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan
## echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr
################### AMPRNet IPENCAP UBUNTU SYNTAX #######################
# modprobe ipip
# ip tunnel add tunl0 mode ipip
###NUMBER tunl0 with a /32 from your allocation
###(you may reuse this IP on an Ethernet interface)
# ip addr add <IP from your 44>/32 dev tunl0
# ip link set tunl0 mtu 1480 up
# ip tunnel change tunl0 ttl 64 tos inherit pmtudisc
################### AMPRNet IPENCAP OpenWRT/LEDE SYNTAX #######################
# ip tunnel add tunl0
# ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
###(you may reuse this IP on an Ethernet interface)
# ip addr add <IP from your 44>/32 dev tunl0
# ip link set tunl0 mtu 1480 up
################### OPTIONAL - DEFAULT ROUTE FOR INTERNET ACCESS #######################
ip route add default dev tunl0 via <AMPRGW_IP> onlink proto 44 table 44
################### POLICY-BASED ROUTING #######################
###OPTIONAL LOCAL RULES
ip rule add from <CIDR_44_allocation> to <LAN e.g. 192.168.1.0/24> table main priority 22
#REQUIRED RULES
ip rule add to <CIDR_44_allocation> table main priority 44
ip rule add dev tunl0 table 44 priority 45
ip rule add dev <interface_for_44LAN> table 44 priority 46
ip rule add from <CIDR_44_allocation> table 44 priority 47
###SOME OF THIS MAY BE NEEDED TO RUN ampr-ripd from another folder than the compile option
###make sure you create the correct save and working folders, etc. if you can't recompile ampr-ripd
# This directory is not persistent on OpenWRT/LEDE, it must be made on boot for dynamic filtering
# mkdir /var/lib/ampr-ripd
# Create a blank bootstrap file at /etc/config/encap.txt for this to work
# ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# cd /usr/local/sbin
################### RUN AMPR-RIPD
################### WITH DYNAMIC FIREWALL SCRIPT USING -x
################### see http://wiki.ampr.org/wiki/Firewalls for dynamic script
./ampr-ripd-2.0.x64_Ubuntu16 -i <tunl_interface> -t 44 -a <CIDR_44_allocation> -s -x '/etc/config/load_ipipfilter.sh' -L <CALLSIGN>@<GRID_SQUARE> &
Notes
- startampr documentation uses tunl0 as the tunnel interface (it is the default on RIP44 daemons) and table 44 for those routes. Use the -i <if> and -t <ip table> options to change them. The command arguments differ between rip44d and ampr-ripd. startampr uses rip44d. See the documentation for the RIP44 programs if you decide to use custom interfaces, tables or a routing daemon other than rip44d.
- The script places the routing daemon at /usr/local/sbin/rip44d_<version number> (this assists in preventing inadvertent running of the RIP44 Protocol before you have configured startampr).
- The routing rules do not account for rogue traffic containing both an invalid source and an invalid destination IP (which the security of the Portal generally prevents). Use iptables to DROP forwarding of all traffic entering tunl0 that does not match a source or destination in your allocated subnet(s). This can be done by adding rules that, by default, drop forwarding of packets not possessing correct source and destination IPs in the range of 44.0.0.0/8, etc.
- The -a <IP in Portal> argument removes the routes for your own allocation from the table (they would be incorrect there, as those networks are local). startampr places your local routes in a higher-priority routing table, eliminating the need to use the -a argument. This is a good feature for those who are assigned a dynamic IP address by their Internet Service Provider.
- The tunnel interface must be up and configured before rip44d starts up. startampr places this command in the proper location.
- rip44d automatically adds an AMPR route to the Main AMPRNet Gateway on table 44.
- The startampr backup script /etc/cron.hourly/backup_ampr is added to a folder that is configured in Ubuntu, by default, to run scripts at :17 after the hour. The Main AMPR Gateway sends an update every five minutes. For advanced instructions on changing this time interval, see the Ubuntu Community cron HowTo.
- A strict assortment of file permissions, naming conventions and leading characters (e.g. "#!/bin/bash") is required in /etc/init/, /etc/if-up.d/ (used in a script to reload table 44 on boot) and /etc/cron.hourly/. Note that startampr has properly named those files. If you wish to edit them, please follow the documentation and README for more details.
- Please note that any machine acting as an AMPRNet Gateway must explicitly create high-priority routing rules for all traffic addressed to or from eth0. The network assigned to eth0 must be configured to ONLY use table main. No other valid configuration has been found to work properly (discovered by PE1CHL and tested by KB3VWG and others in the 44Net mailing list Community). This is due to the unique fact that, on AMPRNet routers, 44.0.0.0/8 exists on both the Public (eth0) and AMPRNet-facing (tunl0) sides of the device. There is no way to properly differentiate the route or destination interface of traffic received from 44.0.0.0/8 over tunl0 (addressed to your 44Router's 44 IP address) from that received on eth0 (addressed to the Gateway's Public-facing IP). In other words, there is no way to route traffic for all cases except by SOURCE OR DESTINATION IP ADDRESS. Therefore, ALL traffic to and from the network facing eth0 must use eth0. To access your AMPRNet from a local network, you must create another routable LAN (and add TO rules, e.g. ip rule add to 172.55.0.0/24 table main priority -, masquerading accordingly if it is configured to reach all of AMPRNet), or simply connect directly to an AMPR-facing interface. The rule to use only the main table for the eth0 network allows the AMPRNet Gateway to reach 44 hosts on the Public Internet, leaving the operator to provide all routing rules for AMPR-facing interfaces, which is the intent of startampr.
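The tunl0 forwarding filter that the rogue-traffic note above calls for, as an added example that is not part of startampr or its load_ipipfilter.sh: forwarded packets arriving from the tunnel are dropped unless their source or destination lies in one of your allocated 44 subnets, with sources outside 44.0.0.0/8 dropped first. The chain name AMPR_FWD and the IPT variable (set it to "echo" to print the rules for review instead of installing them) are this example's own choices.

```shell
#!/bin/bash
# Added example, not startampr's own code: FORWARD filter for the IPENCAP
# tunnel. Requires iptables; set IPT=echo to review the rules without
# installing them.
IPT="${IPT:-iptables}"

# $1 = tunnel interface (tunl0 on this page), $2.. = your allocated
# subnets in CIDR form, as assigned in the Portal.
ampr_forward_filter() {
    local ifc="$1" net
    shift
    "$IPT" -N AMPR_FWD
    # Every packet forwarded in from the tunnel is vetted by AMPR_FWD
    "$IPT" -A FORWARD -i "$ifc" -j AMPR_FWD
    # Only 44/8 sources belong inside the tunnel at all
    "$IPT" -A AMPR_FWD ! -s 44.0.0.0/8 -j DROP
    # Legitimate traffic has one of our own networks as source or
    # destination. If nothing ever returns through the tunnel carrying
    # one of your own addresses as source, omit the -s line so spoofed
    # sources are caught as well.
    for net in "$@"; do
        "$IPT" -A AMPR_FWD -s "$net" -j RETURN
        "$IPT" -A AMPR_FWD -d "$net" -j RETURN
    done
    # Everything else entering via the tunnel is rogue: log a rate-limited
    # sample for the operator, then drop it
    "$IPT" -A AMPR_FWD -m limit --limit 5/min -j LOG --log-prefix "AMPR_FWD drop: "
    "$IPT" -A AMPR_FWD -j DROP
}

# Example invocation (replace the subnet with your own allocation):
# ampr_forward_filter tunl0 44.x.y.0/24
```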
Support, bug reports and improvements
If you have questions to ask about the usage of this script, please contact the 44Net mailing list.
If you have improvements to the script and wish to submit a patch, please contact KB3VWG on the 44Net mailing list, or via contact details in the Portal. Thank you!
The daemon was written by Lynwood, KB3VWG, with major contributions from PE1CHL (for implementation of policy-based IP routing), Heikki Hannikainen, OH7LZB (for version 1.0's integration with rip44d), and Marc, LX1DUC (for automating the enabling of IP forwarding).
See also
Links
- Alternative installation instructions by KB9MWR
- Alternative installation instructions by Marc, LX1DUC
- [(link to KB3VWG's site here) Detailed Readme and Installation instructions by KB3VWG]