Filename: HOWTO_Set_Up_an_AMPRnet_Gateway.txt

Revised: 24-Jan-2012 at 1915 by Michael Fox, N6MEF

This document is intended to be a quick cheat-sheet or checklist of what to do when setting up an AMPR.ORG gateway. It is intended to act as a reminder, even to experienced sysops, to ensure that the node is created consistent with the county standard. Consult the Linux or JNOS documentation for more details on how to perform the individual steps. These instructions describe a gateway that uses Linux to perform the IP/IP encapsulation used for AMPRnet routing. This approach has the following advantages over having JNOS perform the gateway function:

** Routes can be updated from the encap.txt table without restarting JNOS

** iptables can be used to filter traffic with finer granularity

These instructions use a static routing method in which the routes are refreshed nightly from encap.txt.

The advantage of this method is that if the main AMPRnet gateway is down, the existing tunnel routes remain in place. This covers the case where the local Internet connection is up and connectivity to other AMPRnet sites is available, but connectivity to the AMPRnet gateway is disrupted. An alternative would be to run the rip44d daemon to accept dynamic updates from the main AMPRnet gateway, amprgw. That allows more timely updates, but makes your routing table depend on the reachability of one single host, amprgw.

Step One: RTFM! Read the Instructions

---------------------------------------

Go to: www.ampr-gateways.org

Read the entire website, including the FAQ and the "newgate.ps" file on the FAQ page (it is a PostScript file; open it with a PostScript viewer such as Ghostscript, or convert it to PDF). Also read the "Gateway Robot Updates" section. It is not a lot of information and it provides no JNOS specifics, but it gives important general background on what the gateways do and how to make your gateway entry.

Also, go to: wiki.ampr-gateways.org

This is a new wiki that was created in Oct. 2011. As of this writing, it is not known how much will be there, but read it entirely.

 


Selecting the Gateway Machine


The gateway machine for an individual JNOS system can be the same machine as the JNOS system and may be up or down at the owner's discretion. The gateway machine for a network of JNOS systems should operate 24x7 and should have a full-time, reliable Internet connection.

Gateways receive additional Internet exposure, so they should be very carefully secured, with an adequate firewall as well as the usual host-oriented protections.

 


Configure/Verify DNS in Linux and JNOS


Make sure both Linux and JNOS are configured for DNS. It is important that the DNS service is fast and reliable. It is usually convenient for the AMPRnet gateway to also be a DNS server -- at least a forwarding DNS.

A separate HOWTO is available for setting up DNS.

Check the linux configuration to verify that DNS service is properly configured. Check the JNOS configuration to verify that at least one (preferably more than one) DNS server has been defined.

Make sure DNS is working in both Linux and JNOS by pinging known systems that are not in your local /etc/hosts file (for Linux) or $JNOS_DIR/domain.txt file (for JNOS).

Example: "ping google.com" from both linux and the JNOS console.

If this works from linux but not from JNOS, then JNOS needs to be configured with a DNS server using "domain addserver".

Do not bother to continue until this is working.

 


Establish DNS Entries for Gateway Addresses


Although not required, the gateway should be listed in DNS to make it more user friendly. People will have a difficult time remembering obscure IP addresses. Ideally, both the "A" (address) record (maps hostname to address) and the PTR (pointer) record (maps address to hostname) should be configured.

This allows other gateway operators to more easily identify your machine and helps to eliminate user error associated with typing in IP addresses.

If your gateway will also be an SMTP gateway, then the DNS records need to be there anyway or else other SMTP MTAs (message transfer agents) will not speak to it.

DNS needs to be set up in two places:

First, the AMPRnet addresses (44.x.y.z) entries need to be submitted to the AMPR.ORG address coordinator for your region. The current coordinator for Silicon Valley is:

Dan Curry, K6DLC - dod1450@mindspring.com

Gateways which use Linux for the IP/IP encapsulation have two AMPRnet addresses. Typical entries look like:

For JNOS:

callsign.ampr.org. 14400 IN A 44.x.y.z
z.y.x.44.in-addr.arpa. 14400 IN PTR callsign.ampr.org.

For Gateway:

callsign-gw.ampr.org. 14400 IN A 44.a.b.c
c.b.a.44.in-addr.arpa. 14400 IN PTR callsign-gw.ampr.org.

 

Second, the gateway's regular public IP address (non-AMPRnet address) entries need to be submitted to your ISP's DNS system. Typically, the ISP has some type of web-based control panel where you can enter the information. Otherwise, you may need to call their help desk and have them make the entry for you.

The updates can take up to 24 hours to propagate, but they typically propagate sooner. In Linux, use "dig hostname" to look up the address record and "dig -x a.b.c.d" to look up the pointer record. In Windows, use nslookup.

 


Submit a New Gateway Entry to the ampr-gateways.org Robot


You need to register your gateway with the robot that maintains gateway information. This will cause your gateway to be listed in three ways:

a) in the gateways text file
b) in the encap.txt list of encaps routes
c) in the RIP updates from the primary AMPRnet gateway at UCSD

Follow the instructions at:

http://www.ampr-gateways.org/updates/updates.html

Example: Assume you want to add a new gateway with the following information:

Public Linux IP address of the gateway: 1.2.3.4

You want your password to be: "mynewpassword"

AMPRnet addresses for JNOS systems behind gateway: 44.w.x.y/z

AMPRnet address for the Linux gateway: 44.a.b.c/32

The gateway maintainer is: Joe Ham, AA6AAA, joe@joeham.org

You want people to know that the gateway is up between 8am and 6pm

Send a PLAIN TEXT e-mail to:

gateways@ampr-gateways.org

From: Use an email address that you want people to use who have questions about your gateway. Your email address will appear in the gateways file.

Subject: The subject line doesn't matter

Body:

Gateway: 1.2.3.4
Password: mynewpassword
New Entry
Subnets: 44.w.x.y/z, 44.a.b.c/32
Maintained by: Joe Ham, AA6AAA, joe@joeham.org
Notes: Gateway hours  8am to 6pm

You should get a response back from the robot within a few minutes. Save the password you used; you will need it to make future changes. NOTE: The robot updates the published files at some time in the evening or early morning after changes are submitted, so your changes may not appear in the files until the following morning. Many sysops only update once nightly (like us), or once a week, or even longer; some only update when their own systems change. So even if your end is configured correctly, you may not be able to connect because the other end does not yet have your gateway in its configuration.

 


Configure Your Firewall


Configure your firewall to forward IP/IP traffic to your Linux machine.

This assumes that you have an external firewall, which is a wise precaution when you have a system such as a gateway which will have higher visibility.

Each firewall is different, so the specific commands needed to make this change are beyond the scope of this document. But the general setup is this:

Inbound: Match incoming traffic on the WAN port with a destination address of your gateway's public IP address and IP protocol 4 (IPencap, IP-in-IP encapsulation) and forward it to your Linux machine's private LAN address. Forward only protocol 4 for the AMPRnet function; any other service you expose from the gateway is a separate decision.

Outbound: NAT both the Linux IP and the GW IP to the public IP address.

 


Update the /etc/modules File


In order to use IP/IP encapsulation, Linux needs to load the ipip module.

To see if the module is loaded:

sudo lsmod | grep ipip

Normally, the module is not loaded, so you will probably get no result.

To load the module temporarily (until Linux restarts):

sudo modprobe ipip

To cause the module to load each time Linux is booted, edit the /etc/modules file. Add a single line, "ipip". When completed, it should look something like this:

sccsysop@gw:/opt/jnos/ampr-gw$ cat /etc/modules

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be
# loaded at boot time, one per line.
# Lines beginning with "#" are ignored.
lp
ipip

sccsysop@gw:/opt/jnos/ampr-gw$

Then restart Linux and check again with "sudo lsmod | grep ipip".

You should see something like this:

sccsysop@gw:/opt/jnos/ampr-gw$ sudo lsmod | grep ipip
ipip                    6704  0
tunnel4                 2213  1 ipip
sccsysop@gw:/opt/jnos/ampr-gw$

 


Edit the /etc/iproute2/rt_tables File


 

Add two new route tables to the rt_tables file.

The "ampr" table holds the ipip tunnel routes to each AMPRnet gateway.

The "amprdef" table holds an AMPRnet "default" route which is used for traffic originating from one of our AMPRnet addresses. It sends traffic to the main AMPRnet gateway.

Note: this is a slight change from the original ipip.munge script in that it puts the specific AMPRnet routes into a separate table (ampr) instead of the main table. This makes viewing the regular linux routing table MUCH easier. However, it requires iproute2 to be installed.

When completed, your rt_tables files should look something like:

#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
100 ampr
101 amprdef

 


Download the ampr-gw directory from the SCCo FTP Server


Create a new directory to hold the gateway files:

cd /opt/jnos
mkdir ampr-gw

Download the gateway files from the FTP server at www.scc-ares-races.org.

Copy the files in the FTP server's jnos/ampr-gw directory to your local /opt/jnos/ampr-gw directory. These scripts will later be run as root, and FTP is neither authenticated nor encrypted, so read through what you downloaded before executing any of it.

 


Temporarily Turn OFF the Gateway Start-up Switch


The script in /etc/rc.local looks for a file named ampr-gw.on in the ampr-gw directory. If it exists and is readable, then the gateway startup commands are executed. If not, then the gateway startup is bypassed. For now, we'll make sure that it is off so we can do things manually.

cd /opt/jnos/ampr-gw

If the file "ampr-gw.on" exists, then rename it:

mv ampr-gw.on ampr-gw.off

 


Install the IPtables rules for AMPRnet Gateways


 

Verify that you have the latest version of the JNOS docs directory.

Download from the FTP server to be safe.

Copy the sample iptables rules to the main jnos directory

cd /opt/jnos/docs
cp sample.iptables.gw_config ../iptables.gw_config

The gateway rules are similar to the inet_config rules except they add support for ipip encapsulation.

Edit the IPtables rules and set the correct values for:

IPIP_IFACE   IP/IP tunnel interface name (usually tunl0)
IPIP_IP      IP/IP tunnel interface address
JTUN_IFACE   JNOS tunnel interface name (usually tun0)
JTUN_IP      JNOS tunnel interface address

Verify that the rules work properly by flushing the existing rules and installing the gateway rule set:

cd /opt/jnos
sudo utils/iptables.flush; sudo ./iptables.gw_config

You should receive no errors.

 


Verify /etc/rc.local Version


Verify that you have the latest version of /etc/rc.local. The latest version is on the FTP server under jnos/docs/sample.rc.local.

A current version will make use of the iptables.gw_config file, if found, and includes a section to optionally start up the AMPRnet gateway, if the "ampr-gw.on" file exists and is readable.

 


Perform an Initial Download of the "gateways" and "encap.txt" files


The "gateways" file is a text file containing entries for all AMPRnet gateways. Each entry looks like the entry you just created above. This information is NOT to be published except to other gateway administrators.

The file is useful for understanding the capabilities of each gateway and for contacting the gateway administrator, if necessary.

The encap.txt file is a text file containing static routes to all of the other AMPRnet gateways. The encap.txt file is designed to be sourced into autoexec.nos but we will be using it differently.

Use the "get-gateways.sh" script to retrieve the two files.

Example:

$ cd /opt/jnos/ampr-gw
$ sudo ./get-gateways.sh
[sudo] password for sccsysop:
./get-gateways.sh: Fri Mar 11 18:41:45 PST 2011 Backing up old files
./get-gateways.sh: Fri Mar 11 18:41:46 PST 2011 Retrieving new files
./get-gateways.sh: Fri Mar 11 18:41:57 PST 2011 Done
$

Verify that the file timestamps are updated.

Verify that your gateway entry is in the encap.txt file. Example:

$ cd /opt/jnos/ampr-gw
$ grep '11.22.33.44' encap.txt
route addprivate 44.x.y.z/32 encap 11.22.33.44
$

Verify that your gateway entry is in the gateways file. Example:

$ cd /opt/jnos/ampr-gw
$ grep '11.22.33.44' gateways
Gateway: 11.22.33.44
$

Note: The gateways and encap.txt files are only updated periodically. The updates used to occur each night. Now they appear to happen more frequently.

If your gateway is not listed AND you recently added or changed your gateway address, then you need to wait a while and then download again.

Do not proceed until you have verified that your gateway is properly listed.

 


Edit "ipip.munge" With Your Specific Parameters


CAREFULLY edit the "ipip.munge" script. This script converts the encap.txt file into a set of routing commands for linux.

Set {AMPR} to your gateway's 44.x address. This is the AMPRnet address assigned to the Linux gateway machine. This should be included in one of the subnet ranges listed in the "Subnets:" line when you submitted your gateway record to the ampr-gateways.org robot.

Set {INTADDR} to the PUBLIC internet address of your gateway. This should be the same address that you listed as the "Gateway:" address when you submitted your gateway record to the ampr-gateways.org robot.

NOTE: Our version of the file has been modified to use the "ampr" and "amprdef" routing tables we added in a previous step.

 


Perform an Initial Run of the "make.ipip.routes.sh" Script


This script calls the "ipip.munge" script, feeding it "encap.txt" for input and directing the output to "ipip.routes".

$ cd /opt/jnos/ampr-gw
$ ./make.ipip.routes.sh

This should generate a file called ipip.routes in the /opt/jnos/ampr-gw directory. Verify that the timestamp of the resulting ipip.routes file is current.

 


Perform an Initial Run of the "ipip.routes" Script


This script creates individual routes to reach each of the other AMPRnet gateways, as well as some default routes to the UCSD AMPRgw to handle unknown AMPRnet addresses and non-AMPRnet addresses. It must be run as root since it manipulates the routing table.

$ cd /opt/jnos/ampr-gw
$ sudo ./ipip.routes

NOTE: if a second route to the same prefix exists in the ipip.routes script, you will see "RTNETLINK answers: File exists". You can safely ignore the error. Only the first route will be added to the routing table.
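The following is an added example, not the SCCo ipip.munge, ipip.routes or iptables.gw_config scripts. It shows what the iptables step ("Install the IPtables rules for AMPRnet Gateways") and the encap.txt to ipip.routes conversion above boil down to: read encap.txt, emit one route per gateway into the "ampr" table plus the amprdef default to amprgw, and emit iptables rules that accept IP protocol 4 only from gateways that are actually listed. The interface name tunl0, the use of "ip route replace", the sample encap.txt content and the closing DROP rule are assumptions for illustration; the amprgw address is the one used elsewhere in this document.

```sh
# Added example; not the SCCo scripts.  Assumptions are marked.
AMPRGW=169.228.66.251   # UCSD amprgw, as used in the "ip route get" check later in this HOWTO
TUNL=tunl0              # IPIP interface name (assumption: the same value as IPIP_IFACE)

# Constructed sample in encap.txt format; not real gateway data.
SAMPLE_ENCAP='# constructed encap.txt sample
route addprivate 44.4.50.0/24 encap 11.22.33.44
route addprivate 44.4.2.153/32 encap 11.22.33.44
route addprivate 44.135.124.0/24 encap 198.51.100.7
route addprivate 44.4.50.0/24 encap 192.0.2.9
this line is malformed and must be ignored'

# Read encap.txt on stdin and print "prefix gateway" pairs.  Only well-formed
# "route addprivate <44-prefix> encap <gateway>" lines pass, and a second route
# for a prefix already seen is dropped here instead of being left for the
# kernel to reject with "RTNETLINK answers: File exists".
encap_parse() {
    awk '$1 == "route" && $2 == "addprivate" && $4 == "encap" && NF == 5 &&
         $3 ~ /^44\./ && !seen[$3]++ { print $3, $5 }'
}

# Print the iproute2 commands: one route per gateway in the "ampr" table, plus
# the amprdef default that sends everything else to amprgw.  "onlink" is needed
# because the gateway address is not on the tunl0 subnet; "replace" instead of
# "add" makes a re-run idempotent.
encap_to_routes() {
    encap_parse | while read -r prefix gw; do
        printf 'ip route replace %s via %s dev %s onlink table ampr\n' "$prefix" "$gw" "$TUNL"
    done
    printf 'ip route replace default via %s dev %s onlink table amprdef\n' "$AMPRGW" "$TUNL"
}

# Print iptables rules that accept IP protocol 4 (IPIP) only from gateways
# present in encap.txt and from amprgw, and drop any other IPIP.  A host that is
# not in the encap table has no business sending us tunnel traffic.
encap_to_iptables() {
    encap_parse | awk '{ print $2 }' | sort -u | while read -r gw; do
        printf 'iptables -A INPUT -p 4 -s %s -j ACCEPT\n' "$gw"
    done
    printf 'iptables -A INPUT -p 4 -s %s -j ACCEPT\n' "$AMPRGW"
    printf 'iptables -A INPUT -p 4 -j DROP\n'
}

# Apply for real (needs root).  Review the emitted commands first.
apply_from_encap() {
    encap_to_routes < "$1" | sh -e && encap_to_iptables < "$1" | sh -e
}
```

Run `printf '%s\n' "$SAMPLE_ENCAP" | encap_to_routes` to see the commands; `apply_from_encap encap.txt` applies them as root. Two caveats: the protocol-4 whitelist means a gateway that registers after your last nightly download cannot reach you until your next run, the same delay this HOWTO describes in the other direction; and if your iptables.gw_config already has rules in INPUT, merge these so that the ACCEPT lines sit before the DROP rather than appending them blindly at the end.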

 


Edit the "ipip.rules" Script


This script creates rules which tell linux which routing table to use for which traffic.

Set the following variables:

JNOS_AMPR_IP The subnet supported by this gateway
GW_AMPR_IP The AMPRnet address of this gateway

 


Perform an Initial Run of the "ipip.rules" Script


This script creates rules based on source address so that packets with source addresses of 44.x are handled properly.

Before running "ipip.rules", your ip rules table should look like this:

$ ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
$

Read the comments in the ipip.rules script for more detail. It must be run as root since it manipulates the routing rules.

cd /opt/jnos/ampr-gw
sudo ./ipip.rules

After running "ipip.rules", your ip rules table should look something like this:

$ ip rule show
0: from all lookup local
32760: from all to <local nets> lookup main
32761: from all to <JNOS_AMPR_IPs> lookup main
32762: from <JNOS_AMPR_IPs> to 44.0.0.0/8 lookup ampr
32763: from <GW_AMPR_IP> to 44.0.0.0/8 lookup ampr
32764: from <JNOS_AMPR_IPs> lookup amprdef
32765: from <GW_AMPR_IP> lookup amprdef
32766: from all lookup main
32767: from all lookup default
$

The ip rule table is read top down until it finds a match.
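As an added example (not the SCCo ipip.rules script), here is a script that installs the rule set shown above with explicit preference numbers. LOCAL_NETS, JNOS_AMPR_IPS and GW_AMPR_IP are placeholder values taken from the addresses used elsewhere in this HOWTO. Each preference is cleared before it is re-added, so the script can be re-run by hand without leaving duplicate rules behind.

```sh
# Added example; not the SCCo ipip.rules script.  Values below are placeholders.
LOCAL_NETS="192.168.8.0/24"     # your LAN prefix(es), space separated
JNOS_AMPR_IPS="44.4.50.0/24"    # AMPRnet subnet(s) served by this gateway
GW_AMPR_IP="44.4.2.153"         # AMPRnet address of the Linux gateway itself

# Print the "ip rule" commands.  Preferences 32760-32765 sit just above main
# (32766), matching the listing above; the kernel evaluates lowest preference
# first.  Every rule at a given preference is deleted before re-adding so that
# a second run (rc.local after a reboot, then again by hand) is harmless.
emit_ip_rules() {
    for pref in 32760 32761 32762 32763 32764 32765; do
        printf 'while ip rule del priority %s 2>/dev/null; do :; done\n' "$pref"
    done
    # traffic to our own LAN and to the served JNOS addresses stays in main,
    # so it is never pushed down the tunnel
    for n in $LOCAL_NETS;    do printf 'ip rule add priority 32760 to %s lookup main\n' "$n"; done
    for n in $JNOS_AMPR_IPS; do printf 'ip rule add priority 32761 to %s lookup main\n' "$n"; done
    # 44.x sources going to 44/8: use the per-gateway tunnel routes if we have one
    for n in $JNOS_AMPR_IPS; do printf 'ip rule add priority 32762 from %s to 44.0.0.0/8 lookup ampr\n' "$n"; done
    printf 'ip rule add priority 32763 from %s to 44.0.0.0/8 lookup ampr\n' "$GW_AMPR_IP"
    # anything else from a 44.x source (no tunnel route, or non-44 destination) goes to amprgw
    for n in $JNOS_AMPR_IPS; do printf 'ip rule add priority 32764 from %s lookup amprdef\n' "$n"; done
    printf 'ip rule add priority 32765 from %s lookup amprdef\n' "$GW_AMPR_IP"
}

# Preference numbers of the "add" lines in emission order, for checking that
# the script installs them in the same order the kernel will evaluate them.
rule_prefs() { emit_ip_rules | awk '$3 == "add" { print $5 }'; }

# Apply for real (needs root); then compare "ip rule show" with the listing above.
apply_ip_rules() { emit_ip_rules | sh -e; }
```

Reading it against the listing above: a packet from a JNOS or gateway 44.x source to a 44/8 destination consults the ampr table and takes a tunnel if encap.txt gave us one; if not, or if the destination is outside 44/8, it falls through to amprdef and goes to amprgw. Traffic to the local LAN and to the served JNOS addresses is matched first and kept in main on purpose.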

 


Verify routing behavior


Pick a public IP address - any address - and perform a route lookup from your linux eth0 address and your linux AMPRnet address. For example:

216.252.122.245 my.yahoo.com
192.168.8.10 linux eth0
192.168.8.1 default gateway
44.4.2.153 linux AMPRnet GW address

Check the route from your default interface (probably eth0) It should point to ("via ...") your LAN's default gateway.

$ ip route get 216.252.122.245
216.252.122.245 via 192.168.8.1 dev eth0 src 192.168.8.10
cache mtu 1500 advmss 1460 hoplimit 64
$

Then check the route from your AMPRnet gw tunnel address. It should point to the main amprgw (169.228.66.251).

$ ip route get 216.252.122.245 from 44.4.2.153
216.252.122.245 from 44.4.2.153 via 169.228.66.251 dev tunl0
cache mtu 1480 advmss 1440 hoplimit 64
$

Note that packets from the AMPRnet gateway address are sent over the tunnel (dev tunl0), while packets from the Linux eth0 interface go out the normal way (dev eth0).

 


Test Outbound Connectivity from Your AMPRnet Address to Internet Hosts


Try connecting to a public IP address/service using your gateway's 44.x.y.z address as the source address.

$ ping -I 44.x.y.z google.com

Example (connect to an SMTP server):

$ telnet -b 44.x.y.z gmail-smtp-in.l.google.com 25

When the server responds, type "QUIT" followed by return to gracefully close the connection.

It is instructive to monitor the traffic on the ethernet and tunnel interfaces while performing these tests. For example, open two terminal windows. In the first one, monitor traffic on the eth0 interface:

$ sudo tcpdump -n -i eth0

In the second one, monitor traffic on the tunl0 interface:

$ sudo tcpdump -n -i tunl0

 


Test Outbound Connectivity from Your AMPRnet Addresses to AMPRnet Hosts


 

From the JNOS console, telnet to a known gateway. Example:

jnos> telnet winnipeg.ampr.org   (44.135.124.1, Maiko's machine)

Do the same from the gateway's AMPRnet address:

$ ping -I 44.x.y.z winnipeg.ampr.org

Also, check for a list of other known pingable gateways. Since any individual gateway may be down from time to time, it's good to maintain a list of several that are usually up and pingable.

In addition to monitoring the two interfaces listed above, you can also monitor the JNOS to Linux tunnel. Open a third terminal window to monitor the tun0 interface:

$ sudo tcpdump -n -i tun0

 


Test Inbound Connectivity


You should now be able to connect to your JNOS system in whatever way you have allowed with your firewall. Normally, the configuration allows inbound connections to JNOS only from other 44.x addresses. To test inbound, get an account on another JNOS system on the AMPRnet and ping and telnet back into your system.

Again, you can monitor the activity using tcpdump for diagnostics or learning purposes. If you ever have a connectivity problem, it will be important to understand these tcpdump traces.

 


Configure crontab


Configure crontab (or anacron) to perform the above steps nightly.

$ cd /opt/jnos/ampr-gw
$ sudo cp sample.cron.daily.amprgw /etc/cron.daily/amprgw
$ sudo chown root:root /etc/cron.daily/amprgw

Verify that ownership and permissions match the other /etc/cron.daily files (root-owned and executable). On Debian-based systems, keep the file name free of dots: run-parts, which executes /etc/cron.daily, skips names containing anything other than letters, digits, hyphen and underscore.

$ ls -l /etc/cron.daily

Note: The ipip.rules script should not be re-run in crontab since the rules do not get flushed daily. They are flushed when the machine reboots, so the ipip.rules script is run in /etc/rc.local.
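The nightly refresh is where a static-route gateway can hurt itself: if the download fails or returns an error page and the scripts run anyway, the tunnel routes are rebuilt from junk, and the "existing routes survive an amprgw outage" advantage described at the top of this HOWTO is lost. The following is an added example, not the SCCo get-gateways.sh or sample.cron.daily.amprgw, of validating a new encap.txt before letting it replace the old one. MY_PUBLIC_IP is the "Gateway:" address you registered with the robot (11.22.33.44 here, as in the grep examples earlier); the fetch command and the /opt/jnos/ampr-gw layout are assumptions, and the two sample files are constructed.

```sh
# Added example; not the SCCo scripts.  Assumptions are marked.
MY_PUBLIC_IP=${MY_PUBLIC_IP:-11.22.33.44}   # the "Gateway:" address you registered

# Constructed samples, not real gateway data.
GOOD_ENCAP='# constructed sample
route addprivate 44.4.50.0/24 encap 11.22.33.44
route addprivate 44.135.124.0/24 encap 198.51.100.7'
BAD_ENCAP='<html><body>Service unavailable</body></html>'

# Return 0 only if $1 looks like a real encap.txt: non-empty, nothing but
# comments, blank lines and well-formed "route addprivate" lines, and our own
# gateway present (the same check the HOWTO has you do by hand with grep).
# An HTML error page or a truncated file must never replace the routing table.
encap_sane() {
    f=$1
    [ -s "$f" ] || { echo "encap_sane: $f missing or empty" >&2; return 1; }
    bad=$(awk '/^#/ || /^[[:space:]]*$/ { next }
               !/^route addprivate 44\.[0-9.]+\/[0-9]+ encap [0-9.]+[[:space:]]*$/ { n++ }
               END { print n + 0 }' "$f")
    [ "$bad" -eq 0 ] || { echo "encap_sane: $bad malformed line(s) in $f" >&2; return 1; }
    me=$(printf '%s' "$MY_PUBLIC_IP" | sed 's/\./\\./g')
    grep -Eq "encap ${me}[[:space:]]*$" "$f" ||
        { echo "encap_sane: own gateway $MY_PUBLIC_IP not listed in $f" >&2; return 1; }
}

# Move a freshly downloaded file into place only after it passes encap_sane,
# keeping the previous copy as .bak.  On failure the new file is discarded and
# the current one is left untouched.
promote_encap() {
    new=$1 cur=$2
    if ! encap_sane "$new"; then rm -f "$new"; return 1; fi
    [ -f "$cur" ] && cp -p "$cur" "$cur.bak"
    mv "$new" "$cur"
}

# What the cron.daily job would run.  $1 is a fetch command (assumption: it
# writes encap.txt to stdout); $2 is the gateway directory.  Routes are only
# regenerated and applied after the new file has been promoted.
nightly_update() {
    fetch=$1
    dir=${2:-/opt/jnos/ampr-gw}
    cd "$dir" || return 1
    $fetch > encap.txt.new || { rm -f encap.txt.new; return 1; }
    promote_encap encap.txt.new encap.txt || return 1
    ./make.ipip.routes.sh && ./ipip.routes
}
```

The get-gateways.sh shipped with the SCCo files writes encap.txt directly rather than to stdout, so with that script the equivalent is to run encap_sane on the result afterwards and restore the backup it made when the check fails, before make.ipip.routes.sh and ipip.routes are allowed to run. The order is the point: fetch to a temporary name, check, promote, and only then touch the routing table.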

 


Turn On the Gateway Switch


Rename the gateway switch file so that /etc/rc.local will start it up at boot time:

$ cd /opt/jnos/ampr-gw
$ mv ampr-gw.off ampr-gw.on

If you ever want to stop being a gateway, simply rename the file back to ampr-gw.off and reboot.

 


Reboot and Retest


Reboot the Linux system and reverify the inbound and outbound tests above.

 

OPTIONAL:

Complete the following if your gateway serves other JNOS systems:


Configure Route(s) from AMPRnet Gateway to Served BBSs


Now that inbound connectivity to the AMPRnet addresses on this machine, and to the JNOS on this machine, is working, we need to configure route(s) to the other JNOS BBSs that this gateway serves.

This tells linux where to forward incoming traffic to those 44.x addresses.

Start with the sample.node.routes script and edit as required

$ cd /opt/jnos/docs
$ cp sample.node.routes ../<nodename>.routes (e.g., ../w6xsc-2.routes)

Run the script from /opt/jnos to add the routes. It must be run as root because it changes the routing table.

$ cd /opt/jnos
$ sudo ./<nodename>.routes

Verify that the route is properly configured

Example:

Served BBS 44.4.50.1
Linux AMPRnet Address 44.4.50.14
Linux local address 192.168.21.10

Then:

$ ip route get 44.4.50.1
44.4.50.1 dev tun0 src 192.168.21.10
cache mtu 1500 advmss 1460 hoplimit 64

$ ip route get 44.4.50.1 from 44.4.50.14
44.4.50.1 from 44.4.50.14 dev tun0
cache mtu 1500 advmss 1460 hoplimit 64

 


Configure Route from Served BBSs to AMPRnet Gateway


Each of the served BBSs must have a route for 44/8 pointing toward the AMPRnet gateway. Prior to configuration of the AMPRnet gateway, the route to 44/8 may have been blackholed (routed to loopback). Change the route in autoexec.nos to point to the AMPRnet gateway. Example:

route addprivate 44.0.0.0/8 <interface> <gateway> <metric>

Then restart JNOS.

You should now be able to ping between the served BBSs and other AMPRnet hosts.

 


Test Inbound Connectivity to Served BBSs


You should now be able to connect to your served BBSs in whatever way you have allowed with your firewall. Typically, connectivity is only allowed from other AMPRnet hosts (44.x addresses).

To test inbound connectivity, obtain a login on a JNOS machine behind another AMPRnet gateway. Then ping and telnet in from the remote machine.

 

 

NEXT STEPS:

-----------

** Determine how multicast RIPv2 advertisements from amprgw are processed. Currently, iptables does not see them. Curious.

-- END OF FILE --