A couple emails saved from the list on the topic of securing protocol 4 (ipencap / ipip) and only allowing connections from other ampr gateways.


Subject: Re: load_ipipfilter.sh
From: lleachii@...
Date: Sat, 27 May 2017 23:21:51 -0400

All,

-----------------------------------------------------------------------------------------
I place this so that it runs during startup (and bootstraps AMPRGW's IP):
----------------------------------------------------------------------------------------

# LOAD AMPR ipipfilter INPUT RULE

# ipset is an extension to iptables that allows you to create firewall rules that 
# match entire "sets" of addresses at once.
ipset create ipipfilter hash:ip
ipset -A ipipfilter 169.228.34.84

-------------------------------------------------------------------------------------------------------------------------------------------
I place this in a Shell script (load_ipipfilter.sh) so it's executed after each route update via the ampr-ripd -x argument
-------------------------------------------------------------------------------------------------------------------------------------------

#!/bin/sh
# This script load_ipipfilter.sh is executed by Marius, YO2LOJ's  ampr-ripd routing daemon it 
# loads the saved routes (/var/lib/ampr-ripd/encap.txt) into the ipipfilter ipset list
  
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="169.228.34.84"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

ipset -N ipipfilter hash:ip 2>/dev/null
if [ $? -eq 0 ]
then
      ipset flush ipipfilter
      ipset -A ipipfilter $AMPRGW


      while read ip
      do
          ipset -A ipipfilter $ip
      done <$gwfile

else
  ipset flush ipipfilter
      ipset -A ipipfilter $AMPRGW

      while read ip
      do
          ipset -A ipipfilter $ip
      done <$gwfile

fi

rm -f $gwfile

-------------------------------------------------------------------------------------------- 
This is my firewall rule, it locks protocol 4 (ipip /ipencap) to know addresses 
-------------------------------------------------------------------------------------------- 

iptables -t filter -I INPUT -p 4 -i eth0 -m set --match-set ipipfilter src -j ACCEPT 

73, - Lynwood KB3VWG


[44net] ampr-ripd 1.12 released
From: "Marius Petrescu" <marius at yo2loj.ro 
Date: 11/16/2014 01:36 PM
To: AMPRNet working group

Hello OMs,

Following the idea from Rob, PE1CHL, I added the possibility to execute a  system command from ampr-ripd if routes are set or changed. This will happen on startup, after an existing encap is found in /var/lib/ampr-ripd, or after 30 seconds after a RIP update, if there is a change in the encap data (AFTER saving the new encap file if requested).

Thanks Marius! I have installed it on my own gateway and the 44.137 gateway and first tests shows it works fine.

For the others: I requested this feature to modify a firewall when gateways change address. Before I accepted IPIP packets from everyone, but this is a weakness in the system that maybe could be exploited. I observed rogue IPIP packets from the far east.

So instead of:

iptables -A firewall -p 4 -j ACCEPT

on the incoming interface, I now have:

iptables -A firewall -p 4 -j ipipfilter

and I have the following script that inserts/updates the ipipfilter list:
-----

  
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="169.228.66.251"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

if iptables -N ipipfilter 2>/dev/null
then
     iptables -F ipipfilter
     iptables -A ipipfilter -s $AMPRGW -j ACCEPT

     while read ip
     do
         iptables -A ipipfilter -s $ip -j ACCEPT
     done <$gwfile

     iptables -A ipipfilter -j DROP
else
     iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
         sed -e 's/.*--  //' -e 's/ .*//' | sort | diff - $gwfile | \
         while read d ip
         do
             case "$d" in
             ">")
                 iptables -I ipipfilter -s $ip -j ACCEPT
                 ;;
             "<")
                 iptables -D ipipfilter -s $ip -j ACCEPT
                 ;;
             *)
                 ;;
             esac
         done
fi

rm -f $gwfile
The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x option to ampr-ripd. It will load the entire filter the first time, and later it will only update the filters that have changed. It is required that the -s option is passed as well, so the encap.txt file is created by ampr-ripd. Now I only accept IPIP packets from addresses in the gateway list, which makes me feel a bit safer. (of course sanity checks were already done on the incoming IPIP packets) Rob, PE1CHL