A couple emails saved from the list on the topic of securing protocol 4 (ipencap / ipip) and only allowing connections from other ampr gateways.
Subject: Re: load_ipipfilter.sh
From: lleachii@...
Date: Sat, 27 May 2017 23:21:51 -0400
All,
-----------------------------------------------------------------------------------------
I place this so that it runs during startup (and bootstraps AMPRGW's IP):
----------------------------------------------------------------------------------------
# LOAD AMPR ipipfilter INPUT RULE
# ipset is an extension to iptables that allows you to create firewall rules that
# match entire "sets" of addresses at once.
ipset create ipipfilter hash:ip
ipset -A ipipfilter 169.228.34.84
-------------------------------------------------------------------------------------------------------------------------------------------
I place this in a Shell script (load_ipipfilter.sh) so it's executed after each route update via the ampr-ripd
-x argument
-------------------------------------------------------------------------------------------------------------------------------------------
#!/bin/sh # This script load_ipipfilter.sh is executed by Marius, YO2LOJ's ampr-ripd routing daemon it # loads the saved routes (/var/lib/ampr-ripd/encap.txt) into the ipipfilter ipset list PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbi n:/bin" AMPRGW="169.228.34.84" gwfile="/tmp/gw" cd /var/lib/ampr-ripd || exit 1 grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile ipset -N ipipfilter hash:ip 2>/dev/null if [ $? -eq 0 ] then ipset flush ipipfilter ipset -A ipipfilter $AMPRGW while read ip do ipset -A ipipfilter $ip done <$gwfile else ipset flush ipipfilter ipset -A ipipfilter $AMPRGW while read ip do ipset -A ipipfilter $ip done <$gwfile fi rm -f $gwfile
iptables -t filter -I INPUT -p 4 -i eth0 -m set --match-set ipipfilter src -j ACCEPT
73, - Lynwood KB3VWG
[44net] ampr-ripd 1.12 released
From: "Marius Petrescu" <marius at yo2loj.ro
Date: 11/16/2014 01:36 PM
To: AMPRNet working group
Hello OMs,
Following the idea from Rob, PE1CHL, I added the possibility to execute a
system command from ampr-ripd if routes are set or changed. This will happen on startup, after an existing encap is found in
/var/lib/ampr-ripd, or after 30 seconds after a RIP update, if there is a change in the encap data (AFTER saving the new encap file if requested).
Thanks Marius! I have installed it on my own gateway and the 44.137 gateway and
first tests shows it works fine.
For the others: I requested this feature to modify a firewall when gateways change
address. Before I accepted IPIP packets from everyone, but this is a weakness in the
system that maybe could be exploited. I observed rogue IPIP packets from the far east.
So instead of:
iptables -A firewall -p 4 -j ACCEPT
on the incoming interface, I now have:
iptables -A firewall -p 4 -j ipipfilter
and I have the following script that inserts/updates the ipipfilter list:
-----
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" AMPRGW="169.228.66.251" gwfile="/tmp/gw" cd /var/lib/ampr-ripd || exit 1 grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile if iptables -N ipipfilter 2>/dev/null then iptables -F ipipfilter iptables -A ipipfilter -s $AMPRGW -j ACCEPT while read ip do iptables -A ipipfilter -s $ip -j ACCEPT done <$gwfile iptables -A ipipfilter -j DROP else iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \ sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \ while read d ip do case "$d" in ">") iptables -I ipipfilter -s $ip -j ACCEPT ;; "<") iptables -D ipipfilter -s $ip -j ACCEPT ;; *) ;; esac done fi rm -f $gwfileThe full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x option to ampr-ripd. It will load the entire filter the first time, and later it will only update the filters that have changed. It is required that the -s option is passed as well, so the encap.txt file is created by ampr-ripd. Now I only accept IPIP packets from addresses in the gateway list, which makes me feel a bit safer. (of course sanity checks were already done on the incoming IPIP packets) Rob, PE1CHL