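#!/bin/sh
# KB9MWR 07/2019  amprnet routing including rules.
# Uses ampr-ripd 1.16.3 by Marius, YO2LOJ
# Further explained at:
# http://www.qsl.net/kb9mwr/wapr/tcpip/ampr-ripd.html
#
# Must run as root (sysctl, ip and iptables all need it).
#
# The script is written to be re-runnable: addresses and routes are installed
# with "replace", ip rules are deleted before being re-added, and iptables
# rules are only added when an identical rule is not already present, so
# running it twice (or from more than one boot hook) does not stack duplicate
# rules or fail with "RTNETLINK answers: File exists".
#
# NOTE(review): there is deliberately no "set -e": each step only reports its
# failure on stderr and the rest of the configuration still runs, so a single
# missing interface does not leave the host half-configured.

set -u

##################################################################
### SITE SETTINGS (edit these for your own allocation) ###
TUN=tunl0                   # IPIP tunnel interface used for AMPRnet
RT=44                       # policy-routing table for net-44 traffic
AMPR_HOST=44.92.21.1        # this server's AmprNet address (lives on $TUN)
AMPR_NET=44.92.21.0/24      # our whole AmprNet allocation
LAN_IF=eth1                 # local 44 wireless LAN
LAN_NET=44.92.21.0/25       # LAN half of the allocation
VPN_IF=tun0                 # OpenVPN interface
VPN_NET=44.92.21.128/25     # OpenVPN half of the allocation
# do NOT change this IP: it is the central AMPR Gateway (new UCSD address
# 5/2017) and all traffic leaving AMPRnet towards the Internet MUST pass it.
AMPRGW=169.228.34.84

##################################################################
### HELPERS ###

# rule_ensure RULE... : install an "ip rule" exactly once.
# "ip rule add" creates a duplicate entry every time it runs, so remove any
# existing copies of the same rule first.
rule_ensure() {
  while ip rule del "$@" 2>/dev/null; do :; done
  ip rule add "$@"
}

# ipt_ensure TABLE -A|-I CHAIN RULE... : add an iptables rule only when an
# identical one is not already in the chain (-C checks for it).
ipt_ensure() {
  _tbl=$1; _how=$2; _chain=$3; shift 3
  iptables -t "$_tbl" -C "$_chain" "$@" 2>/dev/null \
    || iptables -t "$_tbl" "$_how" "$_chain" "$@"
}

##################################################################
### ENABLE IP FORWARDING ###
sysctl -w net.ipv4.ip_forward=1
# NOTE(review): if this host uses strict reverse-path filtering
# (net.ipv4.conf.*.rp_filter=1), packets arriving on $TUN whose reverse
# route points out another interface may be dropped silently.  Not changed
# here -- confirm the host's rp_filter setting for $TUN if tunnel traffic
# only works in one direction.

########################################
### ENABLE IPIP TUNNEL INTERFACE $TUN ###
### the tunnel must exist before routes over it can be added
modprobe ipip
# This server's AmprNet IP
ip addr replace "$AMPR_HOST/32" dev "$TUN"
### give the tunnel its own TTL of 64, which makes traceroute work over it
ip tunnel change ttl 64 mode ipip "$TUN"
### bring it up with MTU 1480 (1500 minus the 20-byte outer IP header);
### "ip link" replaces the deprecated ifconfig call, which is not installed
### on many current systems
ip link set dev "$TUN" mtu 1480 up

########
### AMPR ROUTING RULES ###
# Per PE1CHL: this is required to get routing of the net-44 traffic correct
# and to have a default route for the tunneled traffic that differs from the
# system default route.  It may be possible to get it working without this,
# but policy based routing is so much easier.
### Packets to and from the 44 network use route table $RT
rule_ensure to 44.0.0.0/9 table "$RT" priority 44
rule_ensure to 44.128.0.0/10 table "$RT" priority 44
rule_ensure from "$AMPR_NET" table "$RT" priority 45

####### TABLE $RT ROUTES ###
### Default route [Internet access] via AMPRGW for 44/8 hosts (optional).
### "onlink" is required because the gateway is not on a subnet directly
### attached to $TUN.
ip route replace default dev "$TUN" via "$AMPRGW" onlink table "$RT"
# Local 44 wireless LAN network
ip route replace "$AMPR_NET" dev "$LAN_IF" table "$RT"
# OpenVPN tunnel
ip route replace "$VPN_NET" dev "$VPN_IF" table "$RT"

####################################
# Needed to get data to flow between $LAN_IF and $VPN_IF (OpenVPN)
ipt_ensure nat -A POSTROUTING -s "$VPN_NET" -d "$LAN_NET" -j MASQUERADE

# --- Optional ingress filter on the tunnel (DISABLED, as in the original) ---
# Intent: only accept inner packets sourced from AMPRnet on $TUN, so that an
# arbitrary Internet host cannot encapsulate traffic for this host.
# The two rules originally listed here ("! -s 44.0.0.0/9 DROP" followed by
# "! -s 44.128.0.0/10 DROP") cannot be used together: the two prefixes are
# disjoint, so every packet fails one of the two negated matches and all
# tunnel traffic is dropped.  The shape below (accept the two AMPRnet
# prefixes, drop the rest) is what was meant.
# CAVEAT: with the AMPRGW default route above, replies from Internet hosts to
# local 44 hosts presumably also arrive over $TUN with non-44 inner sources,
# so a plain source filter would break that path; the ESTABLISHED,RELATED
# accept is there to let those replies through.  Test before enabling, and
# mirror the same rules in FORWARD if the LAN/VPN hosts need protecting too.
#ipt_ensure filter -A INPUT -i "$TUN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#ipt_ensure filter -A INPUT -i "$TUN" -s 44.0.0.0/9 -j ACCEPT
#ipt_ensure filter -A INPUT -i "$TUN" -s 44.128.0.0/10 -j ACCEPT
#ipt_ensure filter -A INPUT -i "$TUN" -j DROP

# Other good practice rules:
# Prevent nested ipencap (an IPIP packet carried inside the tunnel)
ipt_ensure raw -I PREROUTING -p 4 -i "$TUN" -j DROP
# Prevent a general loop: never forward tunnel traffic back into the tunnel
ipt_ensure filter -I FORWARD -i "$TUN" -o "$TUN" -j DROP
# Drop outbound packets with unassigned (non-local 44) sources so they do not
# loop through $TUN via ipencap
ipt_ensure filter -I FORWARD ! -s "$AMPR_NET" -o "$TUN" -j DROP

########################################
### START THE ampr-ripd ROUTER DAEMON ###
# -s saves routes to /var/lib/ampr-ripd/encap.txt
# -r use raw socket instead of multicast
# -t routing table to use
# -i tunnel interface to use
# -p RIPv2 password (latest ampr-ripd defaults to the current valid password)
# -a ampr subnets to be ignored (remove your own allocation from the table)
# Only start it when no instance is running (unless ampr-ripd guards against
# this itself, the original started another copy on every run).  If pgrep is
# not installed the daemon is started unconditionally, as before.
if ! pgrep -x ampr-ripd >/dev/null 2>&1; then
  /usr/sbin/ampr-ripd -s -r -t "$RT" -i "$TUN" -a "$AMPR_NET"
fi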