[nos-bbs] Not Sure if my IPtables forwarding RIP is working

Chris Maness christopher.maness at gmail.com
Sun Dec 18 22:01:48 EST 2022


Response in your text below.

On Sun, Dec 18, 2022 at 6:47 PM <maiko at pcsinternet.ca> wrote:
>
> IF you have a static IP address, and it's listed in your gateways entry,
> you can use something like this to send ALL incoming IPIP packets direct
> to JNOS via the tun interface between JNOS and linux :
>
>     iptables -t nat -A PREROUTING -i eth0 -p 4 -j DNAT --to-destination 192.168.200.201
>

Thank you.

> In the above example 192.168.200.201 is the JNOS SIDE of the tun
> interface.
>
> Of course my JNOS does the IPIP, not linux. You could probably use a
> form of the above as well if all you want is just the RIP packets and
> nothing else ?
>
> Not sure why I am posting this though, since I have the feeling you
> don't have a static IP address at your disposal, so what Bob mentioned
> probably applies.
>

I have 5 public statics that are fully exposed to the wild.

I made a stupid mistake as I had set up a new box and did not have IP
forwarding turned on.  So I just rebooted and we will see how it behaves
now.

> Maiko
>
> On 2022-12-18 18:08, Chris Maness wrote:
> > Totally got that.  I have that daemon compiled.  I just wanted to see
> > if I could just pipe the RIP into JNOS with IPtables.  I may do it
> > that way, but feel compelled to try to figure out what went wrong with
> > my first idea as I would like to have a better understanding of
> > IPtables.
> >
> > Chris KQ6UP
> >
> > On Sun, Dec 18, 2022 at 2:44 PM Boudewijn (Bob) Tenty <bob at tenty.ca>
> > wrote:
> >>
> >> Oops, I mean to jnos
> >>
> >> On 2022-12-18 17:39, Boudewijn (Bob) Tenty wrote:
> >> > If you want to have the rip broadcast by ucsd populate the route table for ipip in Linux
> >> > you'll need to have a daemon running like ampr-ripd, which is listening for these broadcasts.
> >> > Without a daemon (and so a tunl0 interface) you will see no ipip routes in the table.  If you
> >> > want this to be handled by jnos instead, you'll have to forward it to jnos. Almost all gateway
> >> > operators have a daemon running in Linux.
> >> >
> >> > Bob VE3TOK
> >> >
> >> > On 2022-12-18 11:59, Chris Maness wrote:
> >> >> I cross posted this on Reddit (I am disclaiming that fact as if it is
> >> >> a sin, but don't know why it is a bad thing).  Read virtual host on
> >> >> virtual lan tun/tap tun0 as JNOS and 4.3.2.1 as my GW address that is
> >> >> on eth0 of this machine.
> >> >>
> >> >> I thought I had this right, but I am not seeing packets on the TUN/TAP
> >> >> device to the virtual lan. The host that needs RIP2 data is on
> >> >> 192.168.2.1 using the tun0 TUN/TAP on a Linux host. I am using
> >> >> wireshark to see whether RIP is making it to TUN/TAP, but not sure I
> >> >> understand that device correctly. I was thinking that I can see RIP
> >> >> frames come in on eth0 and then subsequently see them on tun0 as it is
> >> >> listed in wireshark. However, as I was composing this post, I realized
> >> >> that the RIP packet may not need to be retransmitted on tun0 because
> >> >> it acts like a wiretap on eth0 so would not need to have any frames
> >> >> retransmitted on it, but I am not certain in this behavior. However,
> >> >> the bottom line is RIP does not seem to be populating tables on the
> >> >> 192.168.2.1 host. Public IP's in my example here have been obfuscated
> >> >> by 4.3.2.1 -- take that as an IP exposed to the wild. Here are my
> >> >> IPTABLES commands:
> >> >> # iptables -t nat -A PREROUTING --dst 4.3.2.1 -p udp --dport 520 -j DNAT --to-destination 192.168.2.1
> >> >> # iptables -t nat -n -L
> >> >> Chain PREROUTING (policy ACCEPT)
> >> >> target     prot opt source               destination
> >> >> DNAT       udp  --  0.0.0.0/0            4.3.2.1              udp dpt:520 to:192.168.2.1
> >> >> Chain INPUT (policy ACCEPT)
> >> >> target     prot opt source               destination
> >> >> Chain OUTPUT (policy ACCEPT)
> >> >> target     prot opt source               destination
> >> >> Chain POSTROUTING (policy ACCEPT)
> >> >> target     prot opt source               destination
> >> >> ###
> >> >> I hope that is clear as to what I am trying to accomplish, and whether
> >> >> or not this should work.
> >> >> Thanks in advance,
> >> >> Chris KQ6UP
> >> >>
> >> --
> >> There is nothing permanent except change
> >>
> >> -Heraclitus
> >>
> >>
> >> _______________________________________________
> >> nos-bbs mailing list
> >> nos-bbs at lists.tapr.org
> >> http://lists.tapr.org/mailman/listinfo/nos-bbs_lists.tapr.org



-- 
Thanks,
Chris Maness
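Added example (editor's addition, not code posted by anyone in this thread): a small POSIX shell helper that applies the DNAT Chris posted and bolts on the two checks the thread turns on. First, that the kernel is actually forwarding, since DNAT only rewrites the destination and the packet then has to be forwarded from eth0 out tun0 (the mistake Chris found). Second, whether the PREROUTING rule is matching at all, read from the packet counter in `iptables -t nat -vnL PREROUTING`, so a "no packets on tun0" symptom can be split into "rule never matched" versus "matched but not forwarded". The addresses and interface names (4.3.2.1, 192.168.2.1, eth0, tun0) are the ones from the post; the FORWARD accept rule, the IP_FORWARD_FILE override and the counter parsing are assumptions made for this example.

```shell
#!/bin/sh
# Added example for the thread above, not code posted by anyone in it.
# Hands RIPv2 (UDP/520) arriving on the public address to the JNOS side of
# the tun, and gives two checks: is forwarding on, and is the rule matching.
# Assumed values (from the post): public address 4.3.2.1, JNOS side of the
# tun 192.168.2.1, WAN interface eth0, tun interface tun0. The FORWARD rule
# and the IP_FORWARD_FILE override are additions for this example.
set -u

PUB_IP="${PUB_IP:-4.3.2.1}"
JNOS_IP="${JNOS_IP:-192.168.2.1}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
# Kernel forwarding knob; overridable so the check can be run against a file.
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Emit the commands. DNAT only rewrites the destination; the packet is then
# *forwarded* from eth0 to tun0, which needs ip_forward=1 and a FORWARD
# accept (a FORWARD DROP policy silently eats it with no error anywhere).
rip_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -d $PUB_IP -p udp --dport 520 -j DNAT --to-destination $JNOS_IP
iptables -A FORWARD -i $WAN_IF -o $TUN_IF -d $JNOS_IP -p udp --dport 520 -j ACCEPT
EOF
}

# True (exit 0) when the kernel will forward between interfaces.
forwarding_enabled() {
    [ "$(cat "$IP_FORWARD_FILE" 2>/dev/null)" = "1" ]
}

# Read `iptables -t nat -vnL PREROUTING` on stdin and print the packet
# counter of the first DNAT rule matching dpt:520, or "none" if no such rule
# is loaded. A counter stuck at 0 while Wireshark shows RIP on eth0 means the
# match itself is wrong (interface, destination, or protocol), not forwarding.
rip_rule_hits() {
    awk '/DNAT/ && /dpt:520/ { print $1; found = 1; exit }
         END { if (!found) print "none" }'
}

# Full verification as typed on the gateway.
verify() {
    if forwarding_enabled; then
        echo "ip_forward: on"
    else
        echo "ip_forward: OFF (sysctl -w net.ipv4.ip_forward=1)"
    fi
    echo "DNAT hits: $(iptables -t nat -vnL PREROUTING 2>/dev/null | rip_rule_hits)"
}

case "${1:-}" in
    show)   rip_rules ;;
    apply)  rip_rules | sh -e ;;
    verify) verify ;;
esac
```

Run it as `sh rip-dnat.sh show` to review the rules, `apply` as root to load them, and `verify` after a RIP interval has passed. One caveat that follows from Maiko's `-p 4` rule: if the RIP announcement arrives inside the IPIP tunnel, PREROUTING on eth0 sees the outer header, which is protocol 4, not UDP, so a UDP/520 match there never fires; only after something (a tunl0 interface) decapsulates does the inner UDP packet pass PREROUTING again, with in-interface tunl0, where the match can apply. The counter check above shows which of those two situations you are in. Also, tun0 is an ordinary interface, not a wiretap on eth0: a packet the kernel forwards out tun0 is transmitted on tun0 and Wireshark captures it there, so its absence is a real symptom.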
