XRPi Documentation - Sysop Commands

IP Commands

Synopsis

        IP
        IP BAN <ipaddr> | LIST | PORT <start> [end]
        IP CONFIG
        IP HEARD
        IP QUIET [level]
        IP ROUTES [ipaddr] [bits] [d|v|n|e|i|r|s|u|k]
        IP ROUTE ADD <host>[/len] <gateway> <port> [mode [metric]]
        IP ROUTE ADDPRIVATE <host/bits> encap <gateway>
        IP ROUTE CMD [0-1]
        IP ROUTE DROP <host> <len>
        IP ROUTE DEFAULT <port> [gateway [mode]]
        IP ROUTE LIST [ipaddr] [bits] [d|v|n|e|i|r|s|u|k]
        IP ROUTE LOAD
        IP ROUTE LOOKUP <host>
        IP TTL [ttl]
        IP UNBAN <ipaddr>

Description

The IP commands are used to display and alter some of the IP (Internet Protocol) parameters, and the contents of the table responsible for routing of IP datagrams.

[Internet Protocol is specified in RFC791]

The commands are as follows:

IP

When used without arguments, the IP command displays a list of its sub-commands:

ip
G8PZT-14:PZT14} Subcmds: BAN, CONFIG, HEARD, QUIET, ROUTE, ROUTES, TTL, UNBAN

IP BAN

Syntax: IP BAN <ipaddr> | LIST | PORT <start> [end]

Bans an IP address or TCP port(s), or lists the banned addresses.

Example: IP BAN 202.131.22.127

Datagrams from "banned" IP addresses are silently discarded. This would typically be used to prevent or suppress malicious activity. The "IP BAN LIST" command displays a list of the banned IP addresses, for example:

ip ban list
G8PZT-14:PZT14} Banned IP's:
IP Address       Type  Hits           Last-hit
192.168.0.100    Auto  10             07/04/19 02:16:18

Only explicit addresses can be banned at present. The ability to ban address ranges may be added if there is sufficient interest.

The "type" field shows "Manual" if the address was added using the IP BAN command, or "Auto" if it was added automatically by XRPi. In the above case the address was added automatically because an attacker entered "root" at the callsign: prompt.

The "hits" field shows how many datagrams were heard (and dropped) since the ban started.

A maximum of 200 addresses can be banned. Automatic banning only works if there are fewer than 200 "manual" entries, so it pays not to fill up the table with manual entries. If the list fills up, new automatic bans overwrite the oldest automatic ones. Large tables may reduce IP performance.

IP addresses are removed from the list using the IP UNBAN command (see below).

A TCP port ban is used to create a "honeypot" to snare attackers. Anyone attempting to connect to a honeypotted TCP port gets an automatic IP ban, preventing them from going any further.

Example: IP BAN PORT 5900

Attackers often start their TCP port probes with "profitable" ports such as 443 and 5900 (TightVNC). By honeypotting 5900 and using a different port for TightVNC, you can reduce the likelihood that an attacker will find your TightVNC port. Once he has tried 5900, he is locked out of the system.

This feature is a legacy from an unreleased later version of XR16, which was used as an Internet router / firewall. It is unlikely to be of much use in XRPi unless you are using it as a firewall.
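
The table behaviour described in this section (200-entry limit, oldest automatic bans overwritten first, honeypot ports that trigger automatic bans), modelled in Python. This is an added illustration, not XRPi code: the class and method names are hypothetical, and two points the page leaves open are assumptions, namely that a full table refuses a new manual entry and that the datagram which trips a honeypot is dropped without being counted as a hit.

```python
from dataclasses import dataclass

MAX_BANS = 200  # table size stated on the page


@dataclass
class Ban:
    kind: str       # "Manual" or "Auto", as in the Type column
    since: int      # constructed tick counter standing in for the ban start time
    hits: int = 0   # datagrams heard (and dropped) since the ban started


class BanTable:
    def __init__(self):
        self.bans = {}           # ip -> Ban
        self.honeypots = set()   # TCP ports set with IP BAN PORT
        self.tick = 0

    def ban(self, ip, kind="Manual"):
        self.tick += 1
        if ip in self.bans:
            return True
        if len(self.bans) >= MAX_BANS:
            autos = [a for a, b in self.bans.items() if b.kind == "Auto"]
            if kind != "Auto" or not autos:
                return False     # assumption: a full table refuses the entry
            # new automatic bans overwrite the oldest automatic one
            del self.bans[min(autos, key=lambda a: self.bans[a].since)]
        self.bans[ip] = Ban(kind, self.tick)
        return True

    def ban_port(self, start, end=None):
        self.honeypots.update(range(start, (end or start) + 1))

    def unban(self, ip):
        return self.bans.pop(ip, None) is not None

    def accept(self, src_ip, tcp_dport=None):
        """Return True if the datagram is passed on, False if it is dropped."""
        if src_ip in self.bans:
            self.bans[src_ip].hits += 1
            return False
        if tcp_dport in self.honeypots:
            self.ban(src_ip, "Auto")   # may fail when 200 manual entries exist
            return False
        return True
```

With 200 manual entries in the model, a honeypot connection is still dropped but the source is not banned, which is the reason the text advises against filling the table by hand.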

IP CONFIG

Syntax: IP CONFIG

Displays XRPi's IP configuration information, for example:

G8PZT-14:PZT14} IP Configuration:

	Host Name:           b4.gb7pzt.ampr.org
	Domain Suffix:       ampr.org.
	Primary IP Address:  44.131.93.37
	Ethernet LAN:        Direct, via own IP stack
	Default TTL:         127
	Stealth Level:       0 (Normal)
	IP Filtering:        Enabled
	IP Routing Enabled:  Via XR ports & Encap modes only
	IPIP (94) Enabled:   Via XR32 ports only
	IPENCAP (4) Enabled: Via XR ports only
	IPUDP Enabled:       Via XR ports only, UDP: 95
	DNS Server(s):       Kernal Resolver

   EthernetPort (7):

	Description:         Ethernet
	Interface Name:      eth0
	DHCP Enabled:        No
	Physical Address:    8E:70:A0:B4:A6:60
	IP Address:          192.168.0.221
	Subnet Mask:         0.0.0.0

   EthernetPort (10):

	Description:         Wireless Lan
	Interface Name:      wlan0
	DHCP Enabled:        No
	Physical Address:    8E:70:A0:B4:A6:60
	IP Address:          192.168.0.222
	Subnet Mask:         0.0.0.0

   Port (8):

	Description:         AXUDP Link with LinBPQ
	DHCP Enabled:        No
	IP Address:          192.168.0.34
	Subnet Mask:         0.0.0.0

   Port (9):

	Description:         AXUDP Link with 2nd XRPi
	DHCP Enabled:        No
	IP Address:          127.0.0.1
	Subnet Mask:         0.0.0.0

This command is useful for verifying that the intended configuration is correct. Not all ports are shown, only those whose IP address differs from the default.

IP HEARD

Syntax: IP HEARD

Lists the originating addresses of the IP datagrams that have been heard by XRPi since it was started. For example:

IP Address      Last Heard         Packets / Bytes
192.168.0.2     07/04/19 06:16:00  113 / 5198
192.168.0.100   07/04/19 02:15:24  6 / 311
(End of list)

The list is limited to 100 entries.

IP QUIET

Syntax: IP QUIET [level]

The IP QUIET command is used to display or set XRPi's "stealth" level, i.e. how it responds to ICMP echo requests and TCP port probes. If the level is zero, XRPi behaves normally. If a non-zero argument is supplied, XRPi becomes stealthy. The stealth level is specified by adding together some or all of the following values:

	1   Suppress ICMP echo replies.
	2   Suppress Protocol unreachable
	4   Suppress TCP refusals
	8   Suppress all ICMP errors

Example: IP QUIET 15 -- Suppress everything

Whilst IP stealth may be desirable in some situations, it makes life awkward for sysops who rely on ICMP to diagnose problems. You will undoubtedly need to test your own system at some point, and will regret setting this to anything other than zero.

IP ROUTE ADD

Syntax: IP ROUTE ADD <host>[/len] <gateway> <port> <mode> [metric]

Example: IP ROUTE ADD 44.131.95.0/24 44.131.95.240 9 d

The ROUTE ADD subcommand adds an entry to the routing table.

<host> is the target host IP address, and [len] is the optional number of bits (0-32) to be matched (from the left). If [len] is not specified, it defaults to 32, i.e. exact match.

For example, 44.131.90.1/32 means "match all 32 bits", whereas 44.131.90.0/24 means "match the most significant 24 bits", and would route all 256 addresses from 44.131.90.0 to 44.131.90.255.

The <gateway> argument is the address of a system which can handle the datagram. For direct neighbours, this is the same as the <host> address, or the abbreviation '*' can be used.

The meaning of <port> varies with the [mode]. For (d)atagram and (v)irtual circuit modes, this is the radio port number on which to route the datagram. For encapsulated modes (e,i,u), (n)etrom, (r)eject and (s)ilent discard modes, this is ignored and should be 0. For (i)pudp mode, this can optionally specify the UDP service number to use (default=94).

The <mode> argument specifies how the datagram is routed, as follows:

	d = Datagram (direct)
	e = Encap (ip-over-ip protocol 4)
	i = IPIP  (ip-over-ip protocol 94)
	k = Kernel (i.e. via Linux)
	n = Netrom (ip-over-netrom)
	r = Reject
	s = Silent discard
	u = IPUDP  (ip-over-UDP) 
	v = Virtual circuit (ip-over-ax25)

The usual mode is "datagram". However, on less than perfect RF links, better performance can be obtained by using Virtual Circuit mode.

Netrom mode is less efficient, but can "tunnel" datagrams across non-ip parts of the network.

Encap, IPIP and IPUDP are used for tunneling amateur IP across the public internet.

Reject and Silent discard are used to suppress bouncing and looping.

Kernel mode tells XRPi to use Linux's IP stack for anything matching the entry, but see Caveats below.

Error Messages:
If the route was accepted, the response is "OK", otherwise "Error (n)", where n is one of the following:

	1	The specified "mode" wasn't recognised.
	2	Not enough memory.
	10	The specified "port" didn't exist.
	11	One or more mandatory field(s) missing.
	12	The "host" field was not a valid IP address.
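
A pre-check for IP ROUTE ADD lines, written as an added example and not taken from XRPi: it applies the syntax and error numbers above, then resolves a destination by comparing the leftmost [len] bits. The function names, the order of the checks, reporting an out-of-range /len as error 12, skipping the port check for mode k, and "most specific match wins" are all assumptions; the sample lines are constructed.

```python
import ipaddress

MODES = set("deiknrsuv")      # mode letters listed on the page


def parse_route_add(line, ports):
    """Return (route, 0), or (None, n) with n an error number from the page.
    The order of the checks is an assumption."""
    args = line.split()[3:]                    # drop "IP ROUTE ADD"
    if len(args) < 4:
        return None, 11                        # mandatory field(s) missing
    target, gateway, port, mode = args[:4]
    host, _, bits = target.partition("/")
    try:
        addr = int(ipaddress.IPv4Address(host))
        length = int(bits) if bits else 32     # no /len means exact match
    except ValueError:
        return None, 12                        # host not a valid IP address
    if not 0 <= length <= 32:
        return None, 12                        # assumption: bad /len reported as 12
    mode = mode.lower()
    if mode not in MODES:
        return None, 1                         # mode not recognised
    # Port is checked for d and v only; treating k like the "ignored" modes is assumed.
    if mode in "dv" and (not port.isdigit() or int(port) not in ports):
        return None, 10                        # port does not exist
    if gateway == "*":                         # direct-neighbour abbreviation
        gateway = host
    return (addr, length, gateway, port, mode), 0


def matches(route, dest):
    """Compare only the leftmost `length` bits, as the page describes."""
    shift = 32 - route[1]
    return int(ipaddress.IPv4Address(dest)) >> shift == route[0] >> shift


def lookup(table, dest):
    """Most specific match wins (assumed; the page does not give the order)."""
    hits = [r for r in table if matches(r, dest)]
    return max(hits, key=lambda r: r[1], default=None)


# Constructed sample lines, not from a real IPROUTE.SYS; port 9 is assumed to exist.
SAMPLE = ["IP ROUTE ADD 44.131.95.0/24 44.131.95.240 9 d",
          "IP ROUTE ADD 44.0.0.0/8 192.0.2.1 0 e"]
TABLE = [parse_route_add(s, {9})[0] for s in SAMPLE]
```

Because only the leftmost bits are compared, the /8 entry in the sample matches every 44.x.x.x destination that has no longer match, whatever the remaining octets of the <host> field say.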

IP ROUTE ADDPRIVATE

Syntax: IP ROUTE ADDPRIVATE <host/bits> encap <gateway>

Example: IP ROUTE ADDPRIVATE 44.131.92.0/8 encap 62.31.45.67

The ROUTE ADDPRIVATE subcommand is the same as ROUTE ADD, except that it marks the route "private", hiding it from non-sysops. The regular form has the same syntax as ROUTE ADD and can accept any mode, whereas the shortened form shown above is provided for backward compatibility with "encap.txt", and can only accept mode "encap".

Please do not over-use ADDPRIVATE, as it hinders the diagnosis of networking problems, and many consider it to be contrary to the spirit of Ham Radio.

IP ROUTE CMD

Syntax: IP ROUTE CMD [0-1]

IP ROUTE CMD controls whether non-sysops are allowed to use the IP ROUTES and IPR[outes] commands. On amateur networks, however, it is considered bad practice to hide IP routing.

The argument is either 0 (disable) or 1 (enable). The latter is the default.

IP ROUTE DEFAULT

Syntax: IP ROUTE DEFAULT <port> [gateway [mode]]

Example: IP ROUTE DEFAULT 3 44.131.90.6 v

The IP ROUTE DEFAULT command configures a default route which is used to route datagrams in the absence of any other matching route.

<port> is the radio port number on which to route the datagram.

The optional [gateway] argument specifies the IP address of a system which can handle the datagram. If no gateway is specified, any target routed by this entry is assumed to be a direct neighbour.

The optional [mode] argument specifies how the datagram is routed. See the list of modes in IP ROUTE ADD above. If not specified, the mode defaults to (d)atagram.

IP ROUTE DROP

Syntax: IP ROUTE DROP <host> <len>

Example: IP ROUTE DROP 44.131.97.1 32

The ROUTE DROP subcommand removes an entry from the table. Both the target host and the mask must match.

IP ROUTE LIST

Syntax: IP ROUTE LIST [ipaddr] [bits] [d|v|n|e|i|r|s|u|k]

The ROUTE LIST subcommand displays XRPi's routing table. This comprises entries from IPROUTE.SYS, ENCAP.TXT, BOOTCMDS.SYS and any manually-entered routes.

This form of the command is provided for the sake of completeness. More compact forms of the command are "IP ROUTES" and "IPR".

The response can be copious, so it can optionally be filtered by IP address(es) and/or mode.

Example: "IP ROUTE LIST e"   (Shows only "encap" routes)

Example: "IP ROUTE LIST 44.131.0.0 16"   (Shows only UK routes)

IP ROUTE LOAD

Syntax: IP ROUTE LOAD

The ROUTE LOAD subcommand clears the existing IP parameters and tables, and reloads them from IPROUTE.SYS.

IP ROUTE LOOKUP

Syntax: IP ROUTE LOOKUP <host>

Example: IP ROUTE LOOKUP bbc.co.uk

The ROUTE LOOKUP subcommand displays the gateway and port which XRPi will use to reach a given destination.

IP ROUTES

Syntax: IP ROUTES [ipaddr] [bits] [d|v|n|e|i|r|s|u|k]

The ROUTES subcommand displays XRPi's routing table. This comprises entries from IPROUTE.SYS, ENCAP.TXT, BOOTCMDS.SYS and any manually-entered routes.

The shortened form of the command is "IPR". An alternative is IP ROUTE LIST.

The response can be copious, so it can optionally be filtered by IP address(es) and/or mode.

Example: "IP ROUTES e"   (Shows only "encap" routes)

Example: "IP ROUTES 44.131.0.0 16"   (Shows only UK routes)

IP TTL

Syntax: IP TTL [ttl]

Example: IP TTL 25

The TTL subcommand specifies the default "Time To Live" for datagrams originating at this host.

IP UNBAN

Syntax: IP UNBAN <ipaddr>

Removes an IP address from the "banned" list.

Example: IP UNBAN 202.131.22.127

See IP BAN above.

Availability

The IP ROUTES command is available to all, provided it hasn't been disabled by the sysop. The remaining commands are sysop-only.

Files

The IP ROUTE ADD, IP ROUTE DEFAULT, IP TTL and IP QUIET commands may be used in IPROUTE.SYS and BOOTCMDS.SYS, but it is more usual to define IP routing in IPROUTE.SYS.

When XRPi boots, it first reads IPROUTE.SYS, then ENCAP.TXT, then finally BOOTCMDS.SYS.

Caveats

Mode "k" should be used with caution. It means "Use Linux kernel TCP/IP services to reach this destination", and is intended only as a last resort, e.g. when the EXTERNAL interface is not present.

This mode allows XRPi to originate and terminate TCP, UDP, IPIP, ICMP, AXIP etc using Linux's IP addresses, but not to route unencapsulated IP between Linux and any of XRPi's ports, e.g. from RF to Internet.

Notes

The IP routing table is necessary only for IP, and does not take any part in normal AX25 and Netrom activities. See the full manual for details on how to set up the IP system.

See Also

  • IP-PRIMER -- IP Addressing / Routing Primer.
  • IPROUTE(1) -- Display IP Routes
  • IPROUTE.SYS -- IP Routing / Configuration File