From 22b7950058078c730aa992f48d41e011b187153c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Tue, 3 Jan 2023 02:32:28 +0100 Subject: [PATCH] add section how to set the port and ip addresses for fou MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/iptunnel.md | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/docs/tunneling/iptunnel.md b/docs/tunneling/iptunnel.md index 3eaee1f..ee4dc6b 100644 --- a/docs/tunneling/iptunnel.md +++ b/docs/tunneling/iptunnel.md @@ -82,6 +82,20 @@ The currently used ports can be displayed with the following command: ip fou show ``` +If you want to stop using a port for FOU, you can use the following command: +``` +ip fou del port +``` + +If the error message `RTNETLINK answers: Invalid argument` appears when stop using a port, this may be because you have not specified exactly which port should not be longer used. If you want to not using a port anymore, you must specify the same parameters as you did when you created it: +``` +$ ip fou show +port 5001 gue local 192.168.179.2 peer 192.168.179.3 peer_port 6002 +$ ip fou del port 5001 +RTNETLINK answers: Invalid argument +$ ip fou del port 5001 gue local 192.168.179.2 peer 192.168.179.3 peer_port 6002 +``` + If you get the following error message, you can try to load the FOU kernel module: ``` RTNETLINK answers: No such file or directory @@ -110,11 +124,6 @@ ip link add type gre remote local ttl 255 encap fou ``` Replace `` with the remote port of your peer. -If you want to stop using a port for FOU, you can use the following command: -``` -ip fou del port -``` - ### Generic UDP Encapsulation (GUE) Use the following command to enable FOU for a port: 
@@ -127,3 +136,16 @@ Add the following command to the actual tunnel command: ``` encap gue encap-dport ``` + +### Set souce port and IP addresses manually + +To set the souce port and IP addresses of both peers, there are three additional parameters for fou and one for tunnel: +``` +ip fou add port [gue|ipproto ] peer_port local peer +``` +``` +ip link add [...] encap [...] encap-sport +``` +Here `` is the own port and `` is the port of the peer. `` is its own IP address and `` is the IP address of the peer. + +Specifying the source IP address can prevent an attacker with a wrong source IP address from sending an encapsulated tunnel packet (e. g. GRE or SIT) that has the correct source address in the UDP tunnel. However, this procedure does not protect against IP spoofing.
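Review bot: (hunk `@@ -82,6 +82,20 @@`) the new paragraph explaining `RTNETLINK answers: Invalid argument` is the useful part of this change, but its wording needs tightening before merge: "when stop using a port", "should not be longer used" and "If you want to not using a port anymore" are all ungrammatical. Suggested replacement for that sentence: "If `RTNETLINK answers: Invalid argument` appears when deleting a port, you probably did not specify the port exactly as it was created. `ip fou del` must be given the same parameters (`gue`/`ipproto`, `local`, `peer`, `peer_port`) that were used in `ip fou add`." The example session that follows already shows exactly this (the bare `ip fou del port 5001` fails, the fully qualified one succeeds), so the prose only needs to match it. Also, the relocated `ip fou del port` block now appears before the "load the FOU kernel module" note, which is a better place than its old spot below the GRE example, so the move itself is fine.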
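Review bot: (hunk `@@ -110,11 +124,6 @@`) the removal is a pure relocation: the three deleted lines (`If you want to stop using a port for FOU...`, the fence and `ip fou del port`) reappear verbatim in the first hunk directly after `ip fou show`, so no content is lost and the `ip fou` commands are now grouped together. Nothing further to change here; the blank line before `### Generic UDP Encapsulation (GUE)` is preserved by the trailing context.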
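Review bot: (hunk `@@ -127,3 +136,16 @@`) the heading and the first sentence both misspell "source" as "souce", and "one for tunnel" should read "one for the tunnel"; "`` is its own IP address" should be "your own IP address". More importantly, the security paragraph at the end would benefit from stating what the `local`/`peer`/`peer_port` parameters actually do on the receive side, so readers understand why it helps and why it is not authentication. Suggested wording: "When `peer` and `peer_port` are set, the kernel only accepts FOU/GUE datagrams on this port whose outer UDP source address and port match the configured peer, and delivers everything else to the normal UDP path. This stops a third party from injecting encapsulated packets (e.g. GRE or SIT) from an unrelated source address, but it is only an address filter: a sender that spoofs the peer's outer source address and port still gets through, so it is not a substitute for IPsec or WireGuard-style authentication." It would also help to add one sentence cross-referencing the deletion rule documented earlier in this patch, since every parameter added here (`peer_port`, `local`, `peer`) must be repeated on `ip fou del` or the delete fails with `Invalid argument`.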