add section on how to set the port and IP addresses for FOU
Signed-off-by: Marek Küthe <m.k@mk16.de>
parent 1455755292
commit 22b7950058
@ -82,6 +82,20 @@ The currently used ports can be displayed with the following command:
ip fou show
```
If you want to stop using a port for FOU, you can use the following command:
```
ip fou del port <lport>
```
If the error message `RTNETLINK answers: Invalid argument` appears when stop using a port, this may be because you have not specified exactly which port should not be longer used. If you want to not using a port anymore, you must specify the same parameters as you did when you created it:
```
$ ip fou show
port 5001 gue local 192.168.179.2 peer 192.168.179.3 peer_port 6002
$ ip fou del port 5001
RTNETLINK answers: Invalid argument
$ ip fou del port 5001 gue local 192.168.179.2 peer 192.168.179.3 peer_port 6002
```
If you get the following error message, you can try to load the FOU kernel module:
```
RTNETLINK answers: No such file or directory
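Review bot: the paragraph starting "If the error message `RTNETLINK answers: Invalid argument`" needs a grammar pass: "when stop using a port" should read "when stopping the use of a port", "should not be longer used" should read "should no longer be used", and "If you want to not using a port anymore" should read "If you no longer want to use a port". More importantly, the generic command shown just above it, `ip fou del port <lport>`, is exactly the form the paragraph then says fails for a port created with extra parameters (the `ip fou show` example lists `gue local ... peer ... peer_port ...`). Consider showing the full form once, e.g. `ip fou del port <lport> [gue|ipproto <proto>] [local <local>] [peer <remote>] [peer_port <rport>]`, and stating that every parameter given at `add` time must be repeated at `del` time, so readers do not hit the error in the first place. The "No such file or directory" paragraph is cut off by the hunk boundary here; make sure the following context still names the module and the `modprobe` command it refers to.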
@ -110,11 +124,6 @@ ip link add <interface> type gre remote <remote> local <local> ttl 255 encap fou
```
Replace `<rport>` with the remote port of your peer.
If you want to stop using a port for FOU, you can use the following command:
```
ip fou del port <lport>
```
### Generic UDP Encapsulation (GUE)
Use the following command to enable FOU for a port:
@ -127,3 +136,16 @@ Add the following command to the actual tunnel command:
```
encap gue encap-dport <rport>
```
### Set souce port and IP addresses manually
To set the souce port and IP addresses of both peers, there are three additional parameters for fou and one for tunnel:
```
ip fou add port <lport> [gue|ipproto <proto>] peer_port <rport> local <local> peer <remote>
```
```
ip link add [...] encap [...] encap-sport <lport>
```
Here `<lport>` is the own port and `<rport>` is the port of the peer. `<local>` is its own IP address and `<remote>` is the IP address of the peer.
Specifying the source IP address can prevent an attacker with a wrong source IP address from sending an encapsulated tunnel packet (e. g. GRE or SIT) that has the correct source address in the UDP tunnel. However, this procedure does not protect against IP spoofing.
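Review bot: the closing paragraph on source addresses is hard to parse as written ("an attacker with a wrong source IP address ... that has the correct source address in the UDP tunnel") and should state plainly what the `local`/`peer`/`peer_port` binding buys: the kernel only decapsulates UDP packets whose outer source address and port match the configured peer, and anything from another address is dropped before it reaches the GRE or SIT layer; because that check is on the outer source address, a spoofed outer source is not caught, which is the point the last sentence is making. Two typos in this hunk: "souce" in the heading `### Set souce port and IP addresses manually` and again in "To set the souce port and IP addresses" should be "source". Since a port added with `local`, `peer` and `peer_port` can only be removed by repeating those parameters (as the `Invalid argument` example earlier in this change shows), a one-line pointer to that paragraph would save readers a round trip, and it is worth noting the minimum kernel/iproute2 version that accepts these `ip fou add` parameters, since releases without them reject the command.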