Hi all,
I'm implementing this IPTABLES script:
https://www.cyberciti.biz/faq/block-entier-country-using-iptables/
It should avoid traffic coming from these attackers towards 44-net
hosts belonging to my subnets.
Just some examples:
Apr 20 21:42:52 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=180.97.106.162 DST=44.134.224.50 LEN=40 TOS=0x00 PREC=0x00 TTL=231 ID=54321 PROTO=TCP SPT=36243 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT= MAC= SRC=119.28.68.144 DST=44.134.0.1 LEN=92 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=18388 SEQ=1
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=182.254.6.23 DST=44.134.160.1 LEN=84 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=21669 SEQ=4
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=119.145.248.226 DST=44.134.192.31 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=30562 PROTO=TCP SPT=1235 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=119.145.248.226 DST=44.134.192.31 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=30562 PROTO=TCP SPT=1235 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT= MAC= SRC=101.226.77.16 DST=44.134.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2294 SEQ=4
I'm blocking entire blocks from countries like China, Afghanistan, US,
Brazil, Romania, Russia, Italy (why not?).
I will add at the end the bogon list that Lynwood shared.
Of course, a cleanup of the Ampr.org DNS would help a lot.
Definitely this is something I have to do for Italy...
This issue gave me the opportunity to play again with IPTABLES after
many years :)
Regards,
Marco
iw2ohx
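As an added example (not part of Marco's message or the cyberciti script he links), the following Python parses kernel LOG lines in exactly the form quoted above and summarises which sources and services the country rules are dropping, which is the first thing to check before trusting a block list. The sample input is the six lines from the post, unwrapped; the field names (IN, OUT, SRC, DST, PROTO, DPT, TYPE) are the ones the netfilter LOG target writes. It also copes with the detail visible in the post: the --log-prefix "cn Country Drop" was set without a trailing space, so the prefix runs into the IN= field.

```python
"""Summarise netfilter LOG output (added example, not from the original thread)."""
from collections import Counter

# Sample input: the six LOG lines quoted in the post, each re-joined onto one line.
SAMPLE_LOG = """\
Apr 20 21:42:52 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=180.97.106.162 DST=44.134.224.50 LEN=40 TOS=0x00 PREC=0x00 TTL=231 ID=54321 PROTO=TCP SPT=36243 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT= MAC= SRC=119.28.68.144 DST=44.134.0.1 LEN=92 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=18388 SEQ=1
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=182.254.6.23 DST=44.134.160.1 LEN=84 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=21669 SEQ=4
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=119.145.248.226 DST=44.134.192.31 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=30562 PROTO=TCP SPT=1235 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=119.145.248.226 DST=44.134.192.31 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=30562 PROTO=TCP SPT=1235 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT= MAC= SRC=101.226.77.16 DST=44.134.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2294 SEQ=4
"""


def parse_line(line):
    """Return a dict of LOG fields for one syslog line, or None if it is not a LOG line."""
    _, sep, body = line.partition("kernel: ")
    if not sep:
        return None
    # The LOG target always starts its field list with IN=. When the rule's
    # --log-prefix lacks a trailing space (as in the post), the prefix text is
    # glued to it ("DropIN=tunl0"), so split on the first IN= rather than on spaces.
    idx = body.find("IN=")
    if idx < 0:
        return None
    fields = {"prefix": body[:idx].strip(), "flags": []}
    for tok in body[idx:].split():
        if "=" not in tok:
            fields["flags"].append(tok)      # bare flags such as DF, SYN, ACK
            continue
        key, _, val = tok.partition("=")
        # ICMP lines carry two ID= fields: the IP header ID and the echo identifier.
        # Keep the first under ID and the second under ICMP_ID.
        if key == "ID" and "ID" in fields:
            key = "ICMP_ID"
        fields[key] = val                    # empty values (OUT=, MAC=) stay ""
    return fields


def service_of(entry):
    """Name the targeted service: proto/port for TCP/UDP, proto/type for ICMP."""
    proto = entry.get("PROTO", "?")
    if proto in ("TCP", "UDP"):
        return f"{proto}/{entry.get('DPT', '?')}"
    return f"{proto}/type{entry.get('TYPE', '?')}"


def summarise(text):
    """Aggregate a block of LOG lines into counts a defender would look at first."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    # OUT= empty means the packet was addressed to this host itself (INPUT path);
    # a non-empty OUT means the gateway was about to forward it into the tunnel.
    forwarded = sum(1 for e in entries if e.get("OUT"))
    return {
        "entries": len(entries),
        "prefixes": Counter(e["prefix"] for e in entries),
        "by_src": Counter(e["SRC"] for e in entries),
        "by_dst": Counter(e["DST"] for e in entries),
        "by_service": Counter(service_of(e) for e in entries),
        "forwarded": forwarded,
        "local": len(entries) - forwarded,
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['entries']} drops: {s['forwarded']} forwarded, {s['local']} to the gateway itself")
    for src, n in s["by_src"].most_common():
        print(f"  {src:<16} {n}")
    for svc, n in s["by_service"].most_common():
        print(f"  {svc:<12} {n}")
```

Feeding the post's six lines through it shows two ICMP echo requests aimed at the gateway address 44.134.0.1 (OUT= empty) and four packets the gateway was about to forward into tun1, two of them repeated SYNs to TCP/1433 from the same source. Adding a trailing space to the --log-prefix in the rules makes the prefix readable by ordinary tools, but the parser above does not depend on it.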
On 20/04/2017 19:01, Brian Kantor wrote:
Well, the ipip router at UCSD will drop encap'd packets whose
inner source is not on network 44, and those with BOTH
inner source and destination addresses on network 44.
- Brian
On Thu, Apr 20, 2017 at 06:51:49PM +0200, Marco Di Martino wrote:
It seems that my gateway is the bad one.
I have one rule that redirects the traffic from INET addresses to 44.134.x.x
addresses back again into the tunnel to the amprgw router. It's an old
configuration and I did that to make a 44net host reachable from the Internet.
It should work only when a hostname in the Ampr.org DNS is associated with
those 44net IP addresses.
For sure there's something that I did wrong.
Is this a supported routing configuration? Or am I abusing some policies?
Later this night I will look into that. My idea is to implement some
iptables rules (thanks for sharing) in order to block unwanted traffic.
Sorry for causing this mess!
Regards,
Marco
iw2ohx
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net