Hi all,
I'm implementing this IPTABLES script:
https://www.cyberciti.biz/faq/block-entier-country-using-iptables/
It should avoid traffic coming from these attackers towards 44-net hosts belonging to my subnets.
Just some examples:
Apr 20 21:42:52 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=180.97.106.162 DST=44.134.224.50 LEN=40 TOS=0x00 PREC=0x00 TTL=231 ID=54321 PROTO=TCP SPT=36243 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT= MAC= SRC=119.28.68.144 DST=44.134.0.1 LEN=92 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=18388 SEQ=1
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=182.254.6.23 DST=44.134.160.1 LEN=84 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=21669 SEQ=4
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=119.145.248.226 DST=44.134.192.31 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=30562 PROTO=TCP SPT=1235 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=119.145.248.226 DST=44.134.192.31 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=30562 PROTO=TCP SPT=1235 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT= MAC= SRC=101.226.77.16 DST=44.134.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2294 SEQ=4
I'm blocking entire blocks from countries like China, Afghanistan, US, Brazil, Romania, Russia, Italy (why not?).
I will add at the end the bogon list that Lynwood shared. Of course, a cleanup of the Ampr.org DNS would help a lot. Definitely this is something I have to do for Italy... This issue gave me the opportunity to play again with IPTABLES after many years :)
Regards, Marco iw2ohx
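As an added example (not part of the list thread, nor of Marco's script or the cyberciti one): a small Python parser for kernel LOG lines in the format shown above. It assumes the "cn Country Drop" --log-prefix, counts drops per source and per target service, and flags any logged packet that is not Internet-to-44-net, since that is the only kind a country block on the tunnel side should be catching.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the same kernel LOG format as the lines in the mail.
SAMPLE_LOG = """\
Apr 20 21:42:52 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=180.97.106.162 DST=44.134.224.50 LEN=40 TOS=0x00 PREC=0x00 TTL=231 ID=54321 PROTO=TCP SPT=36243 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT= MAC= SRC=119.28.68.144 DST=44.134.0.1 LEN=92 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=18388 SEQ=1
Apr 20 21:42:53 ks28006 kernel: cn Country DropIN=tunl0 OUT=tun1 MAC= SRC=119.145.248.226 DST=44.134.192.31 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=30562 PROTO=TCP SPT=1235 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
"""

AMPR_NET = ip_network("44.0.0.0/8")
# The --log-prefix is glued straight onto "IN=" when it has no trailing space.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix").strip(), "FLAGS": []}
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields.setdefault(k, v)      # ICMP lines carry ID= twice; keep the IP header one
        else:
            fields["FLAGS"].append(tok)  # bare tokens such as DF, SYN
    return fields


def summarize(log_text, prefix="cn Country Drop"):
    """Count drops per source and per service; collect lines that are not Internet -> 44-net."""
    per_src, per_service, oddities = Counter(), Counter(), []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f or f["PREFIX"] != prefix:
            continue
        src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        per_src[f["SRC"]] += 1
        # TCP/UDP are keyed by destination port, ICMP by its TYPE
        per_service[f["PROTO"] + "/" + f.get("DPT", f.get("TYPE", "?"))] += 1
        if src in AMPR_NET or dst not in AMPR_NET:
            oddities.append(line)
    return per_src, per_service, oddities


if __name__ == "__main__":
    srcs, services, odd = summarize(SAMPLE_LOG)
    print(srcs.most_common(), services.most_common(), len(odd))
```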
On 20/04/2017 19:01, Brian Kantor wrote:
Well, the ipip router at UCSD will drop encap'd packets whose inner source is not on network 44, and those with BOTH inner source and destination addresses on network 44.
- Brian
On Thu, Apr 20, 2017 at 06:51:49PM +0200, Marco Di Martino wrote:
It seems that my gateway is the bad one. I have one rule that redirects the traffic from INET addresses to 44.134.x.x addresses back again into the tunnel to the amprgw router. It's an old configuration and I did that to make a 44net host reachable from the Internet. It should work only when a hostname in the Ampr.org DNS is associated with those 44net IP addresses. For sure there's something that I did wrong. Is this a supported routing configuration? Or am I abusing some policies? Later this night I will look into that. My idea is to implement some iptables rules (thanks for sharing) in order to block unwanted traffic.
Sorry for causing this mess! Regards, Marco iw2ohx
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net