Hi Marius,
Thanks for your reply.
I already have a rule to accept established/related traffic. I've added
one to the end of the forward chain as you suggested. The blocked
traffic is being logged on the router log.
/ip firewall filter
add chain=forward action=drop in-interface=ucsd-gw log=yes log-prefix=""
73
Nick.
On 10/12/2016 13:35, Marius Petrescu wrote:
You do not need to filter every tunnel.
Traffic via the tunnels comes only from their endpoints, which are all
44-net machines.
The only tunnel from which you receive traffic from non-44 sources is
the ampr-gw tunnel itself.
The best way to achieve this is to use 2 rules in the forward chain:
1. Accept established/related traffic using ampr-gw as input
interface (if you need outgoing traffic to the public internet)
2. Drop all the rest for input interface ampr-gw
If you do not want traffic to public IPs from your 44 addresses, just
drop all forwarding from/to the ampr-gw tunnel.
Marius, YO2LOJ
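The two forward-chain rules described above, written out as RouterOS 6.x commands. This is an added example, not configuration posted in the thread; it assumes the AMPR tunnel interface is named ampr-gw as in Marius's message (Nick's is ucsd-gw) and that the LAN is on ether5.

```routeros
# Added example (not from the thread). Assumes tunnel interface ampr-gw,
# LAN interface ether5. Rules are evaluated top to bottom, so the accept
# for established/related must come before the drop.
/ip firewall filter

# 1. Let replies to connections our 44-net hosts opened come back in
#    through the tunnel (needed if they talk to the public internet).
add chain=forward in-interface=ampr-gw \
    connection-state=established,related action=accept \
    comment="ampr-gw: accept return traffic"

# 2. Drop everything else arriving from the tunnel (e.g. unsolicited
#    SYNs from non-44/8 sources). Logged with a prefix so it can be
#    found in /log print.
add chain=forward in-interface=ampr-gw action=drop \
    log=yes log-prefix="ampr-drop" \
    comment="ampr-gw: drop unsolicited inbound"

# Stricter variant (instead of rule 1) if 44-net hosts should never
# reach public IPs at all: drop all forwarding to/from the tunnel.
# add chain=forward in-interface=ampr-gw action=drop
# add chain=forward out-interface=ampr-gw action=drop

# Check what the drop rule is catching:
# /log print where message~"ampr-drop"
# /ip firewall filter print stats where chain=forward
```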
On 2016-12-10 15:05, Nick G4IRX wrote:
(Please trim inclusions from previous messages)
_______________________________________________
I've recently installed Marius YO2LOJ's RIPv2 AMPR Gateway Setup Script
2.2 on a Mikrotik RB450G. RouterOS is version 6.37.3. I have
44.131.56.241 configured on the ucsd-gw interface and 44.131.56.9/29 on
ether5 for my LAN. It seems to work well and I can access 44net hosts
from a 44net machine on the LAN.
I'm filtering traffic on the WAN interface of the router to only permit
ipip traffic, however I still see traffic from outside 44/8 - mainly tcp
syn packets to port 23 appearing on the LAN. These must be coming down
via a tunnel and I'd like to filter them out. I've implemented an output
rule to permit traffic from 44/8 to 44/8 and drop everything else, and
applied this to ether5. Is there a better way to implement this? I
would like to filter on the WAN side but that would mean a firewall
input rule on every tunnel.
Thanks,
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net