Thank you to all who replied.
I have used tcpdump to check how iptables is working.
The problem is that "white noise" from bots, hackers etc. is coming in from the internet and from IP 169.228.66.251. 169.228.66.251 is the main internet router IP for the 44/8 network, and the unwanted traffic arrives via the IPIP tunnel from 169.228.66.251; for this reason a default policy of REJECT or DROP instead of ACCEPT in the firewall does not help to filter this unwanted traffic.
Please use the following syntax
tcpdump -i eth0 -n ip proto 4
where eth0 is your internet interface; you can see how many frames with source 169.228.66.251 in IPIP contain frames from bots, network scans and port scans of your local 44.xx network.
for example:
09:10:09.315252 IP 169.228.66.251 > 192.168.1.2: IP 85.234.252.133.43248 > 44.165.33.1.179: Flags [S], seq 311544230, win 14600, options [mss 1460,sackOK,TS val 7895041 ecr 0,nop,wscale 3], length 0 (ipip-proto-4)
I have tried to block this traffic by
but it is not working for me
but one problem with blocking traffic with source 169.228.66.251 is with the RIPv2 information:
09:10:06.730661 IP 169.228.66.251 > 192.168.1.2: IP 44.0.0.1.520 > 224.0.0.9.520: RIPv2, Response, length: 504 (ipip-proto-4)
for this reason I would be blocking the encap.txt table updates via ampr-ripd.
It would be nice if someone could write how to use iptables to block unwanted internet traffic via IPIP with source IP 169.228.66.251 without losing the RIPv2 information.
We are ham radio operators and we use amprnet as a hobby to run an amprnet gateway connecting our ham radio network across the internet; in most cases we only want to have links between our local radio network and other ham radio networks, and we don't need traffic from the internet (bots, hackers, users) to our local radio networks.
How to run iptables to filter out incoming traffic from the internet to our local ham radio network via IPIP?
Please remember that many local amprnet gateway admins are not professional admins and don't have a high level of knowledge about all the problems. Many amprnet gateways have problems with attacks and scans from internet users via traffic coming in from 169.228.66.251, and for this reason many local radio networks and servers are not very well protected, because many users in the local radio network run their own WWW server etc. without a high level of protection, since they run/use these servers as a hobby and not as professional services.
In my opinion the default policy on 169.228.66.251, the main 44/8 network internet router, should be set to only pass traffic between amprnet gateways and block internet traffic to amprnet gateways. If anybody would like to have incoming internet traffic to their local 44 radio network, they could for example set an additional option ON in their own gateway's properties on portal.ampr.org.
73 Waldek SP2ONG
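One way to do what the message above asks for, as an added example that is not from the original post or from any 44Net member: instead of blocking the outer proto-4 packets from 169.228.66.251 on eth0 (which would also kill the RIPv2 updates), the rules match the decapsulated inner packets on the tunnel interface. Assumptions not in the message: the tunnel interface is tunl0 (as mentioned in the quoted reply), the radio LAN sits behind this gateway, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: filter decapsulated IPIP traffic on tunl0 so scans relayed
# through 169.228.66.251 are dropped while RIPv2 from 44.0.0.1 still reaches
# ampr-ripd. Assumed: interface tunl0; IPT=echo gives a dry run.
IPT="${IPT:-iptables}"
TUN="${TUN:-tunl0}"
RIP_ROUTER="44.0.0.1"     # RIPv2 source seen in the tcpdump sample
RIP_GROUP="224.0.0.9"     # RIPv2 multicast group, UDP port 520
AMPRNET="44.0.0.0/8"      # other amprnet networks: the links we want

amprnet_rules() {
    # Own chain; both INPUT (packets for the gateway itself) and FORWARD
    # (packets for the radio LAN) send everything arriving on tunl0 to it.
    $IPT -N AMPR_IN 2>/dev/null || $IPT -F AMPR_IN
    $IPT -A INPUT   -i "$TUN" -j AMPR_IN
    $IPT -A FORWARD -i "$TUN" -j AMPR_IN
    # 1. RIPv2 route updates must stay: they feed encap.txt via ampr-ripd.
    $IPT -A AMPR_IN -p udp -s "$RIP_ROUTER" -d "$RIP_GROUP" --dport 520 -j ACCEPT
    # 2. Replies to connections opened from the radio side.
    $IPT -A AMPR_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Traffic whose inner source is another 44.x network.
    $IPT -A AMPR_IN -s "$AMPRNET" -j ACCEPT
    # 4. Anything else coming through the tunnel (the 85.234.252.133-style
    #    scans from the public internet) is logged at a low rate and dropped.
    $IPT -A AMPR_IN -m limit --limit 5/min -j LOG --log-prefix "AMPR-DROP: "
    $IPT -A AMPR_IN -j DROP
}

# Apply only when called as: sh thisfile.sh apply   (IPT=echo ... for dry run)
case "${1:-}" in
    apply) amprnet_rules ;;
esac
```

The outer IPIP packets from 169.228.66.251 are still accepted on eth0; only the inner packets that are not RIPv2, not replies and not from 44/8 are dropped.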
2016-08-20 14:29 GMT+02:00 lleachii--- via 44Net 44net@hamradio.ucsd.edu:
To add on to what Rob said.
I also considered you may be simply seeing traffic reaching the inbound side of your tunl0 interface.
This is normal, and is general Internet "white noise" from bots, misconfigured software, viruses, etc. Proper routing and firewalling will ensure that this unwanted traffic is not input/forwarded.
- KB3VWG
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net