Going through the archives, you may find posts from me long ago that mention this behavior. To refresh, I discovered double-encapsulated packets being received all the way at my AMPR LAN (I added the 'general loop' iptables rule below to prevent that). A lot of my original firewall setups in Linux through OpenWRT 15 were due to discovering the nature of running the tunnel on the same router as your home/business. I also wrote how a malicious person could send packets to your Home LAN and perhaps use it to forward packets back out your Public Interface...I was told that's impossible...BECAUSE ONLY WE HAD ACCESS TO THE IPs IN THE PORTAL! (now you see why I read Chris' emails intently...)
I first observed this and realized one logical reason was to use AMPRNet as a secondary channel to forward packets across the Internet. I surmised at some point that one day someone could resort to active means to make the network more efficient for them - either through tuning their methods, or compromising machines to better control the movement.
Many years ago, it was Team - APT1 sending RDP disconnect signals to tcp/3389 to locate Windows machines; now - it's more complex. Below are some firewall rules.
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR

# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP

# PREVENTS PACKETS WITHOUT SOURCE IP IN ASSIGNED SUBNET FROM EXITING AMPRLAN
iptables -t raw -I PREROUTING ! -s 44.60.44.0/24 -i br-amprnet -j DROP

# PREVENTS IP SOURCE ADDRESS SPOOFING FROM YOUR INTERFACE
# SEE: https://tools.ietf.org/html/bcp38
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD ACCEPT RULES UNDER THIS LINE TO MAKE EXCEPTIONS
iptables -I FORWARD ! -s 44.60.44.0/24 -o tunl0 -j DROP

############################################################
# THIS PREVENTS NESTED IPENCAP (protocol 4 arriving already decapsulated on tunl0)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
On 04/19/2017 06:04 PM, lleachii@aol.com wrote:
Can someone send me a few lines for iptables that would allow me to drop ipip packets whose inner source addresses are "non-44's"? Much appreciated… jerome - ve7ass
And some bogon lists as well:
# BOGON LIST
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
# THE SET MUST EXIST BEFORE ADDING ENTRIES
ipset create bogons hash:net
ipset -A bogons 0.0.0.0/8
ipset -A bogons 10.0.0.0/8
ipset -A bogons 100.64.0.0/10
ipset -A bogons 127.0.0.0/8
ipset -A bogons 169.254.0.0/16
ipset -A bogons 172.16.0.0/12
ipset -A bogons 192.0.0.0/24
ipset -A bogons 192.0.2.0/24
ipset -A bogons 192.168.0.0/16
ipset -A bogons 198.18.0.0/15
ipset -A bogons 198.51.100.0/24
ipset -A bogons 203.0.113.0/24
ipset -A bogons 224.0.0.0/4
ipset -A bogons 240.0.0.0/4
# OUR OWN SUBNET AND 44.128/16 SHOULD NEVER ARRIVE AS A SOURCE FROM OUTSIDE
ipset -A bogons 44.60.44.0/24
ipset -A bogons 44.128.0.0/16

# DROP BOGON SOURCES ON THE PUBLIC INTERFACE AND ON THE TUNNEL
iptables -t raw -I PREROUTING -i eth0.2 -m set --match-set bogons src -j DROP
iptables -t raw -I PREROUTING -i tunl0 -m set --match-set bogons src -j DROP
- Lynwood KB3VWG
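As an added illustration of the policy the rules above express (and of the inner-source check jerome asked about), here is a small Python classifier, not part of the original thread, that parses an IPENCAP packet as seen on the public interface and returns the verdict the rules would give: nested IPENCAP, our own 44.60.44.0/24 arriving as an inner source, and inner sources outside 44/8 are dropped. The assumption that all of 44.0.0.0/8 counts as AMPR, the outer addresses and the test packets are constructed for the example.

```python
import ipaddress
import struct

ASSIGNED_SUBNET = ipaddress.ip_network("44.60.44.0/24")  # subnet from the post
AMPR_NET = ipaddress.ip_network("44.0.0.0/8")             # assumed: 44/8 is AMPR
IPENCAP = 4                                               # IP protocol number for IP-in-IP


def parse_ipv4(buf):
    """Return (src, dst, proto, payload) for one IPv4 header, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4            # header length in bytes, options included
    if ihl < 20 or len(buf) < ihl:
        return None
    proto = buf[9]
    src = ipaddress.ip_address(buf[12:16])
    dst = ipaddress.ip_address(buf[16:20])
    return src, dst, proto, buf[ihl:]


def classify_ipip(buf):
    """Verdict for a packet arriving on the public interface, mirroring the post's rules."""
    outer = parse_ipv4(buf)
    if outer is None:
        return "DROP: malformed outer header"
    _, _, proto, payload = outer
    if proto != IPENCAP:
        return "ACCEPT: not IPENCAP"      # not tunnel traffic; other rules decide
    inner = parse_ipv4(payload)
    if inner is None:
        return "DROP: malformed inner header"
    isrc, _, iproto, _ = inner
    if iproto == IPENCAP:
        return "DROP: nested IPENCAP"     # the '-p 4 -i tunl0' rule
    if isrc in ASSIGNED_SUBNET:
        return "DROP: inner source is our own subnet (spoofed)"  # bogon set entry
    if isrc not in AMPR_NET:
        return "DROP: inner source not in 44/8"                  # jerome's request
    return "ACCEPT"


def build_ipv4(src, dst, proto, payload):
    """Constructed test packet: minimal 20-byte header, checksum left at zero."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload
```

Wrap the inner packet in an outer header with proto 4 via build_ipv4 and feed the result to classify_ipip to see each verdict.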