Please keep in mind, though, that the malicious traffic I observed did not originally come from AMPRGW. I originally observed the nested IPENCAP traffic from a Polish public IP that is still currently registered as an AMPRNet gateway.
As you know, in later Linux kernels it became more difficult to see the outer header of the IPIP packet in a firewall rule handling the tunneled traffic. To circumvent that, a couple of years ago I added a rule to the firewall that sets a packet mark on traffic received from AMPRGW (matching the source IP in the outer header). This packet mark can then be checked in the firewall for the tunneled traffic. Source addresses outside AMPRNet are only accepted when the packet mark is set.

Unfortunately this breaks legitimate traffic, because some gateways are incorrectly configured (as I mentioned before) and send tunneled traffic with their own external address as source address, instead of the AMPRNet address assigned to the gateway. So such traffic is accepted here as well (i.e. traffic with a source address of one of the gateways).
We really should abandon the IPIP tunnel mesh and move on to something a bit more secure (and easier to use on modern equipment)...
Rob
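As an added illustration (not Rob's own ruleset, and not anything published by the AMPRNet project), the mark-then-check scheme described in the message above can be written as an nftables ruleset like the one below. Everything in it is a placeholder to be replaced with the reader's real values: the AMPRGW address (a documentation address here), the external and tunnel interface names, the set of gateway external addresses whose misconfigured senders are tolerated, and the AMPRNet prefix, written as the historical 44.0.0.0/8 and to be adjusted to the prefixes actually in use.

```nft
# Added example: mark outer IPIP packets from AMPRGW, then check the mark on
# the decapsulated (inner) packets. All addresses and interface names below
# are placeholders (assumptions), not values from the original message.

define AMPRGW    = 192.0.2.1        # placeholder: outer source address of AMPRGW
define AMPRNET   = 44.0.0.0/8       # placeholder: adjust to the current AMPRNet prefixes
define EXT_IF    = "eth0"           # placeholder: interface that receives the IPIP packets
define TUN_IF    = "tunl0"          # placeholder: interface on which decapsulated packets appear

table inet ampr {
    # External addresses of gateways known to send tunneled traffic with their
    # own public address as inner source (placeholders; fill from the gateway list).
    set gateway_ext {
        type ipv4_addr
        elements = { 198.51.100.7, 203.0.113.22 }
    }

    # Runs before decapsulation, so the outer IPv4 header is still visible here.
    # Protocol 4 is IPENCAP (IPIP). The packet mark is kept by the kernel when
    # the inner packet is reinjected in the same network namespace.
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        iifname $EXT_IF ip protocol 4 ip saddr $AMPRGW meta mark set 1
    }

    # Policy for decapsulated packets, shared by locally delivered and forwarded traffic.
    chain from_tunnel {
        ip saddr $AMPRNET accept              # inner source inside AMPRNet: always fine
        meta mark 1 accept                    # non-AMPRNet source, but it arrived via AMPRGW
        ip saddr @gateway_ext accept          # tolerate misconfigured gateways (see message)
        counter drop                          # anything else: nested/spoofed traffic
    }

    chain input {
        type filter hook input priority 0; policy accept;
        iifname $TUN_IF jump from_tunnel
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname $TUN_IF jump from_tunnel
    }
}
```

Load it with `nft -f` and watch the `counter` on the final drop rule to see how much traffic the policy rejects. Note that this relies on the packet mark (`meta mark`), not the connection mark: conntrack state is reset when the tunnel reinjects the inner packet, so a `ct mark` set on the outer packet would not be visible on the decapsulated one, whereas the skb mark is preserved. The `gateway_ext` set is exactly the hole the message describes: a packet whose inner source is a gateway's external address is accepted regardless of where the outer packet came from.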