Hi,
I have been monitoring traffic coming in via the tunnel and am a bit shocked how much bogus (?) traffic comes in from non-44 addresses.
I have these rules in my firewall script:
/usr/sbin/iptables -P INPUT DROP
# Drop all traffic coming from Internet addresses via the tunnel to PE1ICQnet, except port 8000:8001 to raspberry pi (Dire Wolf).
/usr/sbin/iptables -A INPUT -i ampr0 -s 44.0.0.0/8 -d 44.137.27.123 -p tcp -m multiport --dport 8000:8001 -j ACCEPT
/usr/sbin/iptables -A INPUT -i ampr0 ! -s 44.0.0.0/8 -d 44.137.27.112/28 -j DROP
When I monitor traffic on the tunnel interface with
tcpdump -i ampr0 -vvn
then I see a lot of traffic like this:
15:47:54.172385 IP (tos 0x0, ttl 51, id 60643, offset 0, flags [none], proto ICMP (1), length 98)
119.206.12.19 > 44.137.27.125: ICMP 119.206.12.19 udp port 53 unreachable, length 78
IP (tos 0x28, ttl 234, id 31771, offset 0, flags [DF], proto UDP (17), length 70)
44.137.27.125.29327 > 119.206.12.19.53: [udp sum ok] 31771+ A? ocektarhe.www.2015yf.com. (42)
Remarkable, because at the moment I do not even have IP address 44.137.27.125 in use on the LAN.
How do I need to interpret the above traffic dump? Is it because 44.137.27.125 is spoofed? Is it an attack using bogus domain resolving? (I see a lot of variants in the 2015yf.com domain)
Basically, my question is, should I worry? ;-)
73 PE1ICQ // Arno
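An added example (not from this thread) of how to read such a dump mechanically: it parses the tcpdump -vvn records, pulls the source address and query name out of the datagram quoted inside each ICMP port-unreachable, and counts the ones whose quoted source is a 44/8 address that this gateway does not actually use. The sample records are constructed in the same layout as the one above; the list of addresses in use is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in tcpdump -vvn layout (a TCP record added to show non-ICMP records are skipped).
SAMPLE = """\
15:47:54.172385 IP (tos 0x0, ttl 51, id 60643, offset 0, flags [none], proto ICMP (1), length 98)
    119.206.12.19 > 44.137.27.125: ICMP 119.206.12.19 udp port 53 unreachable, length 78
    IP (tos 0x28, ttl 234, id 31771, offset 0, flags [DF], proto UDP (17), length 70)
    44.137.27.125.29327 > 119.206.12.19.53: [udp sum ok] 31771+ A? ocektarhe.www.2015yf.com. (42)
15:47:55.001000 IP (tos 0x0, ttl 51, id 60644, offset 0, flags [none], proto ICMP (1), length 98)
    203.0.113.7 > 44.137.27.125: ICMP 203.0.113.7 udp port 53 unreachable, length 78
    IP (tos 0x28, ttl 234, id 31772, offset 0, flags [DF], proto UDP (17), length 70)
    44.137.27.125.40001 > 203.0.113.7.53: [udp sum ok] 31772+ A? qwe.www.2015yf.com. (42)
15:47:56.500000 IP (tos 0x0, ttl 60, id 100, offset 0, flags [DF], proto TCP (6), length 60)
    44.137.40.5.50000 > 44.137.27.123.8000: Flags [S], seq 1, win 64240, length 0
"""

HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")
OUTER = re.compile(r"^\s*(\S+) > (\S+): ICMP \S+ (\w+) port (\d+) unreachable")
INNER = re.compile(r"^\s*(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):(?:.*? (\w+)\? (\S+))?")
AMPR = ipaddress.ip_network("44.0.0.0/8")

def parse_unreachables(text):
    """One dict per ICMP port-unreachable record. inner_* comes from the quoted
    datagram the remote host says it received, whose source may be forged."""
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        m = HDR.match(lines[i]) and i + 3 < len(lines) and OUTER.match(lines[i + 1])
        n = m and INNER.match(lines[i + 3])
        if n:
            out.append({"reporter": m.group(1), "victim": m.group(2),
                        "inner_src": n.group(1), "inner_dport": int(n.group(4)),
                        "qname": n.group(6)})
            i += 4  # header, ICMP line, quoted header, quoted datagram
        else:
            i += 1
    return out

def backscatter_summary(text, in_use):
    """Count unreachables whose quoted packet claims a 44/8 source we do not use:
    such a packet cannot have left this gateway, so we see only backscatter."""
    in_use = {ipaddress.ip_address(a) for a in in_use}  # assumed list of our live hosts
    spoofed_src, domains = Counter(), Counter()
    for r in parse_unreachables(text):
        src = ipaddress.ip_address(r["inner_src"])
        if src in AMPR and src not in in_use:
            spoofed_src[r["inner_src"]] += 1
            if r["qname"]:  # fold the query name down to its registrable domain
                domains[".".join(r["qname"].rstrip(".").split(".")[-2:])] += 1
    return spoofed_src, domains
```

Feed it `tcpdump -i ampr0 -vvn` output piped to a file; a high count for an address you do not run, all pointing at one domain, is the signature of someone else's spoofed DNS queries bouncing off third-party resolvers.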
Hello Arno.
In my Debian 7.7.0 gateway I use such rules for all amprnet interfaces:
-A INPUT ! -s 44.0.0.0/8 -i tunl0 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i tun0 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i tun1 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i tun2 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i sl0 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i sl1 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i sl2 -j DROP
I do not use the -d <IP> (destination address) option at all.
Result: ZERO non-44-net traffic!
Best regards.