I've sorted the source address and am now originating with a source
address of 44.131.14.255.
Now I can ping those two other mentioned addresses.
I guess this also highlights another issue: does anyone have a pointer
to the correct way to set up filters for this? I have added some quick
rules to prevent my gateway being a public IP relay, but it looks like
many others have not. I am not sure of the correct way to configure these
filters for the general use case. I should now be discarding all
packets that don't have a source or destination within my network, but
I do not check for spoofing beyond that. This should be "good enough"?
Clearly, others have gone further.
Well, what I have done up to now is a filter to allow IPIP traffic only
from registered IPIP tunnel hosts, but no further. There is no strict
"reverse path" checking yet, so anyone with a registered tunnel could in
fact spoof traffic for any source IP. Maybe I'll fix that later, but
for now I have decided to allow traffic that may be routed somewhere else
and then forwarded in a tunnel. The main purpose of the filter is to keep
out the opportunists on the Internet that could try to get around a
firewall using tricky tunneled packets, not to regulate what the AMPRnet
users can do.
(I have seen examples of unwanted IPIP traffic, and lately GRE is a popular
target as well, so similar filters are in place to allow GRE only from
locally registered GRE endpoints.)
The filter is done as a -x script called by ampr-ripd when it updates the
route table. The script is like this:
#!/bin/sh
# script called by ampr-ripd (its -x option) when it updates the route table:
# load the tunnel endpoints from encap.txt into the "ipipfilter" chain
AMPRGW="169.228.66.251"
gwfile="/dev/shm/gw"
cd /var/lib/ampr-ripd || exit 1
# one unique endpoint address per line; $AMPRGW is kept out of this list
# because the chain listing below drops it as well, otherwise the diff
# would re-insert it on every run
grep addprivate encap.txt | sed -e 's/.*encap //' | grep -Fv "$AMPRGW" | sort -u >"$gwfile"
if iptables -N ipipfilter 2>/dev/null
then
    # the chain did not exist yet: build it from scratch
    iptables -F ipipfilter
    iptables -A ipipfilter -s "$AMPRGW" -j ACCEPT
    while read -r ip
    do
        iptables -A ipipfilter -s "$ip" -j ACCEPT
    done <"$gwfile"
    # everything else falls through to LOGREJECT (a chain defined elsewhere
    # in the firewall)
    iptables -A ipipfilter -j LOGREJECT
else
    # the chain exists: diff the current ACCEPT sources against the new
    # list and only insert (">") or delete ("<") what changed, so the
    # counters of the unchanged rules survive; diff's "NaM" lines hit *)
    iptables -L ipipfilter -n | grep ACCEPT | grep -Fv "$AMPRGW" | \
        sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - "$gwfile" | \
    while read -r d ip
    do
        case "$d" in
        ">")
            iptables -I ipipfilter -s "$ip" -j ACCEPT
            ;;
        "<")
            iptables -D ipipfilter -s "$ip" -j ACCEPT
            ;;
        *)
            ;;
        esac
    done
fi
rm -f "$gwfile"
This updates the "ipipfilter" chain that is used in the input firewall like
this:
iptables -A firewall -p 4 -j ipipfilter
I use this method to have some statistics of traffic per endpoint as well;
when you don't need that, it would be better to use ipset to maintain an
address set that is matched by a single iptables line.
Rob
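The ipset variant mentioned at the end of the post, written out as an added
example. This is not Rob's script and not part of ampr-ripd; it assumes that
ipset and iptables are installed, that the "firewall" input chain and the
LOGREJECT chain exist as in the script above, and that encap.txt lines look
like "route addprivate 44.x.x.x/nn encap <endpoint>" (inferred from the
grep/sed in the script above). The set name "ipipgw" and the constructed
sample encap.txt are assumptions. The list is loaded into a temporary set
and swapped into place, so the live set is never half-filled while ampr-ripd
is updating it.

```sh
#!/bin/sh
# Added example: the ipipfilter idea done with ipset instead of one ACCEPT
# rule per endpoint. Not Rob's script and not part of ampr-ripd.
# Assumed: ipset and iptables are installed, the "firewall" input chain and
# the LOGREJECT chain exist as in the original script, and encap.txt lines
# look like "route addprivate 44.x.x.x/nn encap <endpoint>" (inferred from
# the grep/sed in the original script). The set name is an assumption.

SETNAME="ipipgw"
AMPRGW="169.228.66.251"   # the AMPR gateway, as in the original script

# Constructed sample of an encap.txt file, only used for the dry run below.
sample_encap() {
    cat <<'EOF'
route addprivate 44.131.14.0/24 encap 203.0.113.5
route addprivate 44.131.15.0/24 encap 203.0.113.5
route addprivate 44.10.0.0/16 encap 198.51.100.7
EOF
}

# Read encap.txt on stdin, write the unique endpoint addresses, one per line.
extract_gateways() {
    grep addprivate | sed -e 's/.*encap //' | sort -u
}

# Read endpoint addresses on stdin and write an "ipset restore" stream that
# fills the temporary set "<name>_tmp"; $1 is the name of the live set.
# "-exist" makes the create harmless if a previous run left the set behind,
# the flush then empties it before the new entries are added.
build_restore() {
    tmp="${1}_tmp"
    printf 'create %s hash:ip -exist\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    while read -r ip
    do
        if [ -n "$ip" ]
        then
            printf 'add %s %s\n' "$tmp" "$ip"
        fi
    done
}

# Rebuild the set from an encap.txt file ($1) and make sure the two hook
# rules exist once (iptables -C checks before -A appends).
apply_filter() {
    encap_file="$1"
    ipset create "$SETNAME" hash:ip -exist
    { printf '%s\n' "$AMPRGW"; extract_gateways <"$encap_file"; } \
        | build_restore "$SETNAME" | ipset restore
    # swap is atomic: packets match either the old set or the new one
    ipset swap "${SETNAME}_tmp" "$SETNAME"
    ipset destroy "${SETNAME}_tmp"
    # IPIP (protocol 4) only from registered endpoints, the rest to LOGREJECT
    iptables -C firewall -p 4 -m set --match-set "$SETNAME" src -j ACCEPT 2>/dev/null \
        || iptables -A firewall -p 4 -m set --match-set "$SETNAME" src -j ACCEPT
    iptables -C firewall -p 4 -j LOGREJECT 2>/dev/null \
        || iptables -A firewall -p 4 -j LOGREJECT
}

# "--apply [FILE]" rebuilds the set from FILE (needs root); with no
# arguments only the restore stream for the constructed sample is printed.
case "${1:-}" in
    --apply)
        apply_filter "${2:-/var/lib/ampr-ripd/encap.txt}"
        ;;
    *)
        sample_encap | extract_gateways | build_restore "$SETNAME"
        ;;
esac
```

Run without arguments it prints the restore stream for the sample (one add
line per unique endpoint), which is a convenient way to check the parsing
before pointing it at the real encap.txt with "--apply". The GRE filter
mentioned above is the same thing with a second set of GRE endpoints and
"-p 47" in the two hook rules. If per-endpoint statistics are still wanted,
recent ipset versions accept a "counters" option on "create", after which
"ipset list" shows packets and bytes per entry.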