I've sorted the source address and am now originating with a source address of 44.131.14.255.
Now I can ping those two other mentioned addresses.
I guess this also highlights another issue, does anyone have a pointer to the correct way to set up filters for this? I have added some quick rules to prevent my gateway being a public IP relay, but it looks like many others have not. I am not sure the correct way to configure these filters for the general use case. I should now be discarding all packets that don't have a source or destination within my network, but I do not check for spoofing beyond that. This should be "good enough"? Clearly, others have gone further.
Well, what I have done up to now is a filter to allow IPIP traffic only from registered IPIP tunnel hosts, but no further. There is no strict "reverse path" checking yet, so anyone with a registered tunnel could in fact spoof traffic for any source IP. Maybe I'll fix that later, but for now I decide to allow traffic that may be routed somewhere else and then forwarded in a tunnel. The main purpose of the filter is to keep out the opportunists on the Internet that could try to get around a firewall using tricky tunneled packets, not to regulate what the AMPRnet users can do. (I have seen examples of unwanted IPIP traffic, and lately GRE is a popular target as well, so similar filters are in place to allow GRE only from locally registered GRE endpoints.)
The filter is done as a -x script called by ampr-ripd when it updates the route table. The script is like this:
#!/bin/sh
# script called when ampr-ripd updates route table
# load encap.txt into ipipfilter list

AMPRGW="169.228.66.251"
gwfile="/dev/shm/gw"

cd /var/lib/ampr-ripd || exit 1

# collect the unique tunnel endpoint addresses from encap.txt
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

if iptables -N ipipfilter 2>/dev/null
then
    # chain did not exist yet: build it from scratch
    iptables -F ipipfilter
    iptables -A ipipfilter -s $AMPRGW -j ACCEPT
    while read ip
    do
        iptables -A ipipfilter -s $ip -j ACCEPT
    done <$gwfile
    # LOGREJECT is a user-defined chain (log and reject) set up elsewhere
    iptables -A ipipfilter -j LOGREJECT
else
    # chain exists: diff the currently accepted sources against the new
    # list and only add/delete the entries that changed
    # (the "-- *" pattern tolerates the variable whitespace in -L -n output)
    iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
        sed -e 's/.*-- *//' -e 's/ .*//' | sort | diff - $gwfile | \
        while read d ip
        do
            case "$d" in
            ">") iptables -I ipipfilter -s $ip -j ACCEPT ;;
            "<") iptables -D ipipfilter -s $ip -j ACCEPT ;;
            *) ;;
            esac
        done
fi

rm -f $gwfile
This updates the "ipipfilter" chain that is used in the input firewall like this:
iptables -A firewall -p 4 -j ipipfilter
I use this method to have some statistics of traffic per endpoint as well; when you don't need that, it would be better to use ipset to maintain an address set to be matched by a single iptables line.
Rob
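The ipset variant suggested above, as an added example (not Rob's script and not part of ampr-ripd): the endpoint list is rebuilt into a fresh set and swapped in atomically, so a single iptables rule matches all registered tunnel hosts, and the set's per-entry counters keep the per-endpoint statistics. The set names "ipipgw"/"ipipgw_new" and the sample encap.txt lines (TEST-NET addresses) are constructed for this illustration.

```shell
#!/bin/sh
# Added example: maintain registered IPIP endpoints in an ipset instead of
# one iptables rule per host. Set names and sample data are assumptions.
AMPRGW="169.228.66.251"
SET="ipipgw"

# Constructed sample in the format ampr-ripd writes (TEST-NET addresses,
# not real endpoints; one endpoint appears twice on purpose).
# Usage: write_sample_encap <file>
write_sample_encap() {
    cat >"$1" <<'EOF'
route addprivate 44.131.14.0/24 encap 192.0.2.10
route addprivate 44.131.15.0/24 encap 198.51.100.7
route addprivate 44.24.0.0/16 encap 192.0.2.10
EOF
}

# Unique tunnel endpoint addresses from the "encap <ip>" field.
# Usage: gateways_from_encap <encap.txt>
gateways_from_encap() {
    grep addprivate "$1" | sed -e 's/.*encap //' -e 's/[[:space:]]*$//' | sort -u
}

# Emit an "ipset restore" script: build a new set with per-entry counters,
# then swap it in and drop the old one, so the filter never has a gap.
# Usage: ipset_restore_script <encap.txt>
ipset_restore_script() {
    printf 'create %s_new hash:ip counters\n' "$SET"
    printf 'add %s_new %s\n' "$SET" "$AMPRGW"
    gateways_from_encap "$1" | while read -r ip; do
        printf 'add %s_new %s\n' "$SET" "$ip"
    done
    printf 'swap %s_new %s\ndestroy %s_new\n' "$SET" "$SET" "$SET"
}

# Apply on a real gateway (needs root, ipset and iptables). Only the
# single set match is needed in the input chain; LOGREJECT is the
# log-and-reject chain from the setup above.
# Usage: apply_filter <encap.txt>
apply_filter() {
    ipset -exist create "$SET" hash:ip counters
    ipset_restore_script "$1" | ipset -exist restore
    iptables -C firewall -p 4 -m set --match-set "$SET" src -j ACCEPT 2>/dev/null ||
        iptables -A firewall -p 4 -m set --match-set "$SET" src -j ACCEPT
    iptables -C firewall -p 4 -j LOGREJECT 2>/dev/null ||
        iptables -A firewall -p 4 -j LOGREJECT
}
```

Per-endpoint packet and byte counts are then visible with `ipset list ipipgw`.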