iptables -I FORWARD ! -s 44.0.0.0/8 -i tunl0 -j DROP
iptables -I INPUT ! -s 44.0.0.0/8 -i tunl0 -j DROP
"If the source address of packets entering tunl0 doesn't equal AMPRNet, DROP them."
The problem with that is that it will also drop the legitimate internet traffic that
is coming in via the gateway. So, when you want connectivity to/from internet, it has
to be more complicated than that. You will need to put a rule in the mangle table for
protocol 4 traffic arriving from the gateway, and add some packet mark to the packet,
then in the above rule you exclude the packets with that mark.
Like this:
iptables -t mangle -A PREROUTING -p 4 -s 169.228.66.251 -j MARK --set-mark 1
and in the above rules add before the -j:
-m mark ! --mark 1
When you are inside a BGP routed subnet that also is on the tunnel mesh (like 44.137.0.0/16)
you will have to change the 169.228.66.251 to the address of your local gateway.
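The two steps above combined into one script (an added example, not from Rob's post): it prints the mangle rule for the gateway's protocol-4 packets followed by the two DROP rules with the mark exclusion already in place, so the whole set can be reviewed before being applied as root. The gateway address is a parameter, defaulting to the one in the post; the script name ampr_rules.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): emit the complete tunl0 filtering ruleset.
#   1. mangle/PREROUTING marks IP-in-IP (protocol 4) packets coming from the gateway
#   2. INPUT and FORWARD drop tunl0 packets whose source is outside AMPRNet,
#      unless they carry that mark (i.e. arrived via the gateway)
# Nothing is applied here; review the output, then run it as root:
#   sh ampr_rules.sh | sh
# Inside a BGP-routed subnet on the mesh, pass your local gateway instead:
#   sh ampr_rules.sh 44.137.0.1 | sh        (44.137.0.1 is a constructed example)

AMPR_NET="44.0.0.0/8"   # AMPRNet, the only legitimate source inside the tunnels

# ampr_rules [GATEWAY_IP]  -> prints the iptables commands, one per line
ampr_rules() {
    gw="${1:-169.228.66.251}"   # default: the gateway address quoted in the post

    # Step 1: mark protocol-4 (tunneled) packets that come from the gateway.
    echo "iptables -t mangle -A PREROUTING -p 4 -s $gw -j MARK --set-mark 1"

    # Step 2: drop non-AMPRNet sources on tunl0, excluding marked (gateway) packets.
    # '-m mark ! --mark 1' sits before '-j', as the post instructs.
    for chain in INPUT FORWARD; do
        echo "iptables -I $chain ! -s $AMPR_NET -i tunl0 -m mark ! --mark 1 -j DROP"
    done
}

# Print the ruleset when the file is run directly as ampr_rules.sh.
[ "${0##*/}" = "ampr_rules.sh" ] && ampr_rules "$@"
```

The marked packets are still internet traffic relayed by the gateway, so this only distinguishes the gateway path; it does not make those packets trustworthy.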
And of course, now you make yourself vulnerable again for dedicated attacks that spoof the
address of the gateway to send tunneled packets. So it remains mandatory to treat the
traffic received via the tunnels as hostile from-internet traffic!
Rob