RE: why packet get through the netfilter even if i drop all in FORWARD

IPSEC usually creates a device called ipsec0.
Your rule specifically says "-i eth0 -o eth1" and doesn't say anything about ipsec0 etc.
Once your tunnel comes up, the routes for the other network reroute via the ipsec0 device and bypass your forward rule.
 
-----Original Message-----
From: Calvin [mailto:calvinproject@xxxxxxxxxxx]
Sent: Sunday, June 08, 2003 4:07 PM
To: netfilter-devel-request@xxxxxxxxxxxxxxxxxxx; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: why packet get through the netfilter even if i drop all in FORWARD

Dear all,
 
I've got a funny problem here and have no idea why it happens.
My simple network is:
A
 |(eth0)
GWa
||(eth1)
||
||(eth1)
GWb
|(eth0)
 
I am running netfilter with freeswan. I added a rule in the FORWARD chain to drop all packets forwarded from the
internal interface (eth0) to the public interface (eth1):
    iptables -A FORWARD -i eth0 -o eth1 -j DROP
 
It works fine: when I try to ping GWb's eth0 from machine A, it gets blocked.
 
However, once I start up IPSEC and do the ping again, A can ping GWb's eth0. The rule in the FORWARD chain is still there.
 
Why does this happen? Is there any way I can fix this?
 
Thanks very much
Calvin
 
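A small Python model of the mechanism described in the reply (an added example, not code from the thread or from netfilter/FreeS/WAN): the routing decision picks the output device, a FORWARD rule matches on that device, and once the tunnel installs a route via ipsec0 the "-i eth0 -o eth1" rule no longer fires. Interface names, addresses and the ipsec0 route are assumed for illustration.

```python
# Constructed model of netfilter FORWARD matching on GWa. Hypothetical
# addressing: machine A lives on 10.1.0.0/16 behind eth0; GWb's inside
# network 10.2.0.0/16 is reached via eth1, or via ipsec0 once the IPsec
# tunnel is up (FreeS/WAN installs that route, as the reply explains).
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]   # -i <dev>; None means any input device
    out_if: Optional[str]  # -o <dev>; None means any output device
    target: str            # DROP or ACCEPT


def route(dst: str, tunnel_up: bool) -> str:
    """Routing decision: which device will carry a packet for dst."""
    if dst.startswith("10.1."):
        return "eth0"
    if dst.startswith("10.2.") and tunnel_up:
        return "ipsec0"          # tunnel route shadows the eth1 route
    return "eth1"


def forward(rules: List[Rule], in_if: str, dst: str,
            tunnel_up: bool, policy: str = "ACCEPT") -> str:
    """First matching FORWARD rule wins; otherwise the chain policy."""
    out_if = route(dst, tunnel_up)
    for r in rules:
        if r.in_if not in (None, in_if):
            continue
        if r.out_if not in (None, out_if):
            continue
        return r.target
    return policy


def as_iptables(r: Rule) -> str:
    """Render a Rule as the equivalent iptables command line."""
    parts = ["iptables -A FORWARD"]
    if r.in_if:
        parts.append(f"-i {r.in_if}")
    if r.out_if:
        parts.append(f"-o {r.out_if}")
    parts.append(f"-j {r.target}")
    return " ".join(parts)


# The rule from the original post, and the same set with ipsec0 covered too.
ORIGINAL_RULES = [Rule("eth0", "eth1", "DROP")]
FIXED_RULES = ORIGINAL_RULES + [Rule("eth0", "ipsec0", "DROP")]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for up in (False, True):
            verdict = forward(rules, "eth0", "10.2.0.1", tunnel_up=up)
            print(f"{name:8} tunnel_up={up!s:5} -> {verdict}")
```

Run as-is it prints the verdict for the ping from A to GWb's inside address with and without the tunnel, for both rule sets.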
