IPSEC usually creates a device called ipsec0. Your rules specifically say
"-i eth0 -o eth1" and don't say anything about ipsec0 etc. Once your tunnel
comes up, the routes for the other network reroute via the ipsec0 device and
bypass your forward rule.
-----Original Message-----
From: Calvin [mailto:calvinproject@xxxxxxxxxxx]
Sent: Sunday, June 08, 2003 4:07 PM
To: netfilter-devel-request@xxxxxxxxxxxxxxxxxxx; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: why packet get through the netfilter even if i drop all in FORWARD

Dear all,
I've got a funny problem here and have no idea why it happens.
My simple network is:
A
|(eth0)
GWa
||(eth1)
||
||(eth1)
GWb
|(eth0)
I'm running netfilter with FreeS/WAN. I added a rule in the FORWARD chain to
drop all packets forwarded from the internal iface (eth0) to the public
iface (eth1):
iptables -A FORWARD -i eth0 -o eth1 -j DROP
It works fine: when I try to ping GWb's eth0 from machine A, it gets blocked.
However, once I start up IPSEC and ping again, A can ping GWb's eth0. The rule
in the FORWARD chain is still there.
Why does this happen? Is there any way I can fix this?
Thanks very much
Calvin
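The explanation in the reply above, as an added example that is not part of the thread: a small Python model of FORWARD-chain interface matching (the `+` prefix wildcard is real iptables syntax; the chain contents, the `ipsec0` route switch and the `ipsec+` fix rule are assumptions made here for illustration).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One FORWARD rule: -i <in_if> -o <out_if> -j <target> (None = unspecified)."""
    in_if: Optional[str]
    out_if: Optional[str]
    target: str


def iface_match(pattern: Optional[str], name: str) -> bool:
    """iptables interface matching: exact name, or prefix match when the pattern ends in '+'."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def forward_verdict(chain: List[Rule], in_if: str, out_if: str, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if iface_match(rule.in_if, in_if) and iface_match(rule.out_if, out_if):
            return rule.target
    return policy


def out_device(tunnel_up: bool) -> str:
    """Constructed routing decision for GWb's network: FreeS/WAN reroutes it via ipsec0 once the tunnel is up."""
    return "ipsec0" if tunnel_up else "eth1"


# The rule from the question: it only matches packets leaving via eth1.
ORIGINAL = [Rule("eth0", "eth1", "DROP")]

# Constructed fix: also drop eth0 -> ipsec* traffic ('ipsec+' matches ipsec0, ipsec1, ...).
FIXED = ORIGINAL + [Rule("eth0", "ipsec+", "DROP")]


def ping_verdict(chain: List[Rule], tunnel_up: bool) -> str:
    """Verdict for a ping from A (enters GWa on eth0) towards GWb's eth0."""
    return forward_verdict(chain, "eth0", out_device(tunnel_up))


if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL), ("fixed", FIXED)):
        for up in (False, True):
            print(f"{label:8} tunnel_up={up!s:5} out={out_device(up):6} -> {ping_verdict(chain, up)}")
```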