Hello,

Can you not check the protocol of a forward packet and if encrypted send to a user chain:

iptables -N EXTnoipsec
iptables -N EXTyesipsec
iptables -A INPUT -i ext -p 50 -j EXTyesipsec
iptables -A INPUT -i ext ! -p 50 -j EXTnoipsec

Michael

On Tue, 16 Dec 2003 00:55:41 +0100 (CET) Sven-Haegar Koch <haegar@xxxxxxxxx> wrote:

> On Mon, 15 Dec 2003, Antony Stone wrote:
>
> > On Sunday 14 December 2003 10:30 pm, Peter Hoeg wrote:
> >
> > > The REAL problem is since I need to allow connections from the
> > > wireless LAN segment to go onto the internet and it seems like the
> > > connections only hit the FORWARD chain AFTER the kernel has done
> > > all its magic with unpacking the encrypted packages. What I would
> > > like to do is something like:
> >
> > I have used IPtables + FreeS/WAN a fair amount, and I created a
> > diagram some time ago which showed the (surprisingly complex) route
> > packets take through the system when you have such a combination.
>
> FreeS/WAN is different than the in-kernel IPsec of 2.6
>
> > 2. The packet gets processed by the Klips kernel-level IPsec module,
> > gets decrypted, and appears on the ipsec0 virtual interface.
>
> The in-kernel ipsec does not have an ipsec0 virtual interface, that is
> where the problem comes from - I don't see a way yet to distinguish
> decapsulated ipsec traffic from eth0 to eth1 from raw traffic between
> the two interfaces.
>
> c'ya
> sven
>
> --
>
> The Internet treats censorship as a routing problem, and routes around
> it. (John Gilmore on http://www.cygnus.com/~gnu/)
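As an added example that is not part of the thread, the script below emits the ESP-protocol split Michael describes for INPUT together with the policy match (xt_policy) that later 2.6 kernels added, which is what lets FORWARD tell decapsulated packets from raw ones on the native IPsec stack. The interface names "ext" and "int" are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the external interface is
# "ext" (as in Michael's reply) and the wireless LAN sits behind "int".
EXT=${EXT:-ext}
INT=${INT:-int}

# Emit the ruleset on stdout instead of applying it, so it can be reviewed
# first and then piped to sh as root:  ./ipsec-chains.sh | sh
ipsec_rules() {
  cat <<EOF
iptables -N EXTyesipsec
iptables -N EXTnoipsec
# Outer ESP packets (IP protocol 50) are addressed to this host, so they
# traverse INPUT, where a plain protocol check is enough to split them.
iptables -A INPUT -i $EXT -p 50 -j EXTyesipsec
iptables -A INPUT -i $EXT ! -p 50 -j EXTnoipsec
# After decryption the inner packet re-enters the stack as plain IP and
# traverses FORWARD on $EXT; there is no ipsec0 interface to match on.
# The policy match records that a packet arrived through an IPsec SA, so
# FORWARD can be split the same way without a virtual interface.
iptables -A FORWARD -i $EXT -o $INT -m policy --dir in --pol ipsec --proto esp -j EXTyesipsec
iptables -A FORWARD -i $EXT -o $INT -m policy --dir in --pol none -j EXTnoipsec
EOF
}

# Number of rule lines the generator emits (comment lines excluded), as a
# sanity check before the output is applied.
ipsec_rule_count() {
  ipsec_rules | grep -c '^iptables'
}

ipsec_rules
```

The policy match needs a kernel and iptables build with xt_policy; on a 2003-era 2.6 kernel such as the one in the thread it is not available, which is the gap Sven describes.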