> iptables -t nat -j DROP
>
> Will not block ESP traffic.

It's not a valid command, either. In addition to specifying the table (-t nat) to act upon, you also need to specify a command and a chain to operate on; i.e.,

iptables -t nat -A PREROUTING -j DROP

Not that I'm recommending the above rule, but it'll sure drop some traffic...

> On the other hand
>
> iptables -t filter -p 50 -j DROP
>
> will block ESP traffic.

Nope...

iptables -A FORWARD -p 50 -j DROP

Or

iptables -A INPUT -p 50 -j DROP

Or

iptables -A OUTPUT -p 50 -j DROP

("-t filter" is assumed if no "-t" is specified)

<OT>
Where is the new-found obsession with dropping packets in the NAT table coming from?
</OT>

-j
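An added example, not from this thread, putting the reply's point into a small script: every rule carries a command (-A) and a chain, the filter table is used because no -t is given, and each rule is checked with -C before it is appended so re-running the script does not duplicate rules. The DRY_RUN variable, the IPTABLES variable and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original thread): drop ESP (IP protocol 50)
# in the filter table, the default table when no -t is given.
# DRY_RUN=1 prints the commands instead of running them, so the script can
# be reviewed without root and without iptables installed.

IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-0}

# Run (or, in dry-run mode, print) one iptables invocation.
run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Append a rule only if an identical one is not already present
# (-C checks for it, -A appends). Keeps the ruleset idempotent.
ensure_rule() {
    chain=$1; shift
    if [ "$DRY_RUN" = 1 ] || ! "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        run_ipt -A "$chain" "$@"
    fi
}

# Block ESP in each filter chain: locally delivered, forwarded and
# locally generated traffic. No -t, because filter is the default table.
block_esp() {
    for chain in INPUT FORWARD OUTPUT; do
        ensure_rule "$chain" -p 50 -j DROP
    done
}

# Number of ESP DROP rules a dry run would emit (sanity check: expect 3).
count_esp_rules() {
    (DRY_RUN=1; block_esp) | grep -c -- '-p 50 -j DROP'
}
```

Run with DRY_RUN=1 first to review the exact commands; run as root without it to apply them.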