RE: [OT] Was: ESP does not hit the nat table

I am sorry, this was my mistake, man page:

nat    This table is consulted when a packet that creates a new connection
       is encountered.  It consists of three built-ins: PREROUTING (for
       altering packets as soon as they come in), OUTPUT (for altering
       locally-generated packets before routing), and POSTROUTING (for
       altering packets as they are about to go out).


This is what happened:
	1. I put an ACCEPT rule in PREROUTING for ESP traffic when the client
connects. There is also a MASQUERADE rule in the POSTROUTING chain.
	2. The client can now do ipsec vpn.
	3. The client logs out and I remove the ACCEPT rule. There is a
catch-all DROP rule in the PREROUTING chain. I was expecting the ESP
"connection" to be terminated.
	4. Since the ESP "connection" is already in established state,
later packets never hit the catch-all DROP rule in the PREROUTING chain.
	5. The client is happy, since he gets free access :)

I just put some rules in the filter table, FORWARD chain (each and every
packet hits this). Things seem to work OK.

Thanks for all the replies!
Ashwin
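The behaviour described in steps 1 to 4 above, modelled as an added Python example (not code from this thread): a toy conntrack keyed on the ESP SPI, a nat PREROUTING chain that is consulted only for packets starting a new flow, and a filter FORWARD chain that every forwarded packet traverses. The client address, peer address, SPI and rule sets are constructed for the illustration.

```python
# Toy model of netfilter's consultation order: nat only for NEW flows,
# filter/FORWARD for every packet. Constructed example, not real iptables.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str = "esp"
    spi: int = 0


@dataclass
class Firewall:
    nat_prerouting: list = field(default_factory=list)  # (match, target) pairs
    filter_forward: list = field(default_factory=list)
    conntrack: set = field(default_factory=set)         # ESTABLISHED flows

    @staticmethod
    def _verdict(chain, pkt, policy):
        for match, target in chain:
            if match(pkt):
                return target
        return policy

    def handle(self, pkt: Pkt) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.spi)
        if key not in self.conntrack:          # NEW flow: nat table is consulted
            if self._verdict(self.nat_prerouting, pkt, "ACCEPT") == "DROP":
                return "DROP"
            self.conntrack.add(key)            # flow becomes ESTABLISHED
        # filter/FORWARD is traversed by every forwarded packet
        return self._verdict(self.filter_forward, pkt, "ACCEPT")


def esp_from(host):
    return lambda p: p.proto == "esp" and p.src == host


def catch_all(p):
    return True


def nat_only_scenario():
    # ACCEPT for the client above a catch-all DROP, all in nat/PREROUTING
    fw = Firewall(nat_prerouting=[(esp_from("10.0.0.5"), "ACCEPT"), (catch_all, "DROP")])
    first = fw.handle(Pkt("10.0.0.5", "203.0.113.9", spi=0x1000))
    fw.nat_prerouting.pop(0)                   # client logs out: ACCEPT removed
    later = fw.handle(Pkt("10.0.0.5", "203.0.113.9", spi=0x1000))
    return first, later                        # established flow skips nat


def filter_forward_scenario():
    # Same rules placed in filter/FORWARD instead
    fw = Firewall(filter_forward=[(esp_from("10.0.0.5"), "ACCEPT"), (catch_all, "DROP")])
    first = fw.handle(Pkt("10.0.0.5", "203.0.113.9", spi=0x1000))
    fw.filter_forward.pop(0)
    later = fw.handle(Pkt("10.0.0.5", "203.0.113.9", spi=0x1000))
    return first, later                        # FORWARD sees the later packet
```

With the rules in nat/PREROUTING the later packet is still accepted after the ACCEPT rule is gone; in filter/FORWARD the same removal drops it.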


-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ming-Ching
Tiew
Sent: Thursday, August 05, 2004 12:36 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: [OT] Was: ESP does not hit the nat table


Did you patch the kernel using the NAT-T patch? And
did you turn on nat_traversal?

It happens on my system too, where I have the
nat-t patch, but nat_traversal is disabled (default) in the
freeswan configuration; then I put in a rule like this:

     iptables -t nat -I PREROUTING -p esp

When I list the rule, I can't see any packet going through it.

Regards.
