alright--let's reset here. this is how i understand the situation:

you have two machines:
  192.168.1.1 (skyron)
  192.168.1.2 (gigabyte)

there's an IPSec tunnel set up between the two machines to encrypt all traffic between them. you are trying to initiate an SSH connection from 192.168.1.1 to 192.168.1.2. 192.168.1.2 is running iptables.

with no rules loaded on 192.168.1.2, the SSH connection from 192.168.1.1 succeeds. once you load a basic ruleset on 192.168.1.2--the ACK packets from 192.168.1.2 to 192.168.1.1 get dropped in the OUTPUT chain, which allows "-m state --state ESTABLISHED" packets.

is *all* of the above precisely correct? if not--where am i losing it?

-j
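The kind of "basic ruleset" the post is talking about, written out as an added example (not from the original thread or either poster): a stateful iptables policy for the 192.168.1.2 host that accepts SSH from 192.168.1.1 and relies on "-m state --state ESTABLISHED,RELATED" in OUTPUT for the reply packets. The host names and addresses come from the post; the rules themselves, the function names, and the log prefixes are assumptions. It includes two things a practitioner debugging this setup would want: explicit rules for the IPsec traffic itself (IKE on UDP 500 and ESP, protocol 50), since the encrypted envelope is a separate flow from the inner TCP connection and is not covered by the ESTABLISHED match for that connection, and LOG rules in front of the DROP policies so that any dropped ACK shows up in the kernel log instead of silently disappearing. The script only prints the rules by default; it applies them only when run as "apply" by root.

```shell
#!/bin/sh
# Added example, not code from the original post. Addresses are the ones in the thread.
# Default mode prints the rules for review; "apply" mode runs them (needs root).

PEER="${PEER:-192.168.1.1}"   # skyron: the host initiating SSH
SELF="${SELF:-192.168.1.2}"   # gigabyte: the host running iptables

# Emit the iptables commands, one per line. Nothing is executed here.
build_rules() {
    peer="$1"
    self="$2"
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# IPsec control and data traffic between the two peers. IKE runs over UDP 500
# (add UDP 4500 as well if NAT traversal is in use); the encrypted payload is ESP,
# IP protocol 50. These are separate flows from the inner SSH connection, so the
# ESTABLISHED rule for SSH does not cover them.
iptables -A INPUT -s $peer -d $self -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -s $self -d $peer -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s $peer -d $self -p esp -j ACCEPT
iptables -A OUTPUT -s $self -d $peer -p esp -j ACCEPT
# Stateful rules: replies to tracked connections are accepted in both directions.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound SSH is accepted only from the peer.
iptables -A INPUT -s $peer -d $self -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Log anything that is about to hit the DROP policy so a blocked ACK is visible
# in the kernel log (dmesg / syslog) with a recognisable prefix.
iptables -A INPUT -j LOG --log-prefix "ipt-drop-in: " --log-level 4
iptables -A OUTPUT -j LOG --log-prefix "ipt-drop-out: " --log-level 4
EOF
}

# Number of iptables commands the ruleset contains (comment lines excluded).
rule_count() {
    build_rules "$@" | grep -c '^iptables'
}

# Execute the generated commands line by line, skipping comments.
apply_rules() {
    build_rules "$@" | grep '^iptables' | while read -r cmd; do
        $cmd
    done
}

# Show recent drops logged by the rules above, to see which direction loses packets.
show_drops() {
    dmesg | grep 'ipt-drop-' | tail -n 20
}

case "${1:-}" in
    apply) apply_rules "$PEER" "$SELF" ;;
    drops) show_drops ;;
    *)     build_rules "$PEER" "$SELF" ;;
esac
```

Run it with no arguments to review the generated rules, as root with "apply" to load them, and with "drops" afterwards to see whether the logged drops are in the INPUT or OUTPUT direction and whether they are TCP packets or ESP packets, which narrows down which rule is missing.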