Thomas Heinz wrote:
Hi Marco,

Thanks for your reply. You wrote:

> You aren't seeing the clear text packet because you should log also the
> FORWARD chain: 'iptables -I FORWARD -j LOG'
>
> > This has been observed in e.g. this thread:
> > http://marc.theaimsgroup.com/?l=netfilter-devel&m=114010374229806&w=2
> >
> > However, I don't see any solution. What is your approach to filter
> > cleartext packets?
>
> You must filter packets in the FORWARD chain, neither INPUT nor OUTPUT

The packets do not traverse the FORWARD chain. I just added a log rule, i.e. 'iptables -I FORWARD -j LOG'. Even after issuing 'iptables -I FORWARD -j DROP', the IPsec connection works perfectly (assuming that I accept PROTO=4 packets).
Apologies, I misread your post.
BTW, I used 2.6.16 this time since I currently cannot restart the system. In fact, I would be surprised to see either the ESP or the cleartext packet in FORWARD since both are destined to the local host.
Yes sure, my fault. What is your policy for the INPUT and OUTPUT chains? ACCEPT or DROP?