2009/7/9 David Balažic <xerces9@xxxxxxxxx>:
> Hmm, I replaced the rule as suggested, but something still does not
> work correctly.
>
> Any idea ?
> ...
> Maybe add an ACCEPT rule for proto 41 in rule "input_wan" ?

I did exactly that:

iptables -A input_wan --proto 41 -s 3.4.5.6 -j ACCEPT
# 3.4.5.6 is the address of the remote tunnel endpoint host

And now it appears to work.

I reduced the timeout in
/proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout to 10 for
testing.

I also removed the "MASQUERADE !ipv6 -- anywhere anywhere" line and
left the original MASQUERADE rule.

Thus far, it works.

Regards,
David
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
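The rule above is the scoped form (protocol 41 accepted only from the known tunnel endpoint). As an added check that is not part of this thread, the following script audits `iptables-save` output for any protocol-41 ACCEPT rule that is not pinned to an allowed endpoint; the sample ruleset and the chain name are constructed for the example, and it accepts both the numeric `41` and the `ipv6` name that iptables-save may print for that protocol.

```python
"""Audit iptables-save output for 6in4 (IP protocol 41) tunnel rules.

Reports ACCEPT rules for protocol 41 that are not restricted to a known
remote tunnel endpoint, so an open tunnel entry is not reachable from
any host on the WAN side.
"""
import shlex

# Constructed sample of `iptables-save` output for the example; the
# second proto-41 rule is deliberately unscoped so the audit flags it.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:input_wan - [0:0]
-A INPUT -i eth0 -j input_wan
-A input_wan -s 3.4.5.6/32 -p ipv6 -j ACCEPT
-A input_wan -p ipv6 -j ACCEPT
-A input_wan -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# iptables-save prints protocol 41 as "ipv6" when /etc/protocols has it,
# otherwise as the bare number; accept both spellings.
PROTO41_NAMES = {"41", "ipv6"}


def parse_rules(text):
    """Yield (chain, options dict, target) for every -A line."""
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        chain, opts, target, i = tokens[1], {}, None, 2
        while i < len(tokens):
            tok = tokens[i]
            has_arg = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            if tok == "-j" and has_arg:
                target = tokens[i + 1]
                i += 2
            elif tok.startswith("-") and has_arg:
                opts[tok] = tokens[i + 1]   # e.g. "-p": "ipv6", "-s": "3.4.5.6/32"
                i += 2
            else:
                i += 1
        yield chain, opts, target


def audit_proto41(text, allowed_endpoints):
    """Return findings for proto-41 ACCEPT rules not pinned to an allowed source."""
    findings = []
    for chain, opts, target in parse_rules(text):
        if target != "ACCEPT" or opts.get("-p") not in PROTO41_NAMES:
            continue
        src = opts.get("-s")
        if src is None:
            findings.append(f"{chain}: proto 41 accepted from any source")
        elif src.split("/")[0] not in allowed_endpoints:
            findings.append(f"{chain}: proto 41 accepted from unexpected endpoint {src}")
    return findings
```

Feed it real output with `audit_proto41(open("rules.txt").read(), {"<endpoint-ip>"})` after running `iptables-save > rules.txt`.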