Re: MARK not working

On Friday 2010-04-02 09:27, Dennison Williams wrote:

>Before bringing up the vpn I flush both mangle/PREROUTING and
>filter/INPUT tables:
># iptables -t filter -Z
># iptables -t mangle -Z PREROUTING
>

Deparsing this mess..

>I then successfully bring up the vpn connection and provide a count of
>the two tables:
># iptables -t filter -L INPUT -vxn
>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>       0        0 REJECT     all  --  !lo    *       0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
>     374    37299 Accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>       0        0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
>     371    36320 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>       1      620 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           mark match 0x1

There is your mark-1 packet, and right above it is the ESTABLISHED
rule that catches all the other packets that have this condition,
including those marked 1 which are subsequent in the IKE talk.
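
The rule-ordering effect described in this reply, as an added example that is not part of the original message: a small Python model of first-match evaluation over the INPUT chain quoted above, showing why the mark rule's counter stays at 1 and what it reads if the rule is placed above the ESTABLISHED rule. The packets are constructed, and treating `Accounting` as a user chain that returns to INPUT is an assumption.

```python
# Model of first-match evaluation in the INPUT chain from the thread.
# Packet values are constructed; "Accounting" is assumed to be a user chain
# that returns, so it counts a packet without ending traversal.
from ipaddress import ip_address, ip_network

LOOPBACK = ip_network("127.0.0.0/8")
TERMINAL = {"ACCEPT", "REJECT", "DROP"}

# (label, target, match predicate), in the order `iptables -L INPUT` printed them
RULES = [
    ("reject-lo-dst", "REJECT",
     lambda p: p["in"] != "lo" and ip_address(p["dst"]) in LOOPBACK),
    ("accounting", "Accounting", lambda p: True),
    ("lo", "ACCEPT", lambda p: p["in"] == "lo"),
    ("eth2", "ACCEPT", lambda p: p["in"] == "eth2"),
    ("established", "ACCEPT",
     lambda p: p["state"] in ("RELATED", "ESTABLISHED")),
    ("mark-1", "ACCEPT", lambda p: p["in"] == "eth1" and p["mark"] == 0x1),
]

def count_hits(rules, packets):
    """Return per-rule packet counters, like the pkts column of -L -v."""
    hits = {label: 0 for label, _, _ in rules}
    hits["policy"] = 0
    for pkt in packets:
        for label, target, match in rules:
            if match(pkt):
                hits[label] += 1
                if target in TERMINAL:
                    break  # a terminal target ends traversal for this packet
        else:
            hits["policy"] += 1  # no terminal rule matched: chain policy applies
    return hits

def move_before(rules, label, before):
    """Return a copy of rules with `label` placed directly above `before`."""
    rule = next(r for r in rules if r[0] == label)
    rest = [r for r in rules if r[0] != label]
    idx = next(i for i, r in enumerate(rest) if r[0] == before)
    return rest[:idx] + [rule] + rest[idx:]

def sample_traffic():
    # Constructed: one IKE flow on eth1, every packet marked 0x1, only the
    # first in state NEW; plus unmarked established traffic on eth1.
    base = {"in": "eth1", "dst": "192.0.2.10"}
    ike = [dict(base, state="NEW", mark=0x1)]
    ike += [dict(base, state="ESTABLISHED", mark=0x1) for _ in range(5)]
    other = [dict(base, state="ESTABLISHED", mark=0x0) for _ in range(4)]
    return ike + other

if __name__ == "__main__":
    print(count_hits(RULES, sample_traffic()))
    print(count_hits(move_before(RULES, "mark-1", "established"), sample_traffic()))
```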
