hi, i have a simple GRE/IPsec config between two hosts (2.6.32 kernel, iptables ver 1.3.5). i have a GRE tunnel set up between the hosts and have IPsec auth+encrypt the GRE traffic (only) in transport mode.

i'd like to ensure that no unencrypted GRE packets are sent (and accepted) over the physical network. only IPsec encapsulated ones should be. i.e. no GRE pkts should ever be seen on the physical wire (outgoing).

my filter table chains look like this:

----------
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   328 ACCEPT     ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
....

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
...

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0
....
-----------

the above configuration does NOT work (i thought it would ;-). it only works when i open up protocol 47 (gre) on eth0 (both on the INPUT and OUTPUT chain). but that may cause naked GRE pkts to be sent out on eth0 (due to some mis-configuration with IPsec or something else). is there a way i can prevent this from happening via iptables?

and secondly, i am a bit confused about the input+output path taken by GRE packets. can someone please outline that path (w.r.t. iptables)? it seems with the GRE/IPsec config, the packet makes two passes over the netdevice (as my packet counters tell me). i was expecting just one pass (and hence my initial (above listed) config -- which did not work :-)

thanks!
abhijit

ps: i am not subscribed to this list. please do Cc: me the replies -- thanks!

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
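As an added example (not the poster's configuration, and not a reply from the list), the following shell script shows the usual way to express "GRE only inside IPsec" with the iptables `policy` match (xt_policy). The plain-GRE packet and the AH/ESP packet that carries it are seen by the filter table as separate passes; `-m policy --dir in --pol ipsec` matches a packet that was just decapsulated from an IPsec SA, and `--dir out --pol ipsec` matches one that is about to be transformed by an SA, so GRE can be accepted on those passes and any GRE that is not under an IPsec policy falls through to LOG and DROP. The interface name `eth0`, the addresses (documentation range, placeholders), the `IPT`/`WAN`/`LOCAL`/`PEER` variables and the function names are all assumptions of this example; it assumes the iptables build includes the `policy` match.

```shell
#!/bin/sh
# Added example: accept GRE on the wire only when an IPsec transport-mode
# SA protects it, and log+drop any "naked" GRE in either direction.
# LOCAL, PEER and WAN are placeholders; set them to the real hosts.
# IPT can be set to "echo" to preview the rules without touching the kernel.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LOCAL="${LOCAL:-192.0.2.1}"   # placeholder (RFC 5737 documentation range)
PEER="${PEER:-192.0.2.2}"     # placeholder (RFC 5737 documentation range)

# Emit the rule set, one rule per line, without running anything.
gre_ipsec_rules() {
    cat <<EOF
-A INPUT  -i $WAN -p ah  -s $PEER -d $LOCAL -j ACCEPT
-A INPUT  -i $WAN -p esp -s $PEER -d $LOCAL -j ACCEPT
-A OUTPUT -o $WAN -p ah  -s $LOCAL -d $PEER -j ACCEPT
-A OUTPUT -o $WAN -p esp -s $LOCAL -d $PEER -j ACCEPT
-A INPUT  -i $WAN -p gre -s $PEER -d $LOCAL -m policy --dir in  --pol ipsec --mode transport -j ACCEPT
-A OUTPUT -o $WAN -p gre -s $LOCAL -d $PEER -m policy --dir out --pol ipsec --mode transport -j ACCEPT
-A INPUT  -i $WAN -p gre -j LOG --log-prefix naked-gre-in:
-A INPUT  -i $WAN -p gre -j DROP
-A OUTPUT -o $WAN -p gre -j LOG --log-prefix naked-gre-out:
-A OUTPUT -o $WAN -p gre -j DROP
EOF
}

# Feed each rule to $IPT (iptables by default, "echo" for a dry run).
# The loop runs in a pipeline subshell, so "exit 1" fails the pipeline
# without terminating the calling script.
apply_gre_ipsec_rules() {
    gre_ipsec_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        $IPT $rule || exit 1
    done
}

# Sanity check on the rule set: no rule may ACCEPT GRE without an IPsec
# policy match. Returns 0 when the set is tight, 1 otherwise.
check_no_naked_gre_accept() {
    n=$(gre_ipsec_rules | grep -- '-p gre' | grep -- '-j ACCEPT' \
        | grep -vc -- '-m policy' || true)
    [ "$n" -eq 0 ]
}

case "${1:-}" in
    apply) apply_gre_ipsec_rules ;;
    check) check_no_naked_gre_accept && echo "no unprotected GRE accept rules" ;;
    *)     gre_ipsec_rules ;;
esac
```

Run it with no argument to print the rules, `check` to verify that every GRE ACCEPT carries a policy match, or `apply` (as root) to load them; `IPT=echo ./script.sh apply` previews the exact iptables invocations. The LOG rules before the final DROPs are the detection side: a hit on the `naked-gre-in:` or `naked-gre-out:` prefix in the kernel log means GRE reached the wire outside IPsec, which is exactly the misconfiguration the question is about.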