On Monday 2010-07-19 15:34, Richard Knight wrote: >> >> Yes; -m policy applies to the in-tunnel packets only. > >Ah, thanks. so for instance to block telnet through my tunnel I could add a >rule like this > >$IP6_TABLES -I INPUT 1 -i $EXIF -p tcp --destination-port 23 -m policy >--dir in --pol ipsec -j REJECT For something as evil^W insecure as telnet, I'd drop the -m policy portion and just always block it, tunneled or not :-) -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html