I have IPSec set up between 2 hosts and would like to stop all inter-host traffic that's not secured with IPSec (they have a GRE tunnel between them, and I want to be sure the GRE traffic fails to transmit if the IPSec daemon fails). I'm testing from host hostA, trying to ping hostB. This is what I've tried; allow only output traffic that's part of IPSec to hostB, else reject it:

    iptables -A OUTPUT -p udp --dport 500 -d hostB.example.com -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 500 -d hostB.example.com -j ACCEPT
    iptables -A OUTPUT -p esp -d hostB.example.com -j ACCEPT
    iptables -A OUTPUT -d hostB.example.com -j REJECT

    [root@hostA ~]# iptables -vL
    Chain INPUT (policy ACCEPT 124 packets, 9920 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 94 packets, 12768 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     udp  --  any    any     anywhere             hostB.example.com   udp dpt:isakmp
        0     0 ACCEPT     tcp  --  any    any     anywhere             hostB.example.com   tcp dpt:isakmp
        0     0 ACCEPT     esp  --  any    any     anywhere             hostB.example.com
        8   864 REJECT     all  --  any    any     anywhere             hostB.example.com   reject-with icmp-port-unreachable
    [root@hostA ~]#

The reject rule is rejecting all traffic to that host, as you can see from the pkt counter. If I remove that rule, everything works and I see the packets get counted on the ESP protocol rule. I thought the rules were processed in order until a match was found. Clearly I'm wrong. Is this possible without much complexity?
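One way to get the intended behaviour with the xt_policy match, added here as an example and not part of the original post: hostB.example.com is the poster's placeholder, while the INPUT mirror rules and the APPLY switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Allows only IKE, ESP and payload that
# the kernel will actually protect with IPsec to pass between this host and the peer;
# everything else to/from the peer is rejected. hostB.example.com is the poster's
# placeholder; the INPUT mirror and the APPLY switch are assumptions of this example.
PEER="${PEER:-hostB.example.com}"

# Why the poster's REJECT fires: with native XFRM an outbound GRE packet traverses
# OUTPUT twice, first in clear (before ESP encapsulation) and then again as ESP.
# A plain "-d peer -j REJECT" catches the clear copy before IPsec runs at all.
# "-m policy --pol ipsec" accepts the clear copy only when an outbound IPsec policy
# applies to it; with no matching policy it falls through to the catch-all REJECT,
# which is exactly what is wanted when the IPsec daemon is down.
ipsec_only_rules() {
  peer="$1"
  cat <<EOF
iptables -A OUTPUT -p udp --dport 500 -d $peer -j ACCEPT
iptables -A OUTPUT -p esp -d $peer -j ACCEPT
iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -d $peer -j ACCEPT
iptables -A OUTPUT -d $peer -j REJECT
iptables -A INPUT -p udp --sport 500 -s $peer -j ACCEPT
iptables -A INPUT -p esp -s $peer -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -s $peer -j ACCEPT
iptables -A INPUT -s $peer -j REJECT
EOF
}

# Sanity check helper: the catch-all REJECT must be the last OUTPUT rule, after the
# policy match, or the clear copy of the GRE packet is rejected as in the post.
last_output_rule() { ipsec_only_rules "$1" | grep -- '-A OUTPUT' | tail -n 1; }

# Print the rules for review by default; run with APPLY=1 to load them (needs root).
if [ "${APPLY:-0}" = "1" ]; then
  ipsec_only_rules "$PEER" | sh -e
else
  ipsec_only_rules "$PEER"
fi
```

After applying, `iptables -vL` should show the GRE packets counted on the policy-match rule and then on the ESP rule, with the REJECT counter staying at zero while the tunnel is up; `ip xfrm policy` lists the outbound policies the match relies on.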