On Wednesday 2011-07-20 21:20, Ryan Whelan wrote:

> I have IPSec setup between 2 hosts and would like to stop all
> inter-host traffic that's not secured with IPSec (They have a GRE
> tunnel between them, and I want to be sure the GRE traffic fails to
> transmit if the IPSec daemon fails)
>
> iptables -A OUTPUT -p udp --dport 500 -d hostB.example.com -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 500 -d hostB.example.com -j ACCEPT
> iptables -A OUTPUT -p esp -d hostB.example.com -j ACCEPT
> iptables -A OUTPUT -d hostB.example.com -j REJECT
>
> The reject rule is rejecting all traffic to that host[...]
> If I remove that rule, everything works and I
> see the packets get counted on the ESP protocol rule. I thought the
> rules were processed in order until a match was found. Clearly I'm
> wrong.

They are indeed processed in order, and until a match is found -- and a
match _was_ found (a packet which has dst=hostB, which is not ESP, and
which does not have tcp/udp-500 in its headers). A `ping hostB` would
match the criteria of this 4th rule, as would opening
http://hostB.example.com in a browser, for example.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
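To make the first-match behaviour described in the reply concrete, here is an added example (not from the thread) that parses the four OUTPUT rules quoted above and walks them in order for a few constructed packets; the packet descriptions and the hostC name are assumptions for illustration, and the model covers only the match fields those four rules use (-p, --dport, -d).

```python
"""Model of iptables first-match evaluation over the OUTPUT rules from the thread."""
import shlex

HOST_B = "hostB.example.com"

# The four rules exactly as posted in the thread.
RULES = [
    "iptables -A OUTPUT -p udp --dport 500 -d hostB.example.com -j ACCEPT",
    "iptables -A OUTPUT -p tcp --dport 500 -d hostB.example.com -j ACCEPT",
    "iptables -A OUTPUT -p esp -d hostB.example.com -j ACCEPT",
    "iptables -A OUTPUT -d hostB.example.com -j REJECT",
]

def parse_rule(cmd):
    """Extract the match criteria and target from one iptables command line."""
    args = shlex.split(cmd)
    rule = {"proto": None, "dport": None, "dst": None, "target": None}
    for flag, value in zip(args, args[1:]):
        if flag == "-p":
            rule["proto"] = value
        elif flag == "--dport":
            rule["dport"] = int(value)
        elif flag == "-d":
            rule["dst"] = value
        elif flag == "-j":
            rule["target"] = value
    return rule

def matches(rule, pkt):
    """A rule matches when every criterion it specifies agrees with the packet;
    criteria the rule leaves unspecified (None) match anything."""
    return all(rule[k] is None or rule[k] == pkt.get(k)
               for k in ("proto", "dport", "dst"))

def verdict(pkt, rules=RULES):
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (1-based rule index, target); (None, "POLICY") means no rule matched."""
    for i, cmd in enumerate(rules, start=1):
        rule = parse_rule(cmd)
        if matches(rule, pkt):
            return i, rule["target"]
    return None, "POLICY"

# Constructed sample packets (dst is hostB unless noted; hostC is hypothetical).
PACKETS = {
    "ike":        {"proto": "udp", "dport": 500, "dst": HOST_B},
    "esp":        {"proto": "esp", "dst": HOST_B},
    "ping":       {"proto": "icmp", "dst": HOST_B},
    "http":       {"proto": "tcp", "dport": 80, "dst": HOST_B},
    "other_host": {"proto": "tcp", "dport": 80, "dst": "hostC.example.com"},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        idx, target = verdict(pkt)
        print(f"{name:10} -> rule {idx}: {target}")
```

Running it shows the ping and HTTP packets stopping at rule 4 (REJECT) because nothing earlier in the chain claims them, while IKE and ESP are accepted by rules 1 and 3.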