On Wed, Jul 20, 2011 at 3:56 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote: > > On Wednesday 2011-07-20 21:20, Ryan Whelan wrote: > >>I have IPSec setup between 2 hosts and would like to stop all >>inter-host traffic thats not secured with IPSec (They have a GRE >>tunnel between them, and I want to be sure the GRE traffic fails to >>transmit if the IPSec daemon fails) >> >>iptables -A OUTPUT -p udp --dport 500 -d hostB.example.com -j ACCEPT >>iptables -A OUTPUT -p tcp --dport 500 -d hostB.example.com -j ACCEPT >>iptables -A OUTPUT -p esp -d hostB.example.com -j ACCEPT >>iptables -A OUTPUT -d hostB.example.com -j REJECT >> >>The reject rule is rejecting all traffic to that host[...] >>If i remove that rule, everything works and i >>see the packets get counted on the ESP protocol rule. I thought the >>rules were processes in order until a match was found. Clearly I'm >>wrong. > > They are indeed processed in order, and until a match is found -- > and match _was_ found (packet which has dst=hostB, which is not > ESP, and which does not have tcpudp-500 in its headers). > > A `ping hostB` would match the criteria of this 4th rules, as would > opening http://hostB.example.com in a browser, for example. > but if i remove that the last rule, the 3 rule starts counting matches (the ESP protocol rule). If that rule matches, why does it continue to look at rule 4 if rule 3 matches? -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
