On Wednesday 2011-07-20 22:33, Ryan Whelan wrote:
>>>
>>>iptables -A OUTPUT -p udp --dport 500 -d hostB.example.com -j ACCEPT
>>>iptables -A OUTPUT -p tcp --dport 500 -d hostB.example.com -j ACCEPT
>>>iptables -A OUTPUT -p esp -d hostB.example.com -j ACCEPT
>>>iptables -A OUTPUT -d hostB.example.com -j REJECT
>>>
>>>but if I remove the last rule, the 3rd rule starts counting matches
>>>(the ESP protocol rule).
>>
>> Sure, because once you are not dropping the original packet in rule
>> 4, it has a chance to get encrypted, show up as ESP, and match rule
>> 3.
>
>So the outbound traffic is being processed by netfilter before getting
>wrapped by IPsec?

Both before and after.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
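The exchange above hinges on a locally generated packet traversing the OUTPUT chain twice: once as plaintext, and, if IPsec then encapsulates it, once more as the resulting ESP packet. The following is an added illustration, not code from the thread or from netfilter: a small Python model of that double traversal using the four rules Ryan posted, with per-rule hit counters. The `needs_esp` predicate (IKE on UDP/500 bypasses the tunnel, everything else to hostB is protected) and the sample traffic are constructed assumptions.

```python
"""Toy model of the netfilter OUTPUT chain with IPsec post-processing.

Constructed example: a packet goes through OUTPUT as plaintext; if the
verdict is ACCEPT and an IPsec policy covers it, the kernel encrypts it
and the new ESP packet goes through OUTPUT again.  Counters on the rules
show why rule 3 (ESP) only starts matching once the trailing REJECT rule
is removed.  This simulates the ordering only; it is not netfilter code.
"""
from dataclasses import dataclass
from typing import List, Optional

HOST_B = "hostB.example.com"   # destination used in the thread


@dataclass
class Packet:
    proto: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str
    dst: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    hits: int = 0                 # like the pkts column of iptables -L -v

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def traverse(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            rule.hits += 1
            return rule.target
    return policy


def needs_esp(pkt: Packet) -> bool:
    """Assumed IPsec SPD: protect traffic to hostB except IKE (UDP/500)."""
    return pkt.dst == HOST_B and not (pkt.proto == "udp" and pkt.dport == 500)


def send(chain: List[Rule], pkt: Packet) -> str:
    """OUTPUT on the plaintext packet, then again on the ESP packet."""
    verdict = traverse(chain, pkt)
    if verdict != "ACCEPT":
        return verdict                    # rejected before encryption
    if needs_esp(pkt):
        esp = Packet(proto="esp", dst=pkt.dst)
        verdict = traverse(chain, esp)    # second pass, now as ESP
    return verdict


def build_chain(with_reject: bool) -> List[Rule]:
    chain = [
        Rule("ACCEPT", HOST_B, proto="udp", dport=500),
        Rule("ACCEPT", HOST_B, proto="tcp", dport=500),
        Rule("ACCEPT", HOST_B, proto="esp"),
    ]
    if with_reject:
        chain.append(Rule("REJECT", HOST_B))
    return chain


def run(with_reject: bool) -> List[int]:
    """Send an IKE packet and an SSH packet; return per-rule hit counts."""
    chain = build_chain(with_reject)
    send(chain, Packet("udp", HOST_B, 500))   # IKE, bypasses the tunnel
    send(chain, Packet("tcp", HOST_B, 22))    # SSH, should be ESP-wrapped
    return [r.hits for r in chain]


if __name__ == "__main__":
    print("with REJECT rule:   ", run(True))    # ESP rule never counts
    print("without REJECT rule:", run(False))   # ESP rule now counts
```

With the REJECT rule in place the SSH packet is refused on its first, plaintext pass and never reaches the IPsec layer, so no ESP packet exists to match rule 3. Without it the plaintext pass falls through to the chain policy, the packet is encrypted, and its ESP form is what rule 3 counts on the second pass.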