On Wed, Jul 20, 2011 at 4:34 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
> On Wednesday 2011-07-20 22:33, Ryan Whelan wrote:
>>>>
>>>> iptables -A OUTPUT -p udp --dport 500 -d hostB.example.com -j ACCEPT
>>>> iptables -A OUTPUT -p tcp --dport 500 -d hostB.example.com -j ACCEPT
>>>> iptables -A OUTPUT -p esp -d hostB.example.com -j ACCEPT
>>>> iptables -A OUTPUT -d hostB.example.com -j REJECT
>>>>
>>>> but if I remove the last rule, the 3rd rule starts counting matches
>>>> (the ESP protocol rule).
>>>
>>> Sure, because once you are not dropping the original packet in rule
>>> 4, it has a chance to get encrypted, show up as ESP, and match rule
>>> 3.
>>
>> So the outbound traffic is being processed by netfilter before getting
>> wrapped by IPsec?
>
> Both before and after.
>

Is there a way to accomplish this? Maybe a way to only accept non-ESP packets if they are destined for the IPsec stack; is that possible?

The only other recourse I can think of is dropping on the receiving side any non-ESP packets. That's better than nothing, but I'd like to not send anything unencrypted if possible.

These machines will be forwarding more traffic than they originate. Should I put this filtering on the `mangle` table to catch both forwarded and sent packets?
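One way to express "accept a plaintext packet only if it is going to be encrypted", added here as an example and not taken from this thread: iptables' policy match (the xt_policy extension) matches packets that already carry an outbound xfrm policy, i.e. the plaintext that netfilter sees before ESP encapsulation, so everything else addressed to the peer can be rejected. It assumes hostB.example.com is the peer, IKE on udp/500, ESP as the SA protocol, and that the policy match is available; the FORWARD rules cover the routed traffic the question mentions.

```shell
#!/bin/sh
# Added example: allow traffic to an IPsec peer only if it will be (or
# already is) ESP-protected, and reject any other packet addressed to it.
# Assumptions: peer hostB.example.com, IKE on udp/500, ESP, iptables with
# the policy match (xt_policy). Set IPT=echo to print instead of install.

IPT="${IPT:-iptables}"

# Rules for one chain. OUTPUT handles locally generated packets, FORWARD
# handles routed ones; "-m policy --dir out" is valid in both.
ipsec_only_chain() {
    chain="$1"
    peer="$2"
    # IKE must reach the peer in the clear to negotiate the SAs.
    "$IPT" -A "$chain" -p udp --dport 500 -d "$peer" -j ACCEPT
    # Plaintext that the kernel's xfrm policy will wrap in ESP: netfilter
    # sees it here, before encapsulation, with the IPsec policy attached.
    "$IPT" -A "$chain" -d "$peer" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    # After encapsulation the packet traverses the chain again as ESP.
    "$IPT" -A "$chain" -p esp -d "$peer" -j ACCEPT
    # Anything else to the peer would leave unencrypted: reject it.
    "$IPT" -A "$chain" -d "$peer" -j REJECT
}

# Install the rules for both locally originated and forwarded traffic.
ipsec_only_rules() {
    peer="$1"
    ipsec_only_chain OUTPUT "$peer"
    ipsec_only_chain FORWARD "$peer"
}

# Usage: sh ipsec-only.sh hostB.example.com   (IPT=echo for a dry run)
if [ "$#" -eq 1 ]; then
    ipsec_only_rules "$1"
fi
```

Rule order matters: the policy match must sit before the final REJECT, and the ESP rule is still needed because the encapsulated packet no longer carries the xfrm policy when it re-enters the chain.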