Hi again. I wrote about this problem several days ago; the proposed solution didn't work, so I decided to go deeper. What follows are different configurations of the INPUT chain and the final result. I don't even know if this is a misconfiguration or a bug, because this is pretty new to me (GRE tunneling). Any suggestions will be highly appreciated.
=====================
Chain INPUT (policy ACCEPT 20 packets, 1680 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `INPUT: '
Tunnel works
=====================
Chain INPUT (policy DROP 20 packets, 1680 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `INPUT: '
Tunnel DOESN'T work (regardless of the fact that the first rule matches according to the counter)
=====================
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
   20  1680 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `INPUT: '
Tunnel works
=====================
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `INPUT: '
   20  1680 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Tunnel DOESN'T work
=====================
I think this should give you an idea. Of course this is not my regular firewall; I stripped it down for testing purposes. In general my goal is to make things work using the second configuration:
-P DROP; -p 47 -j ACCEPT; -m state --state ESTABLISHED,RELATED
I am using kernel 2.4.18 (same behavior on .17) with iptables 1.2.5. All netfilter code is compiled monolithically into the kernel (which eliminates the possibility of a missing module or something like that). In all the examples above, the FORWARD and OUTPUT chain counters don't show any dropped packets. Also, I can't really explain the byte difference between the "-p 47" and "-p all" rules. If anyone is interested in further investigation of this problem I can supply any information like kernel configurations, debug output etc. (I don't want to flood the mailing list :)
Best regards
Peter
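An added example for reading the counters Peter posted; this is editor-supplied code, not part of Peter's message or of the netfilter project. It parses `iptables -L INPUT -v -n` output (the sample below is reconstructed from the third listing above, with the wrapped lines rejoined) and checks two things a practitioner would look at: the per-packet byte difference between the `-p 47` rule and the state rule, and whether the LOG rule, being bound to `-i eth0`, can ever report packets that arrive on another interface. The header lengths (20-byte IPv4 header, 4-byte GRE header without key/sequence/checksum) are assumptions; the reading that the second set of 20 packets is the decapsulated inner traffic re-entering INPUT on the tunnel device is the editor's inference from the numbers, not something the message states.

```python
"""Parse `iptables -L <chain> -v -n` output and compare rule counters.

Editor-added example; not code from the original message. The sample
listing is constructed from the third INPUT chain in Peter's post.
"""
import re

# Constructed sample: iptables 1.2.x `-L -v -n` layout, wrapped lines rejoined.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
   20  1680 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `INPUT: '
"""

HEADER_RE = re.compile(
    r"^Chain (?P<name>\S+) \(policy (?P<policy>\S+) (?P<pkts>\d+) packets, (?P<bytes>\d+) bytes\)"
)
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<match>.*)$"
)

IP_HEADER_LEN = 20   # assumption: outer IPv4 header without options
GRE_HEADER_LEN = 4   # assumption: GRE header without key/sequence/checksum


def parse_chain(text):
    """Return the chain header fields and a list of parsed rule dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not an iptables -L -v chain listing: %r" % lines[0])
    chain = {
        "name": m.group("name"),
        "policy": m.group("policy"),
        "policy_pkts": int(m.group("pkts")),
        "policy_bytes": int(m.group("bytes")),
        "rules": [],
    }
    for ln in lines[1:]:
        if ln.lstrip().startswith("pkts"):
            continue  # column header line
        r = RULE_RE.match(ln)
        if not r:
            raise ValueError("unparsed rule line: %r" % ln)
        d = r.groupdict()
        d["pkts"], d["bytes"] = int(d["pkts"]), int(d["bytes"])
        d["match"] = d["match"].strip()
        chain["rules"].append(d)
    return chain


def per_packet_bytes(rule):
    """Average bytes per matched packet, or None if the rule never matched."""
    return rule["bytes"] / rule["pkts"] if rule["pkts"] else None


def _gre_and_state_rules(chain):
    gre = next(r for r in chain["rules"] if r["prot"] in ("47", "gre"))
    state = next(r for r in chain["rules"] if r["match"].startswith("state "))
    return gre, state


def header_overhead(chain):
    """Per-packet size difference between the `-p 47` rule and the state rule.
    24 bytes is exactly one IPv4 header plus a bare GRE header."""
    gre, state = _gre_and_state_rules(chain)
    return per_packet_bytes(gre) - per_packet_bytes(state)


def looks_like_decapsulated_traffic(chain):
    """True when the counters fit the inner (decapsulated) packets traversing
    INPUT a second time: same packet count on both rules and exactly an
    IP+GRE header less per packet on the state rule. This is an inference."""
    gre, state = _gre_and_state_rules(chain)
    return (gre["pkts"] == state["pkts"]
            and header_overhead(chain) == IP_HEADER_LEN + GRE_HEADER_LEN)


def log_rule_blind_spot(chain):
    """True when every LOG rule is tied to a specific `-i` interface, so packets
    arriving on any other device (e.g. a tunnel interface) fall through to the
    policy without ever being logged."""
    log_rules = [r for r in chain["rules"] if r["target"] == "LOG"]
    return bool(log_rules) and all(r["in"] != "*" for r in log_rules)


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_INPUT_CHAIN)
    print("%s policy %s: %d packets reached the policy"
          % (chain["name"], chain["policy"], chain["policy_pkts"]))
    for r in chain["rules"]:
        print("%-6s prot=%-3s in=%-4s pkts=%d bytes/pkt=%s"
              % (r["target"], r["prot"], r["in"], r["pkts"], per_packet_bytes(r)))
    print("per-packet difference -p 47 vs state rule:", header_overhead(chain))
    print("consistent with decapsulated packets re-entering INPUT:",
          looks_like_decapsulated_traffic(chain))
    print("LOG rule cannot see non-eth0 traffic:", log_rule_blind_spot(chain))
```

Feed it the real `iptables -L INPUT -v -n` output instead of the constructed sample to reproduce the check on a live box. On this reading, 2160 minus 1680 bytes over 20 packets is 24 bytes each, the outer IP plus GRE header that is stripped before the inner packet is delivered again on the tunnel device; a LOG rule restricted to `-i eth0` would not report that second pass, which is one reason a policy of DROP can discard packets without anything appearing in the log.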