On Mon, Mar 04, 2002 at 02:00:36AM -0500, Peter Rabbitson wrote:
> =====================
>
> Chain INPUT (policy ACCEPT 20 packets, 1680 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `INPUT: '
>
> Tunnel works
>
> =====================
>
> Chain INPUT (policy DROP 20 packets, 1680 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `INPUT: '
>
> Tunnel DOESN'T work (regardless of the fact that the first rule matches according
> to the counter)
Where is this configuration different from the configuration above? Either I am blind or there is no difference.

> =====================
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
>    20  1680 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
>     0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `INPUT: '
>
> Tunnel works

This shouldn't make any difference from the ruleset above, as you can see the ACCEPT -p 47 rule matches the same number of packets. However, a number of other packets are now accepted, which were dropped by the default policy in example #2.

So from my point of view you are running something which uses a TCP or UDP control session, but a GRE data session. And you are dropping the control channel since you don't explicitly accept it.

What kind of GRE protocol are you talking about?

> Peter

-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
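The chain walk behind Harald's diagnosis, as an added example that is not part of either post: it replays a constructed packet sample through the three INPUT chains quoted in the thread (and a fourth, tightened one that is my suggestion, not anything from the thread) using the netfilter rules of evaluation: rules are tried in order, ACCEPT and DROP are terminating, LOG counts the packet and falls through, and whatever matches no terminating rule gets the chain policy. The sample is sized to the posted counters (20 GRE packets of 108 bytes, 20 non-GRE packets of 84 bytes); the non-GRE packets are tagged NEW because they matched NEW,RELATED,ESTABLISHED in chain #3 but not RELATED,ESTABLISHED in #2, and they are placed on an interface other than eth0 because the posted `-i eth0` LOG rule never fired while the policy counted 20 drops. The interface name `eth1`, the use of TCP, and the port 1723 (the PPTP control port, used only as a placeholder) are assumptions; the thread never identifies the tunnel protocol.

```python
"""Replay a constructed traffic sample through the INPUT chains posted in
the thread and show why chain #2 drops the tunnel's control session.

Added example; not code from the original posts.  Netfilter semantics
modelled: rules are tried in order; ACCEPT and DROP terminate; LOG counts
the packet and falls through; a packet matching no terminating rule gets
the chain policy.  Conntrack state is carried on each sample packet."""

from dataclasses import dataclass
from typing import Optional

GRE, TCP = 47, 6
CTL_PORT = 1723   # assumption: PPTP-style TCP control port; the thread never names the protocol


@dataclass(frozen=True)
class Packet:
    proto: int        # IP protocol number
    iface: str        # ingress interface
    state: str        # conntrack state as the --state match would see it
    dport: int = 0    # destination port, 0 for GRE
    length: int = 84


@dataclass
class Rule:
    target: str                          # ACCEPT, DROP or LOG
    proto: Optional[int] = None          # None = "all"
    in_iface: Optional[str] = None       # None = "*"
    dport: Optional[int] = None          # None = no --dport match
    states: Optional[frozenset] = None   # None = no --state match
    pkts: int = 0
    bytes: int = 0

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.in_iface is None or p.iface == self.in_iface)
                and (self.dport is None or p.dport == self.dport)
                and (self.states is None or p.state in self.states))


class Chain:
    def __init__(self, policy: str, rules: list):
        self.policy, self.rules = policy, rules
        self.policy_pkts = self.policy_bytes = 0

    def process(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                r.pkts += 1
                r.bytes += p.length
                if r.target in ("ACCEPT", "DROP"):
                    return r.target
                # LOG is non-terminating: keep walking the chain
        self.policy_pkts += 1
        self.policy_bytes += p.length
        return self.policy


def posted_chain(policy: str, states) -> Chain:
    """Shape of the three chains in the thread: accept GRE, accept by
    conntrack state, log whatever is still unmatched on eth0."""
    return Chain(policy, [Rule("ACCEPT", proto=GRE),
                          Rule("ACCEPT", states=frozenset(states)),
                          Rule("LOG", in_iface="eth0")])


def tightened_chain() -> Chain:
    """Policy DROP, but the control session is admitted explicitly instead
    of every NEW connection (added suggestion, not from the thread)."""
    return Chain("DROP", [Rule("ACCEPT", proto=GRE),
                          Rule("ACCEPT", proto=TCP, dport=CTL_PORT, in_iface="eth1",
                               states=frozenset({"NEW"})),
                          Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
                          Rule("LOG", in_iface="eth0")])


def sample_traffic() -> list:
    """Constructed sample sized to the posted counters: 20 control packets
    of 84 bytes (1680 bytes) on eth1, tagged NEW, then 20 GRE packets of
    108 bytes (2160 bytes) on eth0 (their state is irrelevant: the -p 47
    rule matches first)."""
    control = [Packet(TCP, "eth1", "NEW", CTL_PORT, 84) for _ in range(20)]
    data = [Packet(GRE, "eth0", "NEW", 0, 108) for _ in range(20)]
    return control + data


def run(chain: Chain) -> dict:
    """Return verdict counts per traffic class plus the chain's counters."""
    verdicts = {"control": {"ACCEPT": 0, "DROP": 0}, "gre": {"ACCEPT": 0, "DROP": 0}}
    for p in sample_traffic():
        verdicts["gre" if p.proto == GRE else "control"][chain.process(p)] += 1
    return {"verdicts": verdicts,
            "rules": [(r.target, r.pkts, r.bytes) for r in chain.rules],
            "policy": (chain.policy, chain.policy_pkts, chain.policy_bytes)}


if __name__ == "__main__":
    for name, chain in [("#1 policy ACCEPT", posted_chain("ACCEPT", {"RELATED", "ESTABLISHED"})),
                        ("#2 policy DROP", posted_chain("DROP", {"RELATED", "ESTABLISHED"})),
                        ("#3 DROP + NEW", posted_chain("DROP", {"NEW", "RELATED", "ESTABLISHED"})),
                        ("tightened", tightened_chain())]:
        print(name, run(chain))
```

Chain #1 and #2 produce identical per-rule counters (GRE 20/2160, state rule 0, LOG 0); the only difference is where the 20 unmatched control packets end up, the ACCEPT policy in #1 and the DROP policy in #2, which is why the GRE counter alone says nothing about whether the tunnel works. Chain #3 fixes it by accepting every NEW connection; the tightened chain accepts only the control session on the expected interface and port and leaves everything else to RELATED,ESTABLISHED and the LOG rule.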