On Mon, Apr 29, 2002 at 04:56:05PM +0300, Dani Arbel wrote:
> Hi!
> To support GRE tunnel, you would need rules both in INPUT and OUTPUT
> chains, since conntrack does not track them.

Right. I knew that the conntrack wouldn't track them because there is no
ipt_conntrack_gre module which contains the GRE intelligence. But, thanks.
Now I know that INPUT/OUTPUT are the starting/termination points.

Ramin

> Dani
>
> On Mon, 29 Apr 2002, Ramin Alidousti wrote:
>
> > On Sun, Apr 28, 2002 at 09:04:00PM -0400, Mark Orenstein wrote:
> >
> > > Quoting Ramin Alidousti <[EMAIL PROTECTED]>:
> > > > Yes. Once when it comes through the physical interface. There, netfilter
> > > > would see it as an IP packet with protocol 47 (GRE). And once when the
> > > > packets come out of the GRE tunnel. Here again, netfilter would see IP
> > > > packets but the protocol part would be TCP/UDP/ICMP...
> > > >
> > > > Try these rules to see the association:
> > > >
> > > > $IPT -A FORWARD -i <physical-interface> -p 47 -j LOG
> > > > $IPT -A FORWARD -i <gre-interface> -j LOG
> > > >
> > > > Ramin
> > > >
> > > Thanks very much Ramin, one more question though. Would the first rule above
> > > actually be in the INPUT chain? I'll be in school tomorrow morning, so I will
> > > be able to experiment to get a better understanding.
> >
> > A very good point Mark. I don't know but having thought about it, what
> > you said sounds absolutely right. The first rule might not work as those
> > packets are not meant to get routed. Please do test both and let me know
> > the outcome. Thank you.
> >
> > Ramin
> >
> > >
> > > Thanks again,
> > > Mark Orenstein
> > > East Granby, CT School System
> >
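An added example, not code from this thread: a toy Python model of the inbound netfilter hook order at a GRE tunnel endpoint, showing why the `-p 47` LOG rule fires in INPUT (the outer packet is addressed to this host, so it is never routed through FORWARD) while the decapsulated traffic reappears with the gre device as in-interface and, if it is for a host behind us, hits FORWARD. The addresses, interface names and the sample packet are constructed; only the inbound path is modelled.

```python
from dataclasses import dataclass
from typing import Optional

GRE, TCP = 47, 6
# Constructed: this host is the tunnel endpoint at 192.0.2.1 with LAN address 10.0.0.1.
LOCAL_ADDRS = {"192.0.2.1", "10.0.0.1"}

@dataclass
class Packet:
    iface: str                        # interface the packet arrives on
    src: str
    dst: str
    proto: int                        # IP protocol number (47 = GRE, 6 = TCP)
    inner: Optional["Packet"] = None  # encapsulated packet when proto == GRE

def hook_path(pkt, gre_iface="gre0", local=LOCAL_ADDRS):
    """Hooks an arriving packet traverses, as (chain, in-interface, proto).
    Inbound path only: PREROUTING, then INPUT if addressed to this host, else
    FORWARD (OUTPUT/POSTROUTING for the reply direction are not modelled).
    A GRE packet delivered locally is decapsulated by the tunnel driver and
    the inner packet re-enters the stack with the tunnel device as in-interface."""
    path = [("PREROUTING", pkt.iface, pkt.proto)]
    if pkt.dst not in local:
        path.append(("FORWARD", pkt.iface, pkt.proto))
        return path
    path.append(("INPUT", pkt.iface, pkt.proto))
    if pkt.proto == GRE and pkt.inner is not None:
        inner = Packet(gre_iface, pkt.inner.src, pkt.inner.dst, pkt.inner.proto)
        path.extend(hook_path(inner, gre_iface, local))
    return path

def rules_hit(rules, pkt):
    """Which LOG rules, given as (chain, in-interface, proto or None for any),
    would fire somewhere along the packet's path."""
    path = hook_path(pkt)
    return [r for r in rules
            if any(h[0] == r[0] and h[1] == r[1] and r[2] in (None, h[2]) for h in path)]

# Constructed sample: TCP from a host behind the remote endpoint, tunnelled to us,
# for a host on our LAN (the inner iface is rewritten on decapsulation).
SAMPLE = Packet("eth0", "198.51.100.7", "192.0.2.1", GRE,
                inner=Packet("eth0", "10.1.0.5", "10.0.0.20", TCP))
RULES = [
    ("FORWARD", "eth0", GRE),   # the first rule as originally proposed
    ("INPUT", "eth0", GRE),     # the same rule moved to INPUT, as Mark suggested
    ("FORWARD", "gre0", None),  # $IPT -A FORWARD -i gre0 -j LOG
]

if __name__ == "__main__":
    for hop in hook_path(SAMPLE):
        print("%-10s in=%-5s proto=%d" % hop)
    print("rules that fire:", rules_hit(RULES, SAMPLE))
```

Running it shows the FORWARD/eth0/47 rule never matching, which is the outcome Mark's question anticipated.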
