From: Patrick McHardy
Subject: Re: new iptables policy match
Date: Thu, 12 Jan 2006 11:53:02 +0100
Message-ID: <43C6350E.4020809@trash.net>
To: Marco Berizzi
Cc: netfilter-devel@lists.netfilter.org

Marco Berizzi wrote:
>
> Patrick McHardy wrote:
>
>> Marco Berizzi wrote:
>>
>>> Ok, my fault, sorry. Here are my corrected (I hope) iptables rules:
>>>
>>> iptables -P FORWARD DROP
>>> iptables -F
>>>
>>> iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
>>> --tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
>>> iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
>>> --tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
>>>
>>> iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel
>>> --tunnel-src 10.1.2.0/24 --tunnel-dst 10.1.1.0/24 -j DROP
>>> iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel
>>> --tunnel-dst 10.1.2.0/24 --tunnel-src 10.1.1.0/24 -j DROP
>>>
>
> root@Calimero:/usr/src/linux-2.6.15/net/ipv4/netfilter# ip xfrm policy
> src 10.1.1.0/24 dst 10.1.2.0/24
>         dir in priority 2344
>         tmpl src 172.16.1.226 dst 172.16.1.247

These are the addresses you need to use for --tunnel-src/dst, not the
outer addresses. Those can be matched with -s and -d as usual.
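The mapping Patrick describes, as an added illustration (not code from the thread or from netfilter): the selector of an `ip xfrm policy` entry (src/dst) becomes -s/-d, and the template endpoints (tmpl src/dst) become --tunnel-src/--tunnel-dst. The sample policy dump is constructed, modelled on the output quoted above, and the chain/target names are assumptions.

```python
"""Translate `ip xfrm policy` entries into iptables -m policy rules."""
import re

# Constructed sample, modelled on the `ip xfrm policy` output quoted in the thread.
SAMPLE_XFRM_POLICY = """\
src 10.1.1.0/24 dst 10.1.2.0/24
    dir in priority 2344
    tmpl src 172.16.1.226 dst 172.16.1.247
        proto esp reqid 1 mode tunnel
src 10.1.2.0/24 dst 10.1.1.0/24
    dir out priority 2344
    tmpl src 172.16.1.247 dst 172.16.1.226
        proto esp reqid 1 mode tunnel
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)$")        # inner selector
DIR_RE = re.compile(r"^dir (in|out|fwd)")            # policy direction
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)$")  # tunnel endpoints
MODE_RE = re.compile(r"mode (tunnel|transport)")


def parse_xfrm_policies(text):
    """Return one dict per policy entry with selector, dir, tmpl and mode."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SEL_RE.match(line):
            cur = {"src": m.group(1), "dst": m.group(2)}
            policies.append(cur)
        elif cur is None:
            continue
        elif m := DIR_RE.match(line):
            cur["dir"] = m.group(1)
        elif m := TMPL_RE.match(line):
            cur["tunnel_src"], cur["tunnel_dst"] = m.group(1), m.group(2)
        elif m := MODE_RE.search(line):
            cur["mode"] = m.group(1)
    return policies


def policy_to_rule(p, chain="FORWARD", target="ACCEPT"):
    """Build the iptables rule matching traffic covered by policy `p`."""
    if p.get("dir") not in ("in", "out"):   # -m policy --dir takes only in/out
        return None
    mode = p.get("mode", "tunnel")
    rule = ["iptables", "-A", chain, "-s", p["src"], "-d", p["dst"],
            "-m", "policy", "--dir", p["dir"], "--pol", "ipsec", "--mode", mode]
    if mode == "tunnel" and "tunnel_src" in p:   # outer endpoints, not the subnets
        rule += ["--tunnel-src", p["tunnel_src"], "--tunnel-dst", p["tunnel_dst"]]
    return " ".join(rule + ["-j", target])
```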