From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: ipsec with 2.6.16-rc3-git6
Date: Fri, 17 Feb 2006 10:29:50 +0100
Message-ID: <43F5978E.8010203@trash.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
To: Marco Berizzi
Cc: netfilter-devel@lists.netfilter.org
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Marco Berizzi wrote:
> Patrick McHardy wrote:
>
>> I can't see a mistake. Can you please add a logging rule to log
>> the packets that get dropped without the ACCEPT rule?
>
> Sure! Here is:
>
> root@Halley:/tmp# iptables -D INPUT -s venezia-gateway -j ACCEPT
>
> [started ping from a venezia private host ----> to firenze private host]
>
> root@Halley:/tmp# iptables -I INPUT -s venezia-gateway -j LOG
> --log-level debug --log-ip-options
>
> IN=eth0 OUT= MAC=00:90:27:74:66:4c:00:0c:ce:93:65:ce:08:00
> SRC=venezia-gateway DST=firenze-gateway LEN=112 TOS=0x00 PREC=0x00
> TTL=53 ID=45921 PROTO=ESP SPI=0x583f3ff9
> IN=eth0 OUT= MAC=00:90:27:74:66:4c:00:0c:ce:93:65:ce:08:00
> SRC=venezia-gateway DST=firenze-gateway LEN=80 TOS=0x00 PREC=0x00 TTL=53
> ID=45921 PROTO=4

That's odd, these packets should be caught by your ESP rule, so I guess
they must be dropped by another rule. Please post your full ruleset
with iptables -vxnL.
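The two LOG records Marco quoted are easy to misread when a mail client wraps them: both carry ID=45921 from the same source and destination, but the first is PROTO=ESP and the second is PROTO=4 (IP-in-IP, the IANA number the LOG target prints for protocols it has no name for). A rule that matches only ESP does not match protocol 4, so before reading a full `iptables -vxnL` dump it helps to know every protocol the peer actually sends. The script below is an added example, not part of this thread; it re-joins wrapped LOG output, parses the key=value records, groups them by IP identification field and lists the protocols seen from a peer. The sample input is the two records from the mail, with the hostnames standing in for addresses exactly as posted.

```python
"""Parse iptables LOG target output and pair up records that describe the
same IP packet seen more than once in a chain (for example before and
after IPsec processing)."""
import re
from collections import OrderedDict

# Constructed sample input: the two records quoted in the thread, kept in
# the wrapped form the mail client produced (hostnames stand in for IPs).
SAMPLE_LOG = """\
IN=eth0 OUT= MAC=00:90:27:74:66:4c:00:0c:ce:93:65:ce:08:00
SRC=venezia-gateway DST=firenze-gateway LEN=112 TOS=0x00 PREC=0x00
TTL=53 ID=45921 PROTO=ESP SPI=0x583f3ff9
IN=eth0 OUT= MAC=00:90:27:74:66:4c:00:0c:ce:93:65:ce:08:00
SRC=venezia-gateway DST=firenze-gateway LEN=80 TOS=0x00 PREC=0x00 TTL=53
ID=45921 PROTO=4
"""

# The LOG target prints well-known protocols by name and the rest by
# number; map the numeric ones back to IANA names for readability.
PROTO_NAMES = {"4": "IPIP", "41": "IPv6", "47": "GRE", "50": "ESP", "51": "AH"}

_KV = re.compile(r"(\w+)=(\S*)")


def join_wrapped(text):
    """Re-join LOG records that were wrapped across lines: every record
    starts with 'IN=', so any other line continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("IN=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(record):
    """Turn one 'KEY=value KEY=value ...' record into an ordered dict."""
    fields = OrderedDict((k, v) for k, v in _KV.findall(record))
    proto = fields.get("PROTO", "")
    fields["PROTO"] = PROTO_NAMES.get(proto, proto)
    return fields


def group_by_packet(records):
    """Group records by (SRC, DST, ID); the IP identification field is
    the easiest handle for spotting one packet logged several times."""
    groups = OrderedDict()
    for rec in map(parse_record, records):
        key = (rec.get("SRC"), rec.get("DST"), rec.get("ID"))
        groups.setdefault(key, []).append(rec)
    return groups


def find_reinjected(records):
    """Return (src, dst, id, [protocols]) for packets that were logged
    more than once under different protocols, e.g. ESP and then IPIP."""
    out = []
    for (src, dst, ident), recs in group_by_packet(records).items():
        protos = [r["PROTO"] for r in recs]
        if len(recs) > 1 and len(set(protos)) > 1:
            out.append((src, dst, ident, protos))
    return out


def protocols_from_peer(records, peer):
    """All IP protocols seen arriving from `peer`; a ruleset that accepts
    by protocol needs a rule for each of them."""
    return sorted({r["PROTO"] for r in map(parse_record, records)
                   if r.get("SRC") == peer})


if __name__ == "__main__":
    recs = join_wrapped(SAMPLE_LOG)
    for src, dst, ident, protos in find_reinjected(recs):
        print(f"{src} -> {dst} ID={ident} logged as {' then '.join(protos)}")
    print("protocols from venezia-gateway:",
          protocols_from_peer(recs, "venezia-gateway"))
```

Run against the sample it reports the single packet ID 45921 logged as ESP and then IPIP, and lists both protocols as arriving from venezia-gateway; on a real box, feed it `dmesg` or the syslog file the `--log-level debug` rule writes to.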