why packet get through the netfilter even if i drop all in FORWARD

why packet get through the netfilter even if i drop all in FORWARD

[Calvin]

[-- Attachment #1: Type: text/plain, Size: 645 bytes --]

Dear all,

I got a funny problem here and got no idea why it happen.
my simple network is
A
 |(eth0)
GWa
||(eth1)
||
||(eth1)
GWb
|(eth0)

I running netfilter with freeswan, I add a rule in FORWARD chain to drop all packets forward from
internal iface(eth0) to public iface(eth1).
    iptables - A FORWARD -i eth0 -i eth1 -j DROP

it works fine when , when i try to ping GWb's eth0 from machine A, it get blocked.

however once I start up the IPSEC, I do the ping again and A can ping GWb's eth0. The rule in FORWARD chain is still there.

Why does this happen? Is that anyway I can fix this?

Thanks very much
Calvin


[-- Attachment #2: Type: text/html, Size: 2075 bytes --]

Re: why packet get through the netfilter even if i drop all in FORWARD

[Julian Gomez]

On Sun, Jun 08, 2003 at 04:07:11PM +1000, Calvin spoke thusly:
>I running netfilter with freeswan, I add a rule in FORWARD chain to drop
>all packets forward from internal iface(eth0) to public iface(eth1).
>    iptables - A FORWARD -i eth0 -i eth1 -j DROP

Should that be 'iptables -A OUTPUT -i eth0 -o eth1 -j DROP' instead ?

>however once I start up the IPSEC, I do the ping again and A can ping
>GWb's eth0. The rule in FORWARD chain is still there.

iptables -A OUTPUT -p all -o eth1 -d GWb-IP-address -j DROP

>Why does this happen? Is that anyway I can fix this?

Explain your IPsec setup in detail, and then we can give you a proper
answer without guesswork.

RE: why packet get through the netfilter even if i drop all in FORWARD

[George Vieira]

[-- Attachment #1: Type: text/plain, Size: 1192 bytes --]

IPSEC usually creates a device called ipsec0.
Your rules specifically says "-i eth0 -o eth1" and doesn't say anything about ipsec0 etc.etc..
Once your tunnel comes up, the routes for the other network reroute via ipsec0 device and bypasses your forward rule.
 
-----Original Message-----
From: Calvin [mailto:calvinproject@ihug.com.au]
Sent: Sunday, June 08, 2003 4:07 PM
To: netfilter-devel-request@lists.netfilter.org; netfilter@lists.netfilter.org
Subject: why packet get through the netfilter even if i drop all in FORWARD


Dear all,
 
I got a funny problem here and got no idea why it happen.
my simple network is
A
 |(eth0)
GWa
||(eth1)
||
||(eth1)
GWb
|(eth0)
 
I running netfilter with freeswan, I add a rule in FORWARD chain to drop all packets forward from
internal iface(eth0) to public iface(eth1).
    iptables - A FORWARD -i eth0 -i eth1 -j DROP
 
it works fine when , when i try to ping GWb's eth0 from machine A, it get blocked.
 
however once I start up the IPSEC, I do the ping again and A can ping GWb's eth0. The rule in FORWARD chain is still there.
 
Why does this happen? Is that anyway I can fix this?
 
Thanks very much
Calvin
 

[-- Attachment #2: Type: text/html, Size: 3109 bytes --]