GRE over IPsec -- filtering raw GRE packets?

GRE over IPsec -- filtering raw GRE packets?

[abhijit]

hi,

i have a simple GRE/IPsec config between two hosts (2.6.32 kernel,
iptables ver1.3.5). i have a GRE tunnel setup between the hosts and
have IPsec auth+encrypt the GRE traffic (only) in transport mode.

i'd like to ensure that no unecrypted GRE packets are sent (and
accepted) over the physical network. only IPsec encapsulated ones
should be. i.e. no GRE pkts should be ever seen on the physical wire
(outgoing).

my filter table chains look like this:
----------
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source
  destination
1        2   328 ACCEPT     ah   --  eth0   *       0.0.0.0/0
  0.0.0.0/0
....

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source
  destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0
  0.0.0.0/0           reject-with icmp-port-unreachable
...

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source
  destination
1        0     0 ACCEPT     ah   --  *      eth0    0.0.0.0/0
  0.0.0.0/0
....
-----------

the above configuration, does NOT work (i thought it would ;-).

it only works when i open up protocol 47 (gre) on eth0 (both on INPUT
and OUTPUT chain). but that may cause naked GRE pkts to be sent out on
eth0 (due to some mis-configuration with IPsec or something else).

is there a way i can prevent this from happening via iptables?

and secondly, i am bit confused on the input+output path taken by GRE
packets. can someone please outline that path (w.r.t iptables). it
seems with GRE/IPsec config, the packet makes two passes over the
netdevice (as my packet counters tell me). i was expecting just one
pass (and hence my initial (above listed) config -- which did not work
:-)

thanks!
abhijit


ps: i am not subscribed to this list. please do Cc: me the replies -- thanks!