On Sun, Apr 28, 2002 at 02:42:31PM -0400, Mark Orenstein wrote:

> This past week, I started testing GRE tunneling to allow our elementary schools 
> to access some files on a high school samba server.  All the schools have cable 
> modem connections to the Internet (which is its only connectivity).  Each 
> school has addresses in the 192.168.x.y range.  Security/clear text is not an 
> issue for this need.
> 
> We currently make good use of iptables.  My question is does iptables INPUT 
> look at the tunneled packets twice, once with the ethx device and once with the 
> device created for the tunnel?  If so, is there a port number associated with 
> GRE?

Yes. Once when it comes through the physical interface. There, netfilter
would see it as an IP packet with protocol 47 (GRE). And once when the
packets come out of the GRE tunnel. Here again, netfilter would see IP
packets but the protocol part would be TCP/UDP/ICMP...

Try these rules to see the association:

$IPT -A FORWARD -i <physical-interface> -p 47 -j LOG
$IPT -A FORWARD -i <gre-interface> -j LOG

Ramin

> Mark Orenstein
> East Granby, CT School System
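
Added example, not part of the original message: a small Python parser that shows the two views described in the reply, first the outer IP packet with protocol 47 as seen on the physical interface, then the inner packet as seen on the tunnel interface. The sample packet and its addresses are constructed, and all function names are hypothetical.

```python
import socket
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    """Return (src, dst, protocol number, payload) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or total > len(pkt):
        raise ValueError("bad IPv4 length fields")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:total])

def strip_gre(gre):
    """Remove a GRE header (RFC 2784/2890) and return the inner IPv4 packet."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, ethertype = struct.unpack("!HH", gre[:4])
    if flags & 0x4007:  # routing bit or non-zero version: not handled here
        raise ValueError("unsupported GRE flags")
    if ethertype != 0x0800:
        raise ValueError("GRE payload is not IPv4")
    # Optional 4-byte fields: checksum (C), key (K), sequence number (S)
    offset = 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    return gre[offset:]

def netfilter_views(wire_pkt):
    """List what a filter sees: once on the physical side, once after decapsulation."""
    src, dst, proto, payload = parse_ipv4(wire_pkt)
    views = [("physical", src, dst, PROTO_NAMES.get(proto, str(proto)))]
    if proto == 47:  # the value matched by "-p 47" in the rules above
        src, dst, proto, _ = parse_ipv4(strip_gre(payload))
        views.append(("gre", src, dst, PROTO_NAMES.get(proto, str(proto))))
    return views

# Constructed sample: TCP between two 192.168.x.y hosts, carried in GRE
# between two documentation-range public addresses.
INNER = ipv4_header("192.168.1.10", "192.168.2.20", 6, 20) + bytes(20)
SAMPLE = (ipv4_header("198.51.100.1", "203.0.113.1", 47, 4 + len(INNER))
          + struct.pack("!HH", 0, 0x0800) + INNER)

if __name__ == "__main__":
    for view in netfilter_views(SAMPLE):
        print(view)
```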
