GRE match/accept problem (well documented :)
Peter Rabbitson
rabbit@rabbit.online.bg
Mon, 4 Mar 2002 02:00:36 -0500
Hi again. I wrote about this problem several days ago; the proposed solution didn't work, so I decided to go deeper. What follows are different configurations of the INPUT chain and the final result. I don't even know if this is a misconfiguration or a bug, because this is pretty new to me (GRE tunneling). Any suggestions will be highly appreciated.
=====================
Chain INPUT (policy ACCEPT 20 packets, 1680 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix `INPUT: '
Tunnel works
=====================
Chain INPUT (policy DROP 20 packets, 1680 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix `INPUT: '
Tunnel DOESN'T work (regardless of the fact that the first rule matches according to the counter)
=====================
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
   20  1680 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix `INPUT: '
Tunnel works
=====================
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix `INPUT: '
   20  1680 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Tunnel DOESN'T work
=====================
I think this should give you an idea. Of course this is not my regular firewall; I stripped it down for testing purposes. In general my goal is to make things work using the second configuration:
-P DROP; -p 47 -j ACCEPT; -m state --state ESTABLISHED,RELATED -j ACCEPT
I am using kernel 2.4.18 (same behavior on .17) with iptables 1.2.5. All netfilter code is compiled monolithically into the kernel (which eliminates the possibility of a missing module or something like that). In all the examples above, the FORWARD and OUTPUT chain counters don't show any dropped packets. Also, I can't really explain the byte difference between the "-p 47" and "-p all" rules. If anyone is interested in further investigation of this problem I can supply any information like kernel configurations, debug output etc. (I don't want to flood the mailing list :)
Best regards
Peter
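The byte difference Peter cannot explain is recoverable from the counters themselves, and it is the key to the whole thread. What follows is an added example, not part of the original post or anyone's reply to it: a parser for the `iptables -nvL` dumps above that computes bytes per packet for every rule and for the chain policy. In each dump the `-p 47` rule saw 20 packets of 108 bytes, and some later counter (the DROP policy, the NEW-state ACCEPT, or the trailing DROP) saw 20 packets of 84 bytes: 24 bytes less each, exactly one IPv4 header (20) plus one minimal GRE header (4). The reading encoded in the script is an inference from those counters, not something the post states: the decapsulated inner packets are handed back to the stack on the GRE tunnel device and traverse INPUT a second time, where conntrack sees them as NEW and the DROP policy eats them; the `-i eth0` LOG rule staying at 0 fits, since the second copy did not arrive on eth0. The tunnel device name `gre1` in the suggested ruleset is an assumption, and the two embedded dumps are copied from the post.

```python
"""Account for the 2160-vs-1680 byte difference in the INPUT counters above.

Added example, not from the original post.  108 - 84 = 24 = IPv4 header (20)
+ minimal GRE header (4): the same 20 packets, seen again after decapsulation.
The inference (not the post's words): ip_gre re-injects the inner packets on
the tunnel device, they traverse INPUT again as NEW and hit the DROP policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

IPV4_HDR = 20  # outer IPv4 header, no options
GRE_HDR = 4    # GRE header with no checksum/key/sequence fields

_CHAIN_RE = re.compile(r"Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Counter:
    name: str     # "rule N <target>" or "policy <target>"
    proto: str    # "47", "all", ...
    in_if: str    # "-i" match ("*" = any; also "*" for the policy)
    pkts: int
    nbytes: int
    match: str    # trailing match text, e.g. "state RELATED,ESTABLISHED"

    @property
    def bytes_per_pkt(self) -> Optional[float]:
        return self.nbytes / self.pkts if self.pkts else None


def parse_chain(dump: str) -> List[Counter]:
    """Parse one `iptables -nvL` chain dump; the policy counter comes last."""
    rules: List[Counter] = []
    policy: Optional[Counter] = None
    for line in dump.strip().splitlines():
        m = _CHAIN_RE.match(line.strip())
        if m:
            _chain, target, pkts, nbytes = m.groups()
            policy = Counter(f"policy {target}", "all", "*", int(pkts), int(nbytes), "")
            continue
        m = _RULE_RE.match(line)  # the 'pkts bytes target ...' header line does not match
        if m:
            pkts, nbytes, target, proto, _opt, in_if, _out, _src, _dst, match = m.groups()
            rules.append(Counter(f"rule {len(rules) + 1} {target}", proto, in_if,
                                 int(pkts), int(nbytes), match.strip()))
    if policy is None:
        raise ValueError("no 'Chain ... (policy ...)' header in dump")
    return rules + [policy]


def diagnose(dump: str) -> dict:
    """Find the GRE rule, then any counter that saw the same packets 24 bytes lighter."""
    counters = parse_chain(dump)
    gre = next((c for c in counters if c.proto == "47" and c.pkts), None)
    if gre is None:
        return {"gre_pkts": 0, "reinjected": False}
    result = {
        "gre_pkts": gre.pkts,
        "outer_bytes_per_pkt": gre.bytes_per_pkt,
        # hits on eth0-only rules: 0 means the second copy did not come in on eth0
        "eth0_rule_hits": sum(c.pkts for c in counters if c.in_if == "eth0"),
        "reinjected": False,
    }
    for c in counters:
        if c is gre or c.pkts != gre.pkts:
            continue
        if gre.bytes_per_pkt - c.bytes_per_pkt == IPV4_HDR + GRE_HDR:
            result.update(reinjected=True, inner_bytes_per_pkt=c.bytes_per_pkt,
                          inner_matched_by=c.name, inner_accepted=c.name.endswith("ACCEPT"))
            break
    return result


def tunnel_input_rules(tunnel_if: str = "gre1") -> List[str]:
    """Ruleset this reading leads to, as iptables commands (returned, not run).

    `tunnel_if` is an assumed name; use whatever `ip tunnel add ... mode gre`
    created (ip_gre's built-in device is gre0).
    """
    return [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -p 47 -j ACCEPT",                 # outer GRE packets
        f"iptables -A INPUT -i {tunnel_if} -j ACCEPT",       # decapsulated inner packets
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -i eth0 -j LOG --log-prefix 'INPUT: '",
    ]


# Second and third dumps from the post, verbatim.
DUMP_POLICY_DROP = """\
Chain INPUT (policy DROP 20 packets, 1680 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix `INPUT: '
"""
DUMP_NEW_ACCEPTED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2160 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
   20  1680 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix `INPUT: '
"""

if __name__ == "__main__":
    for label, dump in (("policy DROP", DUMP_POLICY_DROP), ("NEW accepted", DUMP_NEW_ACCEPTED)):
        print(label, diagnose(dump))
    print("\n".join(tunnel_input_rules()))
```

The 84-byte inner packets are the size of a default `ping` (20 IPv4 + 8 ICMP + 56 data), which is consistent with a tunnel being tested by pinging across it. Accepting `-i <tunnel device>` is the minimal change that keeps the DROP policy; in a real ruleset you would also pin the `-p 47` rule to the tunnel peer with `-s`, since GRE has no authentication of its own and an open `-p 47 -j ACCEPT` lets anyone feed encapsulated packets to the host.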