GRE match/accept problem (well documented :)
Harald Welte
laforge@gnumonks.org
Mon, 4 Mar 2002 09:12:54 +0100
On Mon, Mar 04, 2002 at 02:00:36AM -0500, Peter Rabbitson wrote:
> =====================
>
> Chain INPUT (policy ACCEPT 20 packets, 1680 bytes)
> pkts bytes target prot opt in out source destination
> 20 2160 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix `INPUT: '
>
> Tunnel works
>
> =====================
>
> Chain INPUT (policy DROP 20 packets, 1680 bytes)
> pkts bytes target prot opt in out source destination
> 20 2160 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix `INPUT: '
>
> Tunnel DOESN'T work (regardless of the fact that the first rule matches according
> to the counter)
Where is this configuration different from the configuration above? Either
I am blind or there is no difference.
>
> =====================
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 20 2160 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
> 20 1680 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix `INPUT: '
>
> Tunnel works
This shouldn't make any difference from the ruleset above, as you can see the
ACCEPT -p 47 rule matches the same number of packets.
However, a number of other packets are now accepted, which were dropped by
the default policy in the example #2.
So from my point of view you are running something which uses a tcp or udp
control session, but a GRE data session. And you are dropping the control
channel since you don't explicitly accept it.
What kind of GRE protocol are you talking about?
> Peter
--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
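The diagnosis in the reply above (a TCP or UDP control session hitting the DROP policy because only RELATED,ESTABLISHED is accepted, while the GRE data path matches `-p 47` in every ruleset) can be checked with a toy model of the three INPUT chains. This is an added example, not code from the thread or from netfilter: the chain evaluator and its one-line conntrack are simplified (an ACCEPTed first packet confirms the flow, a dropped one leaves every retransmission NEW), the inbound interface `eth1` and the flow ids are constructed, and the traffic sample is 20 GRE packets interleaved with 20 control-session packets.

```python
# Toy model of netfilter INPUT chain traversal plus a minimal conntrack,
# written to illustrate why ruleset #2 drops the control channel while
# rulesets #1 and #3 let the tunnel come up. Constructed data, not iptables.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str            # "gre" (IP protocol 47), "tcp" or "udp"
    flow: str             # constructed flow id used by the toy conntrack
    in_iface: str = "eth1"  # constructed: not eth0, so the LOG rule never fires


@dataclass
class Rule:
    target: str                          # ACCEPT, DROP or LOG
    proto: Optional[str] = None          # None == "all"
    states: Optional[frozenset] = None   # None == no "-m state" match
    in_iface: Optional[str] = None       # None == "*"
    pkts: int = 0                        # the pkts column of iptables -L -v

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.states is not None and state not in self.states:
            return False
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        return True


class InputChain:
    def __init__(self, policy: str, rules: list):
        self.policy = policy
        self.rules = rules
        self.policy_pkts = 0      # packets that fell through to the policy
        self.confirmed = set()    # flows whose first packet was ACCEPTed

    def state_of(self, pkt: Packet) -> str:
        # Simplified conntrack: a dropped first packet never confirms an
        # entry, so a retransmitted SYN is classified NEW again and again.
        return "ESTABLISHED" if pkt.flow in self.confirmed else "NEW"

    def verdict(self, pkt: Packet) -> str:
        state = self.state_of(pkt)
        result = None
        for rule in self.rules:
            if rule.matches(pkt, state):
                rule.pkts += 1
                if rule.target in ("ACCEPT", "DROP"):
                    result = rule.target
                    break
                # LOG is non-terminating: counted, then traversal continues
        if result is None:
            self.policy_pkts += 1
            result = self.policy
        if result == "ACCEPT":
            self.confirmed.add(pkt.flow)   # conntrack confirms the entry
        return result


def build_chain(policy: str, states) -> InputChain:
    """The three rules shared by all three chains in the thread."""
    return InputChain(policy, [
        Rule("ACCEPT", proto="gre"),                  # ACCEPT 47 -- * *
        Rule("ACCEPT", states=frozenset(states)),     # ACCEPT all ... state ...
        Rule("LOG", in_iface="eth0"),                 # LOG all -- eth0 *
    ])


def run_scenario(policy: str, states, n: int = 20) -> dict:
    """Feed n GRE data packets and n control-session packets, return counters."""
    chain = build_chain(policy, states)
    gre_ok = control_ok = 0
    for _ in range(n):
        if chain.verdict(Packet("gre", flow="gre-tunnel")) == "ACCEPT":
            gre_ok += 1
        # control channel in TCP; the peer retransmits if the packet is dropped
        if chain.verdict(Packet("tcp", flow="tcp-control")) == "ACCEPT":
            control_ok += 1
    return {
        "gre_accepted": gre_ok,
        "control_accepted": control_ok,
        "policy_hits": chain.policy_pkts,
        "state_rule_pkts": chain.rules[1].pkts,
        "log_hits": chain.rules[2].pkts,
    }


if __name__ == "__main__":
    print("#2 DROP, RELATED,ESTABLISHED:",
          run_scenario("DROP", ("RELATED", "ESTABLISHED")))
    print("#3 DROP, NEW,RELATED,ESTABLISHED:",
          run_scenario("DROP", ("NEW", "RELATED", "ESTABLISHED")))
```

Under ruleset #2 the GRE counter still climbs to 20, but every control packet is NEW, matches nothing, and lands on the DROP policy, which is exactly the symptom in the thread; adding NEW to the state rule (ruleset #3) confirms the flow on its first packet and the rest ride through as ESTABLISHED. The tighter fix the reply hints at is a dedicated ACCEPT for the control protocol and port instead of accepting all NEW traffic.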