Since 2.6.16 it's been necessary to add an ACCEPT rule for IPIP (protocol 4) in the INPUT chain, otherwise IPsec tunnel mode packets get dropped (if your INPUT policy is DROP).
I was wondering if that's the intended behavior. I did google around for this; I found a few reports of the same thing but no explanation. For example, Patrick discusses this in http://lists.netfilter.org/pipermail/netfilter-devel/2006-February/023420.html but that thread seems to end inconclusively.

-
To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
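As an added example (not part of the original message or of any kernel or netfilter code), the script below builds the INPUT rules an IPsec gateway with a DROP policy needs, including the protocol 4 (IPIP) rule the message describes. Instead of a blanket `-p 4 -j ACCEPT`, which would also admit plain unencrypted IPIP from any source, it uses the iptables `policy` match so that IPIP is accepted only when the packet came out of an IPsec tunnel-mode SA, and it logs any other protocol-4 packet that reaches the end of the chain so the drop is visible. The `policy` match (xt_policy) is assumed to be available in the running kernel and iptables build; `DRY_RUN` and the function names are this example's own.

```shell
#!/bin/sh
# Added example: INPUT rules for an IPsec gateway whose INPUT policy is DROP.
# Assumes the iptables "policy" match (xt_policy) is available.

# Run iptables, or just print the command when DRY_RUN=1 so the ruleset can be
# reviewed (and self-tested) on a host without iptables or root.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Traffic for the tunnel itself: IKE negotiation and the ESP packets.
ipsec_control_rules() {
    ipt -A INPUT -p udp --dport 500 -j ACCEPT    # IKE
    ipt -A INPUT -p udp --dport 4500 -j ACCEPT   # IKE / ESP over UDP (NAT-T)
    ipt -A INPUT -p esp -j ACCEPT                # ESP
}

# The rule this thread is about. Accept protocol 4 only when the policy match
# confirms the packet was decapsulated from an inbound IPsec tunnel-mode SA;
# raw IPIP that never went through IPsec does not match and falls through.
ipsec_ipip_rule() {
    ipt -A INPUT -p 4 -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
}

# Detection: log any remaining protocol-4 packet before the DROP policy eats it,
# so a silently failing tunnel shows up in the kernel log instead of vanishing.
ipsec_ipip_log_rule() {
    ipt -A INPUT -p 4 -j LOG --log-prefix "ipip-drop: "
}

# Complete rule set, in the order it should be installed.
ipsec_input_rules() {
    ipsec_control_rules
    ipsec_ipip_rule
    ipsec_ipip_log_rule
}

# Number of rules the set emits (handy for a quick sanity check in DRY_RUN mode).
ipsec_rule_count() {
    DRY_RUN=1 ipsec_input_rules | grep -c ''
}

# Usage:  DRY_RUN=1 sh ipsec-input.sh apply   (print the rules for review)
#         sh ipsec-input.sh apply             (install them, as root)
if [ "${1:-}" = "apply" ]; then
    ipsec_input_rules
fi
```

Run with `DRY_RUN=1` first and diff the printed commands against what you expect; the `--mode tunnel` restriction is the part that distinguishes IPsec-decapsulated IPIP from IPIP that merely happens to share the protocol number.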