<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div>Jerome,</div><div>If you filter the input table, then the packet is still in the encapsulated state. You're looking and the tunnel addresses.</div><div><br></div><div>You can filter on the forwarding table, on the tunnel between linux and jnos. At that point, the packet has been decapsulated and the original IP is the source address.</div><div><br></div><div>Michael</div><div>N6MEF</div><div><br></div><div><br></div><div><br></div><div id="composer_signature"><div style="font-size:85%;color:#575757">Sent from my Verizon Wireless 4G LTE smartphone</div></div><div style="font-size:100%;text-align:left;color:#000000">-------- Original message --------<br>From: jerome schatten <romers@shaw.ca> <br>Date: 07/24/2015 9:06 AM (GMT-08:00) <br>To: nos-bbs <nos-bbs@tapr.org> <br>Subject: [nos-bbs] iptables and jnos question <br><br></div>Hi...<br><br>I have been trying to construct a firewall rule to filter on the 44 <br>address of an ipip encapsulated packet rather than the 'carrier <br>address'. I've tried all sorts of variations of:<br><br>iptables -A FORWARD -i tun0 -s 44.x.x.x -j DROP<br><br>at the beginning of the forward chain with no success. I'm beginning to <br>get the feeling that it is may not possible to filter on the <br>encapsulated ip.<br><br>Thanks for any suggestions,<br>jerome - ve7ass<br><br><br>_______________________________________________<br>nos-bbs mailing list<br>nos-bbs@tapr.org<br>http://www.tapr.org/mailman/listinfo/nos-bbs<br></body></html>