# Upgrade from linux-3.0.76 to 3.2.63 changes iptables logic

## alex6z

I have a local interface, eth2 which is connected to the Internet. I have a tunnel called tunY which generates GRE packets that go out eth2.

I have an iptables rule that prevents certain UID ranges from sending packets out eth2 to the local network. But these UIDs can use tunY to get Internet access.

The problem is that after upgrading to 3.2.63, the iptables rule is now matching on packets generated by tunY that were sent out by those restricted UIDs.

Here are some rules:

```
Chain OUTPUT (policy ACCEPT 1445M packets, 629G bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REJECT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner UID match 1001-65535 reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            owner UID match 1001-65535 reject-with icmp-port-unreachable
 9842  853K REJECT     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            owner UID match 1001-65535 reject-with icmp-port-unreachable
```

That last one will match packets from a matching UID going out of tunY when the kernel is 3.2.63.

Is this a bug or normal behavior?

Maybe I could do a -j ACCEPT rule on tunY to make it not match anymore?

----------

## Ant P.

You have the right idea at the end there, though whitelisting would be a bit more secure than blacklisting, e.g.:

```
-N tunnelonly
-A OUTPUT -m owner --uid-owner 1001-65535 -j tunnelonly
-A tunnelonly -o lo -j RETURN
-A tunnelonly -o tunY -j RETURN
-A tunnelonly -j REJECT
```

That way, you don't have to worry if new ethX devices show up or the current ones get renamed.

----------

## alex6z

Thanks for your help.

Actually this didn't fix the problem of the packets going through the firewall twice, where the second time they get scanned is after being generated as GRE packets with the UID/GID values still attached to them somehow. So I just added this rule to make sure they get through:

```
iptables -I tunnelonly 1 -p gre -j RETURN
```

----------
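As an added example (not code from the thread or from either poster): a POSIX shell script that emits the whitelist chain from Ant P.'s answer together with the RETURN for encapsulated GRE packets that alex6z ended up needing, in iptables-restore format, so the ruleset can be generated and sanity-checked without touching a live firewall. The device names, the UID range, and the peer address 198.51.100.1 are assumptions (placeholders set through the environment). It also goes one step beyond the thread's `-p gre -j RETURN` by matching the tunnel peer address and the uplink interface, so that the exemption covers only the tunnel's own GRE traffic rather than any GRE packet a restricted UID could craft.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore
# ruleset for the whitelist chain Ant P. described, plus a RETURN for the
# encapsulated GRE packets that alex6z found re-entering OUTPUT.
# All values below are hypothetical placeholders; override them via the
# environment before running.
TUN_IF="${TUN_IF:-tunY}"              # tunnel device restricted UIDs may use
GRE_PEER="${GRE_PEER:-198.51.100.1}"  # assumed remote GRE endpoint (placeholder)
OUT_IF="${OUT_IF:-eth2}"              # uplink that carries the GRE packets
UID_RANGE="${UID_RANGE:-1001-65535}"  # restricted UID range from the thread

# Print the filter-table ruleset. Lines starting with '#' are ignored by
# iptables-restore. First match wins, so every RETURN precedes the REJECT.
gen_ruleset() {
    cat <<EOF
*filter
:tunnelonly - [0:0]
-A OUTPUT -m owner --uid-owner $UID_RANGE -j tunnelonly
-A tunnelonly -o lo -j RETURN
-A tunnelonly -o $TUN_IF -j RETURN
# The encapsulated copy of a tunnel packet still carries the socket owner,
# so it traverses OUTPUT a second time as a GRE packet leaving $OUT_IF.
# Matching the peer address keeps this narrower than a bare '-p gre'.
-A tunnelonly -o $OUT_IF -p gre -d $GRE_PEER -j RETURN
-A tunnelonly -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Sanity check: no RETURN in tunnelonly may come after the REJECT, or it
# would never be reached. Exit status 0 means the order is correct.
check_order() {
    gen_ruleset | awk '
        /^-A tunnelonly / && / -j REJECT/ { seen_reject = 1; next }
        /^-A tunnelonly / && / -j RETURN/ && seen_reject { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Apply with:   gen_ruleset | iptables-restore -n
# -n keeps the rules already loaded. Check first with
#   iptables -C OUTPUT -m owner --uid-owner 1001-65535 -j tunnelonly
# so that re-running the script does not append the OUTPUT jump twice.
```

After loading, run something as a restricted UID and read `iptables -nvL tunnelonly`: the counters on the `-o tunY` and `-p gre` RETURN rules should climb while the final REJECT stays flat. If the REJECT counter still moves, inspect the dropped packets (for example with a LOG rule inserted just before the REJECT) rather than widening the exemption.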

