Andy Gay wrote:
> One problem I found with 2.6.16+ is if you have an iptables DROP policy
> for your INPUT chain, then you'll have to add an ACCEPT rule for
> protocol 4 (IP-in-IP). Nobody seems to know just why that is.

It is a known problem (and it is on the TODO list) to the netfilter team.