Hi,
yes you definitely have to.
There's a trick since when you, as an example, tunnel port http 80, your Linux box will first see an ESP packet; then your vpn software will decrypt traffic, and the Linux box will see an incoming http packet. Best way to see what's happening is to play a bit with ethereal.
Thus, so as to allow http incoming through vpn, you need both
Code:
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
But the second line is quite uncool!! So here's the trick:
Code:
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -t mangle -I INPUT -p esp -j MARK --set-mark 1
iptables -I FORWARD -m mark --mark 1 -j ACCEPT
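The ESP-plus-mark ruleset from the post, as an added example that is not the poster's own script: it wraps the rules in a function with the interface and mark value as parameters, runs in dry-run mode by default (printing the commands instead of applying them), and also accepts marked traffic in INPUT, not only FORWARD, so the box itself is reachable through the tunnel. The second function is an assumption not taken from the post: it uses the standard iptables `policy` match to accept decapsulated IPsec packets directly, without a mark.

```shell
#!/bin/sh
# Added example, not from the original post. Set IPT=iptables (as root)
# to apply the rules for real; by default the commands are only printed.
IPT="${IPT:-echo iptables}"

# ipsec_rules IFACE MARK
# Mark variant from the post: the outer ESP packet gets a mark in the
# mangle table, the decrypted inner packet keeps that mark, and anything
# carrying the mark is accepted, so no per-port rule (--dport 80) is
# needed on the outside interface.
ipsec_rules() {
    iface="$1"; mark="$2"
    # 1. let the encrypted ESP packets reach the kernel's IPsec stack
    $IPT -A INPUT -i "$iface" -p esp -j ACCEPT
    # 2. tag them before filtering; mangle INPUT runs before filter INPUT
    $IPT -t mangle -I INPUT -i "$iface" -p esp -j MARK --set-mark "$mark"
    # 3. accept the decrypted, still-marked packets, local and forwarded
    $IPT -I INPUT -m mark --mark "$mark" -j ACCEPT
    $IPT -I FORWARD -m mark --mark "$mark" -j ACCEPT
}

# ipsec_rules_policy IFACE
# Alternative (assumption, not from the post): the xt_policy match
# identifies packets that were just decapsulated from an ESP tunnel.
ipsec_rules_policy() {
    iface="$1"
    $IPT -A INPUT -i "$iface" -p esp -j ACCEPT
    $IPT -I INPUT -i "$iface" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPT -I FORWARD -i "$iface" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
}

# Dry run on eth0 with mark 1; check with `iptables -t mangle -L -v` and
# `iptables -L -v` afterwards that the ESP and mark counters increase.
ipsec_rules eth0 1
```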