I'm using IPSEC in a tunnel mode.
How to make an iptables rule that will match only packets which arrived via IPSEC tunnel (i.e. after IPSEC decrypted them - not the IPSEC packets when they arrive and before decryption).
The point is to have a certain port which will be accessible only via IPSEC and inaccessible to the rest of the world.
You need to use the policy module, and specify the ipsec policy, to match this traffic. The following rule, for example, allows all inbound traffic to tcp port 12345. Don't forget that rule order is important in iptables, and that you may need to allow the return-half packets as well, depending on your current OUTPUT restrictions.
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 12345 -j ACCEPT
