I'm using IPSEC in tunnel mode.
How do I make an iptables rule that will match only packets which arrived via the IPSEC tunnel (i.e. after IPSEC decrypted them - not the IPSEC packets when they arrive and before decryption)?
The point is to have a certain port which will be accessible only via IPSEC and inaccessible to the rest of the world.
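
One way to express this restriction, as an added example that is not part of the original post: iptables' `policy` match (`-m policy`) tests whether a packet was decapsulated by IPsec, so a port can be accepted only for tunnel traffic and dropped otherwise. The function name `ipsec_only_rules`, the use of TCP, the `INPUT` chain and the sample port 8443 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: emit iptables-restore rules that expose one TCP port only
# to traffic that arrived through an IPsec tunnel.
# Assumptions (not from the original post): TCP service, INPUT chain of the
# filter table, port number passed as the first argument.

ipsec_only_rules() {
    port="$1"
    # Refuse anything that is not a plain port number.
    case "$port" in
        ''|*[!0-9]*) echo "usage: ipsec_only_rules PORT" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi

    cat <<EOF
*filter
# "--pol ipsec" is true only for packets the kernel has already
# decapsulated with an IPsec SA. The outer ESP packet is IP protocol 50
# (or UDP 4500 with NAT-T), so it cannot match "--dport $port" at all.
-A INPUT -p tcp --dport $port -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
# The same port reached in the clear, from anywhere: drop.
-A INPUT -p tcp --dport $port -j DROP
COMMIT
EOF
}

# Constructed sample port; prints the ruleset for review.
ipsec_only_rules 8443
```

The output can be reviewed and then loaded with `iptables-restore --noflush`. Because the rules are appended, an earlier `INPUT` rule that already accepts the port would still take precedence and has to be removed or reordered.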