Next :)

>You could always try that very same diagnosing ipchains rule in your
>forward chain, i.e. "ipchains -A forward -j DENY -l". Then you'll see
>that the de-masqueraded packet is denied passing through the forward
>chain. (At least that's my guess....)

I did. I understand the deny chain now - it was my mistake.

In the forward chain, I added the deny chain:

ipchains -A input -i eth2 -j DENY -l

But no packets arrive there. I'll write it down, the short version:

Chain input (policy ACCEPT):
target     prot opt     source           destination   ports
-          icmp ------  192.168.0.0/24   anywhere      any -> any
Chain forward (policy ACCEPT):
target     prot opt     source           destination   ports
MASQ       all  ------  192.168.0.0/24   anywhere      n/a
DENY       all  ----l-  anywhere         anywhere      n/a
Chain output (policy ACCEPT):

So the default policy is accept. With a ping of 4 tries, the forward -
MASQ chain added 4 packets and the icmp mark chain also added 4 packets.
But none in the DENY chain.

The same with the deny chain in the input chain:

ipchains -A forward -j DENY -l

Chain input (policy ACCEPT):
target     prot opt     source           destination   ports
-          icmp ------  192.168.0.0/24   anywhere      any -> any
DENY       all  ----l-  anywhere         anywhere      n/a
Chain forward (policy ACCEPT):
target     prot opt     source           destination   ports
MASQ       all  ------  192.168.0.0/24   anywhere      n/a
Chain output (policy ACCEPT):

There, with the same ping, 4 packets were added in the MASQ, in the icmp
_and_ in the input deny chain.

Hmm, if I am not doing anything wrong, the packets get lost after the input
and before the forward chain. What do you think?

Now it is time to go to bed, it's 11:30pm here. I am at home tomorrow at
5pm CET (hope so) and will try again until it works; the next day is free
for me, so I have the whole night tomorrow.

Marco

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/