problem with iptables - wrong rules?

Hi,
this is the situation:
192.168.1.7 linux firewall with eth0 on internet and eth1 on intranet
192.168.1.8 router for internal networks (192.168.4.0, 192.168.2.0, etc.)
The firewall is the main gateway of the whole network, so packets are sent to 
it and redirected to the internet or the other router (192.168.1.8).
I'd like to block connections to everything that is going to the router 
192.168.1.8 except for certain machines, thus I've defined the following 
rules:

$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.30 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.37 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.64 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.3  -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 0/0 -j DROP


but it is not working, and I can connect from other machines through 192.168.1.8. 
In the OUTPUT chain packets should already be NATted, thus my doubt is 
that the destination address is the final one (e.g., 192.168.4.100) and not 
the router one. Is there a way to lock the traffic to the router using 
iptables?

Thanks,
Luca
-- 
Luca Ferrari,
fluca1978@xxxxxxxxxxx
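Added example, not part of the original post or its rules: a small POSIX
shell script that builds the restriction as FORWARD-chain rules instead of
OUTPUT-chain rules. Packets that the firewall routes for other hosts traverse
the FORWARD chain, not OUTPUT (OUTPUT only sees packets the firewall itself
generates), and a routed packet's destination field always holds the final
host (192.168.4.100), never the next hop 192.168.1.8, so the match has to be
on the networks behind the router. The script keeps the four allowed hosts
from the post; the /24 masks for 192.168.4.0 and 192.168.2.0, the interface
name eth1 and the function names are assumptions. build_rules prints the
commands for review, apply_rules runs them, and decide walks the generated
policy in first-match order for a given source/destination pair.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the networks behind
# 192.168.1.8 are /24s and that the intranet interface is eth1.
IPTABLES="${IPTABLES:-iptables}"
INTIF="${INTIF:-eth1}"
ROUTER_NETS="192.168.4.0/24 192.168.2.0/24"            # assumed masks
ALLOWED="192.168.1.30 192.168.1.37 192.168.1.64 192.168.1.3"  # hosts from the post

# Print the rules rather than apply them, so the policy can be reviewed
# (and tested) on a machine without iptables. ACCEPT rules must precede
# the DROP for the same network, since iptables stops at the first match.
build_rules() {
    for net in $ROUTER_NETS; do
        for src in $ALLOWED; do
            printf '%s -A FORWARD -o %s -s %s -d %s -j ACCEPT\n' \
                "$IPTABLES" "$INTIF" "$src" "$net"
        done
        printf '%s -A FORWARD -o %s -d %s -j DROP\n' "$IPTABLES" "$INTIF" "$net"
    done
}

# Run each generated command (needs root and iptables on the firewall).
apply_rules() {
    build_rules | while read -r cmd; do sh -c "$cmd"; done
}

# Number of rules the policy produces: networks * (allowed hosts + 1 drop).
count_rules() { build_rules | wc -l | tr -d ' '; }

# True when $1 (a.b.c.d) lies inside $2 (a.b.c.0/24); /24 only, as assumed.
in_net() { [ "${1%.*}" = "${2%.*}" ]; }

# Simulate the first-match walk for a forwarded packet: prints ACCEPT,
# DROP, or PASS when no rule in this policy applies to the destination.
decide() {
    src=$1; dst=$2
    for net in $ROUTER_NETS; do
        if in_net "$dst" "$net"; then
            for a in $ALLOWED; do
                [ "$src" = "$a" ] && { echo ACCEPT; return 0; }
            done
            echo DROP; return 0
        fi
    done
    echo PASS
}

# Only touch the live firewall when explicitly asked: ./script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

Two things to keep in mind when using a rule set like this. First, the
firewall can only filter what is routed through it: the allowed hosts and
192.168.1.8 share the 192.168.1.0 segment, and when Linux forwards a packet
back out the interface it arrived on towards a gateway on that same network,
it sends an ICMP redirect telling the host to use 192.168.1.8 directly; set
net.ipv4.conf.eth1.send_redirects=0 on the firewall (and do not accept
redirects on the hosts) so the traffic keeps passing the FORWARD chain.
Second, a forwarded packet's destination address is never rewritten to the
next hop, which is exactly why the original -d 192.168.1.8 rules match
nothing.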