Hi netfilter users,

I have a doubt/problem with this since kernel 2.2. Suppose you have a box with two interfaces, for example eth0=192.168.1.0/24 and eth1=192.168.2.0/24, and the box addresses are 192.168.1.1 and 192.168.2.1 respectively. The machine is a firewall and has ip_forward activated. If you ping 192.168.2.1 from a machine connected to eth0, say 192.168.1.5, you get an answer, which is normal because of the forwarding.

Now let's block the FORWARD chain, say with iptables -P FORWARD DROP and no rules in the chain. I'd expect not to get any answers to the ping above, because the echo-requests are arriving on one interface and are destined to the other, so they should go through the FORWARD chain, which is blocked. However, I still get the normal echo-replies... This means that the kernel sees the address is local and doesn't route them through the FORWARD chain.

I'd like to know if this is expected or an unwanted side-effect. For me it's annoying because I use SNAT and I don't want the internal address (192.168.2.1 in this example) to be visible from outside. I also find it conceptually strange. Is there a way to avoid this without filtering these packets at the INPUT chain?
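An added illustration (not part of the original post) of the path the poster describes: a small model of the routing decision that sends packets for any local address to INPUT, whatever interface they arrived on, so a FORWARD policy never sees them, and of the interface-scoped INPUT rule that does catch them. Topology, rule format and packet fields are constructed for this example.

```python
import ipaddress

# Constructed topology from the post: one address per interface on the firewall.
LOCAL_ADDRS = {"eth0": ipaddress.ip_address("192.168.1.1"),
               "eth1": ipaddress.ip_address("192.168.2.1")}

def select_chain(dst):
    """Model of the routing decision: a packet whose destination is ANY local
    address is delivered locally and traverses INPUT; everything else goes to
    FORWARD. The arrival interface is not consulted (Linux weak host model),
    which is why 192.168.2.1 answers when reached from eth0."""
    return "INPUT" if ipaddress.ip_address(dst) in LOCAL_ADDRS.values() else "FORWARD"

def first_match(rules, policy, pkt):
    """iptables semantics: first matching rule wins, else the chain policy."""
    for rule in rules:
        if all(pkt.get(k) == v for k, v in rule["match"].items()):
            return rule["target"]
    return policy

def filter_packet(chains, pkt):
    """Return (chain traversed, verdict) for a packet on this firewall."""
    chain = select_chain(pkt["dst"])
    rules, policy = chains[chain]
    return chain, first_match(rules, policy, pkt)

# Ruleset from the post: FORWARD policy DROP, INPUT left open.
FORWARD_DROP_ONLY = {"INPUT": ([], "ACCEPT"), "FORWARD": ([], "DROP")}

# Mitigation: packets for the eth1-side address must not arrive via eth0,
# i.e. the equivalent of: iptables -A INPUT -i eth0 -d 192.168.2.1 -j DROP
WITH_INPUT_RULE = {
    "INPUT": ([{"match": {"in_iface": "eth0", "dst": "192.168.2.1"},
                "target": "DROP"}], "ACCEPT"),
    "FORWARD": ([], "DROP"),
}

# Constructed packets: echo-request from the poster's host to the far-side
# firewall address, and a genuinely forwarded packet to a host behind eth1.
PING_LOCAL = {"in_iface": "eth0", "src": "192.168.1.5", "dst": "192.168.2.1"}
PING_BEHIND = {"in_iface": "eth0", "src": "192.168.1.5", "dst": "192.168.2.7"}

if __name__ == "__main__":
    for name, chains in (("FORWARD DROP only", FORWARD_DROP_ONLY),
                         ("with INPUT rule", WITH_INPUT_RULE)):
        print(name, filter_packet(chains, PING_LOCAL), filter_packet(chains, PING_BEHIND))
```

Running it shows the locally-addressed ping taking INPUT/ACCEPT under the first ruleset and INPUT/DROP under the second, while the packet for 192.168.2.7 is dropped by FORWARD in both.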