Hi, I'm trying to get a firewall working with iptables. My internal network uses real IP numbers, not private address ranges. I need to do this as I need to allow another network access to multiple machines, all ports, on my network at times. I am using Firestarter, or at least started off with it, and I am modifying the rules and using Firestarter as a monitor.

My problem is (and I was somewhat surprised by it) that enabling NAT with Firestarter works OK, but, because I am using real IP numbers and have a smart router, machines on the Internet side of my firewall could still ping, etc., machines on the internal side of the firewall, as they have real IP addresses... which sort of makes sense as ip_forward is enabled, though I thought I would need a static route to actually forward things... not sure. I'm using Red Hat 8.0; my older system uses Red Hat 6.2 and it doesn't do this.

So, after poking around and trying to stop this, I finally seem to have found the place to stop this happening, in the PREROUTING chain. I have done:

iptables -t nat -I PREROUTING -d 193.243.232.0/26 -j LOG
iptables -t nat -I PREROUTING -d 193.243.232.0/26 -j DROP

The first bit works, but the second bit doesn't... machines on the Internet side of the firewall can't see internal network machines; however, if you do try and ping one of them, nothing goes in the logs. I've read the NAT HOWTO and a few other docs, but I can't see any reason why this would be. I would like to monitor this for scans and stuff. Can anyone enlighten me, or point me to docs that would? And as usual, if I am doing this completely wrong, I'm certainly open to any comments on how it should be done.

Thanks,
Bill
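Added example (editor's illustration, not part of Bill's post): the two commands above both use -I, and -I inserts at the top of the chain, so the DROP rule inserted second ends up above the LOG rule and is matched first; LOG is never reached. The POSIX shell script below models that ordering with a toy chain (the ipt, walk and in_cidr helpers are hypothetical simulations written for this example, not iptables itself; the 193.243.232.0/26 block is the one from the post, and the probe addresses are constructed). It shows the posted order, the same two rules appended with -A, and a packet outside the /26 that matches nothing.

```shell
#!/bin/sh
# Toy model of an iptables chain: one rule per line, "DST_CIDR TARGET".
# ipt -I prepends (like iptables -I), ipt -A appends (like iptables -A).
chain=""
nl='
'

ipt() {
    # $1 = -I or -A, $2 = destination CIDR, $3 = target
    printf 'iptables -t nat %s PREROUTING -d %s -j %s\n' "$1" "$2" "$3" >&2
    rule="$2 $3"
    case $1 in
        -I) chain="$rule${chain:+$nl$chain}" ;;
        -A) chain="${chain:+$chain$nl}$rule" ;;
        *)  echo "unknown mode $1" >&2; return 1 ;;
    esac
}

ip2int() {
    # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # $1 = address, $2 = network/prefix; true if the address is inside
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

walk() {
    # Walk the chain top to bottom for a packet to $1 and print the targets
    # that fire.  LOG is non-terminating, so the walk continues past it;
    # DROP/ACCEPT/REJECT end the walk, exactly as in a real chain.
    printf '%s\n' "$chain" | {
        fired=""
        while read -r cidr target; do
            [ -n "$cidr" ] || continue
            if in_cidr "$1" "$cidr"; then
                fired="${fired:+$fired }$target"
                case $target in DROP|ACCEPT|REJECT) break ;; esac
            fi
        done
        printf '%s\n' "$fired"
    }
}

# The order from the post: two -I calls.  The DROP lands above the LOG.
posted_order() {
    chain=""
    ipt -I 193.243.232.0/26 LOG
    ipt -I 193.243.232.0/26 DROP
    walk 193.243.232.5
}

# Appending (or "-I PREROUTING 2" for the DROP) keeps LOG above DROP.
appended_order() {
    chain=""
    ipt -A 193.243.232.0/26 LOG
    ipt -A 193.243.232.0/26 DROP
    walk 193.243.232.5
}

# 193.243.232.100 is outside the /26 (which ends at .63): nothing matches.
outside_subnet() {
    chain=""
    ipt -A 193.243.232.0/26 LOG
    ipt -A 193.243.232.0/26 DROP
    walk 193.243.232.100
}

echo "posted order fires:   $(posted_order 2>/dev/null)"
echo "appended order fires: $(appended_order 2>/dev/null)"
echo "outside /26 fires:    '$(outside_subnet 2>/dev/null)'"
```

Two caveats worth checking before relying on this in the nat table: `iptables -t nat -L PREROUTING -n --line-numbers` shows the real order after the two -I calls, and the nat table is consulted only for the first packet of a connection (conntrack hands later packets, including repeated pings under the same ICMP id, straight through), so it is not the place to filter or log. A LOG followed by a DROP for traffic crossing the box belongs in the filter table's FORWARD chain, where every forwarded packet is seen.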