> accepted. The problem
> is, if I use
>
> iptables -A FORWARD -j DROP
> or
> iptables -P FORWARD DROP
>
> they will drop all packets including the ones I already ACCEPTed.

I don't see any rule that makes the filter stateful. When it's stateful, you don't have to worry about all the returning packets. I think that will make it work.

> example (want to allow all incoming and outgoing www traffic):
> iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 80 -j ACCEPT
> iptables -A FORWARD -p tcp -d 192.168.1.0/24 --sport 80 -j ACCEPT

Packets sent *to* a webserver will most likely not come *from* port 80/tcp.

> iptables -A FORWARD -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
> iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 80 -j ACCEPT
> iptables -A FORWARD -j DROP

So, making it stateful, it would look like this:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

Gr, Rob
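The stateful FORWARD chain from the reply, written out as an iptables-restore file that can be parsed before it is loaded; this is an added example, not part of the original thread. It assumes the LAN from the question (192.168.1.0/24), covers both directions the poster asked for (LAN clients browsing out, outside hosts reaching LAN web servers), and uses the newer `conntrack` match in place of `-m state`.

```shell
#!/bin/sh
# Added example: build a stateful FORWARD ruleset for a LAN in
# iptables-restore format. The LAN prefix is taken from the thread;
# nothing here is the original poster's or Rob's code.

# Print the ruleset. Rule order is the whole point: the RELATED,ESTABLISHED
# rule comes first so replies to connections already accepted are let through
# whatever their ports are, and only NEW connections have to be matched on
# destination port. INVALID packets (no conntrack entry, bad TCP flags) are
# dropped explicitly rather than falling through to the service rules.
build_forward_rules() {
    lan="$1"
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -d $lan -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $lan -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Return the 1-based position of the RELATED,ESTABLISHED rule among the
# FORWARD rules, so a caller can check it still precedes the service rules
# after the ruleset is edited.
established_rule_index() {
    build_forward_rules "$1" |
        awk '/^-A FORWARD/ { n++; if ($0 ~ /ESTABLISHED/ && !done) { print n; done = 1 } }'
}

# Count the rules that would accept a NEW connection; everything else is
# dropped by the chain policy.
new_accept_rule_count() {
    build_forward_rules "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Parse the ruleset with the kernel-side checks of iptables-restore without
# committing it (needs root). Remove --test to load it for real.
check_forward_rules() {
    build_forward_rules "$1" | iptables-restore --test
}
```

Loading through iptables-restore replaces the table atomically, so the chain is never left with the DROP policy set but the ESTABLISHED rule not yet added.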