Hi,

I have the following configuration:

  INTERNET
     |
  Firewall (Linux box with IPTables)
     |
  Router (Linux box with IPTables)

The default policy in the FORWARD chain in the Firewall is set to DROP packets. So, I have to insert a rule for every kind of traffic I want to accept.

The Router logs all traffic:

  iptables --append INPUT -j LOG --log-level debug --log-prefix "IPTABLES LOG INPUT "
  iptables --append FORWARD -j LOG --log-level debug --log-prefix "IPTABLES LOG FORWARD "
  iptables --append OUTPUT -j LOG --log-level debug --log-prefix "IPTABLES LOG OUTPUT "

I don't have any rule in the Firewall which ACCEPTs traffic to the Router. But, when I try to access the Router from INTERNET, the Router will log that packet, which the Firewall should DROP!!!

If I try to ping the router from INTERNET, the Router will log:

  Jun 23 15:01:23 Router kernel: IPTABLES FILTER DROP INPUT IN=eth0 OUT= MAC=XX SRC=A-HOST DST=Router PROTO=ICMP 8
  Jun 23 15:01:23 Router kernel: IPTABLES FILTER DROP OUTPUT IN= OUT=eth0 SRC=Router DST=A-HOST PROTO=ICMP

It gets even more strange if I also log the traffic which the Firewall should DROP, i.e. the last rule in the FORWARD chain on the Firewall is:

  iptables --append FORWARD -j LOG --log-level debug --log-prefix "IPTABLES DROP FORWARD "

The Firewall will log:

  Jun 23 15:07:59 Firewall kernel: IPTABLES DROP FORWARD IN=eth3 OUT=eth0 SRC=Router DST=A-HOST PROTO=ICMP

eth0 is connected to INTERNET and eth3 is connected to the Router. Shouldn't it be the other way around? The Firewall should of course DROP this packet (the default policy is to DROP packets).

What could be wrong? Do I have to upgrade to the latest version of iptables and the Linux kernel?

Yours sincerely,
Christian Ericsson
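An added example, not part of the original post: a small sh script that parses iptables LOG lines in the format quoted above and reports, for each entry, the ingress and egress interface (IN= and OUT=) and therefore which leg of the traffic the entry belongs to. The interface roles (eth0 facing INTERNET, eth3 facing the Router) are taken from the post and are assumed to apply to the Firewall box only.

```shell
#!/bin/sh
# Added example, not from the original post: parse iptables LOG lines in the format
# quoted above and say which interface each packet came in on and went out of, so
# that inbound and outbound legs can be told apart when reading the Firewall's log.
# Interface roles are taken from the post and apply to the Firewall box only:
FW_INTERNET_IF=eth0   # faces the INTERNET
FW_ROUTER_IF=eth3     # faces the Router
# Print the value of KEY=VALUE in a log line (empty if the key is absent or empty).
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Classify one log line: prints "<log prefix>|<direction>|SRC->DST/PROTO".
classify() {
    line=$1
    prefix=$(printf '%s\n' "$line" | sed -n 's/.*kernel: \(.*\) IN=.*/\1/p')
    ifc=$(field "$line" IN)
    ofc=$(field "$line" OUT)
    if [ -n "$ifc" ] && [ -n "$ofc" ]; then
        dir="forwarded $ifc->$ofc"       # FORWARD chain: both interfaces set
    elif [ -n "$ifc" ]; then
        dir="received on $ifc"           # INPUT chain: delivered to this box
    else
        dir="sent via $ofc"              # OUTPUT chain: generated by this box
    fi
    printf '%s|%s|%s->%s/%s\n' "$prefix" "$dir" \
        "$(field "$line" SRC)" "$(field "$line" DST)" "$(field "$line" PROTO)"
}

# For a FORWARD entry on the Firewall, name the leg using the interface roles above.
fw_leg() {
    ifc=$(field "$1" IN); ofc=$(field "$1" OUT)
    if [ "$ifc" = "$FW_INTERNET_IF" ] && [ "$ofc" = "$FW_ROUTER_IF" ]; then
        echo "inbound (INTERNET -> Router)"
    elif [ "$ifc" = "$FW_ROUTER_IF" ] && [ "$ofc" = "$FW_INTERNET_IF" ]; then
        echo "outbound (Router -> INTERNET)"
    else
        echo "other"
    fi
}
# Sample lines copied from the post, so the script runs stand-alone.
SAMPLES='Jun 23 15:01:23 Router kernel: IPTABLES FILTER DROP INPUT IN=eth0 OUT= MAC=XX SRC=A-HOST DST=Router PROTO=ICMP 8
Jun 23 15:01:23 Router kernel: IPTABLES FILTER DROP OUTPUT IN= OUT=eth0 SRC=Router DST=A-HOST PROTO=ICMP
Jun 23 15:07:59 Firewall kernel: IPTABLES DROP FORWARD IN=eth3 OUT=eth0 SRC=Router DST=A-HOST PROTO=ICMP'
printf '%s\n' "$SAMPLES" | while IFS= read -r l; do
    classify "$l"
    case $l in *Firewall*FORWARD*) echo "  leg: $(fw_leg "$l")";; esac
done
```

Run against the quoted lines, the Firewall's DROP FORWARD entry is reported as the outbound leg (in on eth3, out on eth0); an inbound request from INTERNET would instead show IN=eth0 OUT=eth3.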