Source field doesn't matter since traffic destined for the internal (private) network will only pass through that chain if you define DNAT rules for them. The port 80 rule seems ok, but trusting something like that where a user can change their IPs or use different port numbers, it is pretty light security for anyone who knows what they are doing.

-----Original Message-----
From: Payal Rathod [mailto:payal-iptables@xxxxxxxxxxxx]
Sent: Wednesday, August 13, 2003 11:25 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: please advise on this rule

Hi,
Does this FORWARD chain look ok in a simple NAT network where the Linux box is connected to the net?

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
REJECT     tcp  --  192.168.10.1         0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Is source 0/0 OK? Should it be 192.168.10.0/24?
Will the third rule block outgoing connections from 192.168.10.1 to any server at port 80?

Thanks a lot and eagerly waiting for the reply.
With warm regards,
-Payal

--
"Visit GNU/Linux Success Stories" http://payal.staticky.com
Guest-Book Section Updated.
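Added example, not part of either post: a small first-match model of a netfilter chain, loaded with the FORWARD chain quoted above, to show what Payal's third question comes down to. Netfilter walks a chain top to bottom and the first matching rule with a terminal target decides, so the catch-all ACCEPT in position 1 is reached before the port 80 REJECT; the reordered chain and the packets are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).

```python
from ipaddress import ip_address, ip_network

# Constructed model of the posted chain. Rule = (target, proto, src, dst, dport, states);
# None means "match anything" for that field. Listing order is preserved.
POSTED_CHAIN = [
    ("ACCEPT", None, "0.0.0.0/0", "0.0.0.0/0", None, None),
    ("ACCEPT", None, "0.0.0.0/0", "0.0.0.0/0", None, {"RELATED", "ESTABLISHED"}),
    ("REJECT", "tcp", "192.168.10.1", "0.0.0.0/0", 80, None),
]
POLICY = "DROP"  # "Chain FORWARD (policy DROP)" in the listing

def rule_matches(rule, pkt):
    """True when every field the rule specifies matches the packet."""
    _target, proto, src, dst, dport, states = rule
    if proto is not None and pkt["proto"] != proto:
        return False
    if ip_address(pkt["src"]) not in ip_network(src):
        return False
    if ip_address(pkt["dst"]) not in ip_network(dst):
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    if states is not None and pkt["state"] not in states:
        return False
    return True

def forward_verdict(chain, pkt, policy=POLICY):
    """Walk the chain top to bottom; the first matching rule decides, as netfilter does.
    Returns (verdict, index of the deciding rule) or (policy, None) if nothing matched."""
    for index, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return rule[0], index
    return policy, None

# Constructed packets: a new web connection from the host Payal wants to block,
# a reply to an existing LAN connection, and an unsolicited connection from outside.
NEW_HTTP_FROM_LAN_HOST = {"proto": "tcp", "src": "192.168.10.1", "dst": "203.0.113.10", "dport": 80, "state": "NEW"}
REPLY_TO_LAN = {"proto": "tcp", "src": "203.0.113.10", "dst": "192.168.10.20", "dport": 40000, "state": "ESTABLISHED"}
UNSOLICITED_FROM_NET = {"proto": "tcp", "src": "198.51.100.5", "dst": "192.168.10.20", "dport": 22, "state": "NEW"}

# Constructed alternative: REJECT above the catch-all ACCEPT, and the catch-all narrowed to
# the LAN (the 192.168.10.0/24 source Payal asks about), so only RELATED/ESTABLISHED comes back in.
REORDERED_CHAIN = [
    ("REJECT", "tcp", "192.168.10.1", "0.0.0.0/0", 80, None),
    ("ACCEPT", None, "0.0.0.0/0", "0.0.0.0/0", None, {"RELATED", "ESTABLISHED"}),
    ("ACCEPT", None, "192.168.10.0/24", "0.0.0.0/0", None, None),
]

if __name__ == "__main__":
    for name, chain in (("posted", POSTED_CHAIN), ("reordered", REORDERED_CHAIN)):
        print(name, forward_verdict(chain, NEW_HTTP_FROM_LAN_HOST))
```

With the posted order the port 80 connection is accepted by rule 1 and the REJECT is never consulted; with the reordered chain it is rejected, replies still pass via RELATED,ESTABLISHED, and unsolicited inbound traffic falls through to the DROP policy.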