On Tue, 2003-09-23 at 14:22, iptables@xxxxxxxxxxxxxxxxxx wrote:
> I manage a network with three different ranges of IPs: 192.168.1.0,
> 192.168.2.0 and 192.168.3.0.
>
> I have a router-firewall which connects these internal networks.
>
> iptables rules on the router-firewall machine are...
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
> $IPTABLES -A FORWARD -s 192.168.1.19 -j ACCEPT
> From host 192.168.1.19, which is a Windows machine, I ping machine
> 192.168.3.15, which is a Linux machine. The result is OK.
>
> If I ping from 192.168.1.19 to 192.168.3.35, which is a Windows machine, I
> can't get a response.

Is this ALL of the rules?

I presume that $INTIF has three IPs, one per subnet? In that case, you'd
have forwarding from $INTIF back to $INTIF, which you don't list a rule
for. Your listed rules will allow 192.168.1.19 to ping anything, but if
the target is on $INTIF it will not be allowed to reply.

The linux machine may have a different subnet configured (like /16) -
check "ip route show" for "192.168.x.x/16", and also see if there's a
route that would allow 192.168.1.0/24 directly on the interface, instead
of listing a "via 192.168.3.1" or something similar pointing to your
router. (should probably only be three routes - "192.168.3.0/24 dev
eth0", "127.0.0.0/8 dev lo", and "default via 192.168.3.1 dev eth0"...)

> I can ping from router to every IP on every network with forward policy set
> as DROP by default.

Of course, as that traffic would all hit INPUT and OUTPUT chains for the
box itself... not FORWARD.

> Could you help me with the problem?

Hopefully.

> Thanks in advance.

j
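The following is an added illustration, not code from either poster: a small Python model of the FORWARD chain as quoted in the thread, walked in iptables order (first terminating match wins, LOG is non-terminating, an unmatched packet falls through to the chain policy). It traces the echo request from 192.168.1.19 and the echo reply from 192.168.3.35 when both arrive and leave on $INTIF, and then repeats the trace with the $INTIF-to-$INTIF ACCEPT rule the reply says is missing. The interface names "eth0"/"eth1", the exact form of the added rule, and the policy of DROP are assumptions; the posted rules and addresses are the thread's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str    # interface the packet arrived on (-i)
    out_if: str   # interface it would leave on (-o)


@dataclass
class Rule:
    """One FORWARD rule; a field left as None is a wildcard, as in iptables."""
    target: str                    # "ACCEPT", "DROP" or "LOG"
    in_if: Optional[str] = None    # -i
    out_if: Optional[str] = None   # -o
    src: Optional[str] = None      # -s (single host only in this model)

    def matches(self, pkt: Packet) -> bool:
        return ((self.in_if is None or self.in_if == pkt.in_if)
                and (self.out_if is None or self.out_if == pkt.out_if)
                and (self.src is None or self.src == pkt.src))


def forward_verdict(rules: List[Rule], pkt: Packet,
                    policy: str = "DROP") -> Tuple[str, bool]:
    """Walk the chain top to bottom. Returns (verdict, was_logged).

    LOG records the packet and continues; ACCEPT/DROP end evaluation;
    no match means the chain policy applies.
    """
    logged = False
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, logged
    return policy, logged


# Assumed interface names: eth0 external, eth1 internal (three subnets on it).
EXTIF, INTIF = "eth0", "eth1"

# The four rules exactly as quoted in the post, in the order they were appended.
POSTED_RULES = [
    Rule("ACCEPT", in_if=EXTIF, out_if=INTIF),
    Rule("ACCEPT", in_if=INTIF, out_if=EXTIF),
    Rule("LOG"),
    Rule("ACCEPT", src="192.168.1.19"),
]

# The rule the reply points out is absent (assumed form of that rule).
INTIF_TO_INTIF = Rule("ACCEPT", in_if=INTIF, out_if=INTIF)


def ping_exchange(rules: List[Rule]) -> Tuple[str, str]:
    """Verdicts for the ICMP request 192.168.1.19 -> 192.168.3.35 and its reply.

    Both hosts sit behind $INTIF, so both directions are forwarded
    $INTIF -> $INTIF on the router.
    """
    request = Packet("192.168.1.19", "192.168.3.35", INTIF, INTIF)
    reply = Packet("192.168.3.35", "192.168.1.19", INTIF, INTIF)
    return forward_verdict(rules, request)[0], forward_verdict(rules, reply)[0]


if __name__ == "__main__":
    # With the posted rules the request is accepted (by the -s 192.168.1.19
    # rule) but the reply matches nothing terminating and hits policy DROP.
    print("posted rules:", ping_exchange(POSTED_RULES))
    # Prepending an $INTIF -> $INTIF ACCEPT lets the reply through too.
    print("with INTIF->INTIF:", ping_exchange([INTIF_TO_INTIF] + POSTED_RULES))
```

Note that the LOG rule sits before the per-host ACCEPT, so in this model the echo request is logged before being accepted, while the dropped reply is also logged; on the real box those kernel log lines are the quickest confirmation that a reply reached FORWARD and fell through to the policy.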