I replied to Matthew off-list on this one. Note the last two lines. "It works" because he sets a default ACCEPT policy and then flushes the previous rules. You are right about the syntax on the first two lines, but iptables is smart enough to correct it and implements 209.210.10.0/28.

C

On Tue, 2003-12-23 at 10:42, Antony Stone wrote:
> On Tuesday 23 December 2003 3:32 pm, Matthew Simpson wrote:
>
> > I must have been doing something stupid last night, because I retried it
> > this morning and it works. Here is what I have for the forward chain:
> >
> > $IPTABLES -A FORWARD -d 209.210.10.1/28 -j ACCEPT
> > $IPTABLES -A FORWARD -d ! 209.210.10.1/28 -j DROP
> > $IPTABLES -P FORWARD ACCEPT
> > $IPTABLES -F FORWARD
> >
> > This works.
>
> When you say "this works", I assume that's only for minimal values of
> "working" :)
>
> I can't believe that a router which will drop all packets except those
> addressed to 209.210.10.0/28 (note that your address designation is slightly
> incorrect above) will do an effective job.
>
> You may want to route inbound packets only to these IP addresses, but what
> about the replies? They are going to be going to other destination
> addresses, and need routing too.....
>
> Antony.
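An added example, not part of the thread above and not anyone's posted script: it shows the two points the replies make. First, why iptables installs 209.210.10.0/28 when given 209.210.10.1/28 (the host bits are cleared to the network address; the function below does the same arithmetic in plain POSIX sh). Second, a FORWARD rule ordering in which the flush and policy come before the appends, so the filter is still in place when the script finishes. The DROP policy, the "! -d" negation spelling and the extra "-s" rule for replies from the subnet are my assumptions about what a working version would look like; nothing here calls iptables, it only prints the rules, so it runs without root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Pure POSIX sh; no iptables call.

# cidr_network A.B.C.D/N -> prints the network address with the host bits cleared,
# i.e. what iptables actually installs when handed 209.210.10.1/28.
cidr_network() {
    addr=${1%/*}
    plen=${1#*/}
    # Split the dotted quad into four octets.
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    a=$1; b=$2; c=$3; d=$4
    # Pack into a 32-bit integer.
    ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    # Mask with plen leading ones; plen=0 is special-cased because a 32-bit
    # shift of the all-ones value is not portable arithmetic.
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$plen"
}

# forward_rules A.B.C.D/N -> prints FORWARD rules in an order that keeps the
# filter: flush first, set the policy, then append the matches. Appending
# before a flush (as in the quoted script) leaves the chain empty with whatever
# policy was set last. Assumed design: DROP policy, ACCEPT to the subnet and
# ACCEPT from it so that replies leaving the subnet are forwarded too.
forward_rules() {
    net=$(cidr_network "$1")
    printf '%s\n' \
        "iptables -F FORWARD" \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -d $net -j ACCEPT" \
        "iptables -A FORWARD -s $net -j ACCEPT" \
        "iptables -A FORWARD ! -d $net -j DROP"
}

# Stand-alone use: print the rule set for the subnet from the thread.
forward_rules "${1:-209.210.10.1/28}"
```

Run it as `sh rules.sh 209.210.10.1/28` and compare the emitted addresses with what `iptables -L FORWARD -n` shows after the real script has run; the normalised 209.210.10.0/28 is what appears in the kernel, regardless of how the address was written.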