> The fact that the MAC address is correct means that the packet has surely come > from the Windows machine, and has not come through any other router (because > if it had, it would have the IP address of the Windows box and the MAC > address of the router). Yes. I'm playing a bit more with this, and after adding a "--match mac --mac-source" rule, I started seeing the packets being dropped by the input policy (which is obviously drop). Once I added the same "saving by MAC" rule, everything works fine (except my conscience). > > Tell us more about your network connections - you say you have a switch on > eth0 connected to the Windows box and nothing else; how is eth1 connected to > your Internet router? Crossover cable? Switch/hub? What? I'll explain and check cables at the same time. The linux box has two ethernet interfaces. eth0 is the internal LAN interface. 192.168.20.1, and it's connected to a 10/100 switch to which other computers go (192.168.20.5 which is the window box, for example. there's others but not important here) eth1 is the external interface, and it's is connected to my ADSL router directly. > > Also, do you have a nice simple, clean subnet arrangement - something like a > single public IP on eth1, and a private class C on eth0, nothing fancy? Yes. > > It would be good to try running tcpdump or ethereal on the netfilter machine, > so that when a log entry such as this appears, you can check the tcpdump or > ethereal log and see if it agrees that the packet really did only come in on > eth1. How reliable is ethereal? I mean, does it see packets as they come from the wire or after they have been touched by netfilter? Anyway, I've added this now to the firewall: iptables -A INPUT --match mac --mac-source 00:0c:6e:77:a9:92 -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES MAC INPUT] : ' iptables -A INPUT --match mac --mac-source 00:0c:6e:77:a9:92 -j ACCEPT So all packets that are saved by that rule are logged. I've seen some packets already: Jan 11 13:28:53 fulanito kernel: [IPTABLES MAC INPUT] : IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:77:a9:92:08:00 SRC=192.168.20.5 DST=192.168.20.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=16661 PROTO=UDP SPT=137 DPT=137 LEN=58 That packet shows up in ethereal as well (everything matches). However all packets seen so far in both ethereal and the logs (4) are for broadcasts (still, is that possible? How could a packet generated by the windows box, which isn't connected to eth1, end up there?). I haven't seen anything else yet. > Not a solution to your probloem, I know, but maybe a help along the way? Anything that makes me think of trying something else is a help somehow :-) Thanks.