That is why I'm not sure if I need ICMP supported on it or not, and not sure where to add the ICMP support (input, output, forward).
You need it in FORWARD, that's obvious. You also need it in OUTPUT because ICMP packets can be generated on your forwarding machine too. For example, if it fails to pass the packet to the next hop, it will generate a "no route to host/network" message back to the originating host (this ICMP packet will have the source address of the forwarding machine, so it goes to the OUTPUT chain). More examples of ICMP packets generated on your forwarding machine (as a result of receiving a packet that should be forwarded) would be traceroute (which works by exploiting TTL exceeded) and path MTU discovery (which works by exploiting the don't fragment bit).
Note that removing the match for RELATED from the INPUT chain does not gain you much (other than one line less in the rules). If your machine only forwards packets, no ICMP that ends up in the INPUT chain will ever be in the RELATED state (it will be in either the NEW or INVALID state).
-- Aleksandar Milivojevic <amilivojevic@xxxxxx> Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
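
The chain placement described in the reply above, written out as an iptables-restore ruleset. This is an added example, not part of the original message; the default-DROP policies, the choice of ICMP types and the `emit_rules` function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): filter rules for a box that only
# forwards traffic. Policies and ICMP type selection are assumptions.

emit_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# FORWARD: replies, plus ICMP errors that belong to a forwarded connection
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# (site-specific rules admitting NEW forwarded traffic go here)
# OUTPUT: ICMP errors this machine generates about packets it was asked
# to forward; their source address is the forwarder's own.
# "no route to host/network" and "fragmentation needed" (path MTU discovery)
-A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
# TTL exceeded, which traceroute relies on
-A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# INPUT: no RELATED rule, per the note that a forwarding-only machine
# never sees RELATED ICMP in that chain
COMMIT
EOF
}

# Load the rules only when asked to; by default the script just defines them.
if [ "${1:-}" = "--apply" ]; then
    emit_rules | iptables-restore
fi
```

Running `emit_rules | iptables-restore --test` parses the ruleset without committing it.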