> What I'd like to do is something like:
> $IPTABLES -A FORWARD -i $LAN_IFACE -p tcp --dport 445 --dst sql.se.rv.er -j
> REJECT --reject-with tcp-reset
>
> My problem:
> The packet seems OK (iptables changes the source IP and port) and is a
> TCP RST, but it is sent to the external interface, and my LAN
> hosts do not get the reply and must wait for a timeout to occur
> (since another firewall protects the SQL Server and drops TCP 445).
>
> Is there any way to force an interface for the REJECT rule?
>
> Is there any configuration that could cause this to happen?

There is something wrong with your configuration.

Post the output of "iptables -vnL; iptables -vnL -t nat; iptables -vnL -t mangle" and clue us in as to which interface is inside, outside, dmz, etc...

-j
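The following is an added example, not code from either poster. It writes the posted rule with the same variable names and then checks a saved `iptables -vnL` listing (the output the reply asks for) for one configuration mistake that would stop a FORWARD REJECT rule from ever firing: an earlier rule in the FORWARD chain that already ACCEPTs the traffic, which is visible in the listing as the REJECT rule's pkts counter staying at 0. The interface names, the 10.0.0.5 address and both listings are constructed for the example; whether this is the cause in the thread is not known.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the posted rule and inspects an
# "iptables -vnL" listing for a rule-ordering problem in the FORWARD chain.
# Interface names, the 10.0.0.5 address and the sample listings are assumed.

IPTABLES="${IPTABLES:-iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"            # assumed: inside interface
SQL_SERVER="${SQL_SERVER:-sql.se.rv.er}"  # placeholder host from the post

# The rule exactly as posted. With DRY_RUN=1 (the default here) the command is
# only printed, so this runs on a box without root or netfilter.
reject_sql_rule() {
    set -- -A FORWARD -i "$LAN_IFACE" -p tcp --dport 445 --dst "$SQL_SERVER" \
        -j REJECT --reject-with tcp-reset
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Read an "iptables -vnL" listing on stdin. Columns are:
#   pkts bytes target prot opt in out source destination [match details]
# Exit status: 0 = REJECT rule present in FORWARD with no "ACCEPT all" above
# it; 1 = an "ACCEPT all" rule precedes it, so the REJECT is shadowed and
# its pkts counter stays 0; 2 = no such REJECT rule found in FORWARD.
# If it reports 1, the REJECT has to come first (e.g. -I FORWARD 1).
check_forward_order() {
    awk '
        /^Chain /                                       { chain = $2; next }
        chain != "FORWARD" || NF == 0 || $3 == "target" { next }
        $3 == "REJECT" && /dpt:445/ && /reject-with tcp-reset/ { found = 1; exit }
        $3 == "ACCEPT" && $4 == "all"                   { shadow = 1 }
        END { if (!found) exit 2; if (shadow) exit 1; exit 0 }
    '
}

# Constructed listing: a blanket ACCEPT sits above the REJECT, so the REJECT
# has never matched (pkts = 0) even though the rule itself looks correct.
sample_listing_shadowed() {
    cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  500 40000 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  eth1   *       0.0.0.0/0            10.0.0.5             tcp dpt:445 reject-with tcp-reset

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# Constructed listing with the REJECT placed first; its counter is non-zero.
sample_listing_ok() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REJECT     tcp  --  eth1   *       0.0.0.0/0            10.0.0.5             tcp dpt:445 reject-with tcp-reset
  500 40000 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
EOF
}

# "sh this_script.sh demo" prints the rule and checks the shadowed listing.
if [ "${1:-}" = demo ]; then
    reject_sql_rule
    sample_listing_shadowed | check_forward_order
    echo "shadowed listing: rc=$?"
fi
```

On a real firewall, source the script and pipe the live listing through the check (`iptables -vnL | check_forward_order; echo $?`); the nat and mangle listings the reply also asks for are still needed to see where the RST's addresses are being rewritten, which this check does not look at.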