> Better to let things through the mangle and nat tables, and do filtering in
> the filter table. There have been folks who like to drop things in the
> mangle and nat tables, but setting actual DROP policies makes life very
> difficult.

This seems like sound advice after what I've been through. Maybe the folks in The Matrix can bend the laws of physics with relative ease, but for myself, I can barely achieve 'dude' status. I think I'll ACCEPT mangle and nat, and get some sleep tonight. :-)

> There is no definition of the SOURCE that you want to drop ICMP echo requests
> from. Thus this rule drops all ping echo requests.
>
> iptables -t filter -A INPUT -p icmp -i [internet pipe device] --icmp-type \
> echo-request -j DROP
>
> will allow your LAN users to ping the box, but prevent pings from the
> internet from getting in.

Oh I see. By stating specifically the internet-facing device, you make it possible for LAN clients to ping the box through the gateway NIC - eth1, while the rule blocks all the other echo requests.

> Really and truly -- Oskar's tutorials are great and easy to read... and even
> the sample firewalls there are decent enough to start with for a newbie.

I definitely feel more secure about working on my firewall knowing that this reference material is around. It's packed.

Thanks again, Alistair. It's great to have your assistance.

Mike
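Added example (not Alistair's or Mike's code): a minimal script that puts both pieces of advice from the thread into one place, ACCEPT policies on the mangle and nat tables and an interface-scoped echo-request DROP in the filter table. The interface names eth0 (internet) and eth1 (LAN) are assumptions; setting IPTABLES=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Assumed interface names; override with WAN_IF=... LAN_IF=... in the environment.
WAN_IF="${WAN_IF:-eth0}"            # internet-facing device (assumption)
LAN_IF="${LAN_IF:-eth1}"            # gateway NIC toward the LAN (assumption)
IPTABLES="${IPTABLES:-iptables}"    # set IPTABLES=echo to print instead of apply

# Keep mangle and nat permissive: every chain gets an ACCEPT policy, so all
# real decisions live in the filter table, as the thread recommends.
open_mangle_nat() {
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        "$IPTABLES" -t mangle -P "$chain" ACCEPT
    done
    for chain in PREROUTING INPUT OUTPUT POSTROUTING; do
        "$IPTABLES" -t nat -P "$chain" ACCEPT
    done
}

# Echo requests arriving on the LAN NIC are explicitly accepted; those arriving
# on the internet-facing device are dropped. Without the -i match the DROP
# would apply to every interface, which is the mistake the thread points out.
# Note that -p icmp must come before --icmp-type so the icmp match is loaded.
filter_ping() {
    "$IPTABLES" -t filter -A INPUT -i "$LAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    "$IPTABLES" -t filter -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
}

apply_rules() {
    open_mangle_nat
    filter_ping
}

# Emit the exact commands apply_rules would run, without touching the live ruleset.
dry_run() {
    ( IPTABLES=echo; apply_rules )
}
```

Run `dry_run` first to review the generated rules, then `apply_rules` as root to install them.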