Are you getting the connection coming back?

Try

$IPTABLES -A FORWARD -o $DMZ_IFACE -o $LAN_IFACE -j ACCEPT

And see if it makes any difference. Forward works in both directions. We typically allow established,related to return the path that it came from. You might need to do the same.

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Greg Cope
Sent: Tuesday, January 25, 2005 9:25 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Help debugging iptables firewall....

Hi Gary,

Pinholes? If you mean specific IP to specific IP:PORT on specific interfaces then yes.

DB is an oracle listener (port 1521)

I have these:

# for ssh to db server from webserver
$IPTABLES -A FORWARD -p tcp --dport 22 -i $DMZ_IFACE -s $DMZ_EDGE_IP -o $LAN_IFACE -d $TROT_IP -j ACCEPT

$IPTABLES -A FORWARD -p tcp --dport 1521 -i $DMZ_IFACE -s $DMZ_EDGE_IP -o $LAN_IFACE -d $TROT_IP -j ACCEPT

I added 2 of your examples one before one after, and only see:

Jan 25 17:21:43 gateway kernel: Oracle 1521 [tcp] before: IN=eth1 OUT=eth2 SRC=192.168.254.3 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30447 DF PROTO=TCP SPT=32907 DPT=1521 WINDOW=5840 RES=0x00 SYN URGP=0

Which would imply that the rule is ok and the packet goes through - but why am I not getting a connection?

Thanks,

Greg
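A minimal stateful FORWARD ruleset that puts the established,related return rule from the reply in front of Greg's two pinholes, as an added example that is not from either poster. The interface names, addresses and $IPTABLES path are assumptions modelled on the variables and log line in the thread; set IPTABLES="echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, addresses and the
# iptables path below are assumptions taken from the thread's variables.
IPTABLES="${IPTABLES:-iptables}"
DMZ_IFACE="${DMZ_IFACE:-eth1}"               # IN=eth1 in the LOG line
LAN_IFACE="${LAN_IFACE:-eth2}"               # OUT=eth2 in the LOG line
DMZ_EDGE_IP="${DMZ_EDGE_IP:-192.168.254.3}"  # web server in the DMZ
TROT_IP="${TROT_IP:-192.168.0.5}"            # Oracle host on the LAN

# Emit one pinhole: new TCP connections to $port from the DMZ host to the LAN host.
pinhole() {
    port="$1"; label="$2"
    $IPTABLES -A FORWARD -p tcp --dport "$port" \
        -i "$DMZ_IFACE" -s "$DMZ_EDGE_IP" -o "$LAN_IFACE" -d "$TROT_IP" \
        -m conntrack --ctstate NEW -m comment --comment "$label" -j ACCEPT
}

# Build the FORWARD chain: return traffic first, then pinholes, then log and drop.
build_forward_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    # Without this rule the SYN reaches the Oracle host (as the LOG line shows)
    # but the SYN/ACK coming back from $LAN_IFACE to $DMZ_IFACE is dropped,
    # so the connection never completes. "-m state --state" is the older spelling.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    pinhole 22   "ssh to db server from webserver"
    pinhole 1521 "oracle listener"
    # Catch-all: log what is still dropped so a missing rule shows up in syslog.
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
    $IPTABLES -A FORWARD -j DROP
}

# Preview the ruleset without touching the kernel (runs as an unprivileged user).
preview_forward_rules() {
    (IPTABLES="echo iptables"; build_forward_rules)
}

# Return 0 when the previewed ruleset contains the stateful return rule.
has_return_rule() {
    preview_forward_rules | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}
```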