Re: ICMP rule for stateful firewall

I wanted to ask if such a rule was possible:

iptables -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 \
    -m state --state NEW,ESTABLISHED,RELATED -p icmp \
    --icmp-type echo-request -j ACCEPT

Yes, such a rule seems valid as in there are no syntax errors. However, I think this type of rule is a bit odd to see. The fact that you are coming in and going out the same interface does not bother me, but the fact that your source and destination are on the same subnet perplexes me. Normally this sort of operation would be reserved for a single physical LAN subnet. I have seen such traffic before, namely when I used a DNAT to redirect web traffic from a LAN back in to a proxy on the same LAN. (This was used to thwart people that tried to bypass the proxy on the LAN.) I find it a little odd that you would need ICMP traffic from the local LAN destined to the local LAN to pass through your router, but hey, I'm not saying that it would never happen. Based on your rule, ICMP traffic from someone on your local LAN on eth0 with a source IP in the 192.168.10.0/24 subnet destined to your local LAN on eth0 with a destination IP in the 192.168.10.0 subnet *SHOULD* work just fine.



Grant. . . .
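An added example, not part of the thread above, showing the stateful form of the rule discussed: the echo-request is accepted as NEW, and the echo-reply rides back on a generic ESTABLISHED,RELATED rule because conntrack ties it to the request's tuple. The interface, subnet and the APPLY/run helper are assumptions for illustration; by default the commands are only printed.

```shell
#!/bin/sh
# Added example (not from the thread): print or apply a stateful ICMP echo
# policy for one LAN interface/subnet. With APPLY=1 the iptables commands run;
# otherwise they are printed so the rule set can be reviewed first.

# run CMD...: print the command, or execute it when APPLY=1 (assumed helper)
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# emit_icmp_echo_rules IFACE SUBNET
# Produces two FORWARD rules:
#  1. new echo-requests from SUBNET on IFACE are accepted;
#  2. packets of an already tracked flow are accepted. Conntrack matches an
#     echo-reply to its request (same id), so the reply arrives as
#     ESTABLISHED and needs no separate echo-reply rule.
emit_icmp_echo_rules() {
    iface="$1"
    subnet="$2"
    # The ICMP type is one hyphenated token: echo-request, not "echo request".
    run iptables -A FORWARD -i "$iface" -o "$iface" -s "$subnet" -d "$subnet" \
        -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$iface" -o "$iface" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Caveat, as the reply notes: two hosts on the same /24 normally talk directly
# on the LAN, so FORWARD only sees this traffic when the router is actually in
# the path (for instance after a redirect such as the proxy DNAT mentioned).
emit_icmp_echo_rules eth0 192.168.10.0/24
```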

