On Wednesday 2005-October-19 22:07, Seferovic Edvin wrote:

> I have two internal interfaces ( eth1 // 172.19.0.0 & eth2 //
> 172.20.0.0 ), and I would like to block traffic between those two
> networks. Somehow I've failed because any rules that should forbid
> traffic between those 2 networks didn't work. I still could access
> the webserver on eth2 - 172.20.10.1 from a station with IP address
> 172.19.1.100 ! Then I've applied a rule in the PREROUTING chain in nat

Thou shalt not filter in the nat table.

I knew this one ;)

> iptables -t nat -A PREROUTING -s 172.19.0.0/16 -d 172.20.0.0/16 -j
> DROP

I would use interfaces, not IP addresses.

You mean - physdev matching?

> Rules in FORWARD and INPUT chain just wouldn't work. Is this the

What did you try in FORWARD?

iptables -A FORWARD -d 172.20.0.0/16 -m physdev --physdev-in eth1 -j DROP

This rule works now. I must have had an ESTABLISHED connection in my conntrack table, since this rule didn't work the first time I tried it. Now I've restarted my gateway and applied this rule, and now I cannot access the 172.20.0.0 net.

Any suggestions?

Thank you in advance.

Regards,
Edvin Seferovic
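The two points the thread turns on are that filtering belongs in the filter table's FORWARD chain (not nat PREROUTING), and that a flow already in the conntrack table keeps matching an earlier ESTABLISHED accept rule, which is why a correct DROP appended with -A can appear not to work until the state expires or the box is rebooted. The script below is an added example, not from the thread or its participants. It assumes eth1 (172.19.0.0/16) and eth2 (172.20.0.0/16) as named in the thread and that they are routed interfaces, so plain -i/-o matching applies (the physdev match used above is for bridged ports). IPT, isolate_lans, render_rules and count_drops are names chosen for this example; set IPT=echo to dry-run without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the thread: isolate two routed internal LANs in the
# filter table's FORWARD chain (never in nat). Assumes eth1 (172.19.0.0/16)
# and eth2 (172.20.0.0/16) from the thread, routed rather than bridged.
# IPT defaults to the real iptables binary; set IPT=echo to dry-run.
IPT="${IPT:-iptables}"

# Insert interface-based DROPs at position 1 of FORWARD, in both directions.
# Position 1 puts them ahead of any "--state ESTABLISHED,RELATED -j ACCEPT"
# rule, so a flow already present in the conntrack table cannot slip past
# them the way an appended (-A) rule would let it.
isolate_lans() {
    a="$1"; b="$2"
    "$IPT" -I FORWARD 1 -i "$a" -o "$b" -j DROP
    "$IPT" -I FORWARD 1 -i "$b" -o "$a" -j DROP
}

# Render the rules as text without applying them. The subshell keeps
# IPT=echo from leaking into the caller's environment.
render_rules() {
    ( IPT=echo; isolate_lans "$1" "$2" )
}

# Sanity check: count the directional DROPs that name both interfaces.
count_drops() {
    render_rules "$1" "$2" | grep -c -- "-i .* -o .* -j DROP"
}

# Verification on a live gateway (not part of the dry-run): list FORWARD with
# rule numbers and packet counters; the DROP counters should grow while the
# 172.19.1.100 station retries the 172.20.10.1 web server.
#   iptables -L FORWARD -n -v --line-numbers
# If a stale ESTABLISHED entry still matches, flush it instead of rebooting
# (assumes conntrack-tools is installed):
#   conntrack -F
```

Running `render_rules eth1 eth2` prints the two rules that would be applied; running `isolate_lans eth1 eth2` with IPT unset applies them. Because the DROPs are inserted at the head of the chain, adding them after an ESTABLISHED accept rule still blocks the in-progress session described in the thread.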