On Wednesday 2005-October-19 23:11, Seferovic Edvin wrote:
> I would use interfaces, not IP addresses.
>
> You mean - physdev matching?

I mean -i and -o options.

> iptables -A FORWARD -d 172.20.0.0/16 -m physdev --physdev-in eth1
> -j DROP
>
> This rule works now.. I must have had an ESTABLISHED connection in my
> conntrack table since this rule didn't work the first time I tried it.

That makes sense. See, you can't evaluate why something doesn't work as
expected unless you know the whole picture.

> Now I've restarted my gateway

You can also flush all iptables rules, unload all netfilter modules, then
reload and restore. You'll start with an empty conntrack table. (Someone
will mention the new conntrack tool which will work with 2.6.14 and
later.)

> and applied this rule and now I cannot access the 172.20.0.0 net.
>
> Any suggestions?

Was this not the goal? What is to suggest?

-- 
mail to this address is discarded unless "/dev/rob0" or "not-spam"
is in Subject: header
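The symptom in the thread (a DROP appended to FORWARD that only takes effect once the conntrack table is empty) is usually a rule-ordering issue: an earlier RELATED,ESTABLISHED accept matches packets of flows that conntrack already knows, so they never reach the new rule. The following check is an added example written for this post, not code from anyone in the thread; the iptables-save excerpt it reads is constructed, and it assumes (which the thread does not state) that the poster's FORWARD chain had such a state-accept rule ahead of the physdev DROP.

```python
"""Rule-order check for an iptables FORWARD chain.

Given iptables-save style text, find the physdev DROP rule and report any
earlier rule that ACCEPTs ESTABLISHED traffic. Packets of a flow already
in the conntrack table match that earlier rule and never reach the DROP,
which only sees NEW flows until conntrack is flushed or the rule is moved.
"""
import shlex

# Constructed iptables-save excerpt; not taken from the thread.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -d 172.20.0.0/16 -m physdev --physdev-in eth1 -j DROP
COMMIT
"""


def parse_chain(text, chain):
    """Return the rules appended to `chain`, each as a token list, in order."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 2 and tokens[0] == "-A" and tokens[1] == chain:
            rules.append(tokens[2:])
    return rules


def _option(tokens, name):
    """Value following option `name` in a rule token list, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None


def accepts_established(tokens):
    """True if the rule is a state/conntrack match that ACCEPTs ESTABLISHED."""
    if _option(tokens, "-j") != "ACCEPT":
        return False
    states = _option(tokens, "--state") or _option(tokens, "--ctstate") or ""
    return "ESTABLISHED" in states.upper().split(",")


def is_physdev_drop(tokens):
    """True for a rule using --physdev-in whose target is DROP."""
    return "--physdev-in" in tokens and _option(tokens, "-j") == "DROP"


def find_rule(rules, predicate):
    """Index of the first rule satisfying `predicate`, else -1."""
    for i, rule in enumerate(rules):
        if predicate(rule):
            return i
    return -1


def shadowing_rules(rules, target_index):
    """Indexes of rules before `target_index` that accept ESTABLISHED flows."""
    return [i for i in range(target_index) if accepts_established(rules[i])]


def analyse(text, chain="FORWARD"):
    """Return (index of the physdev DROP rule, indexes of rules shadowing it)."""
    rules = parse_chain(text, chain)
    target = find_rule(rules, is_physdev_drop)
    if target < 0:
        return -1, []
    return target, shadowing_rules(rules, target)


if __name__ == "__main__":
    rules = parse_chain(SAMPLE_RULES, "FORWARD")
    target, shadows = analyse(SAMPLE_RULES)
    print("DROP rule is FORWARD rule %d: %s" % (target + 1, " ".join(rules[target])))
    for i in shadows:
        print("  shadowed for existing flows by rule %d: %s"
              % (i + 1, " ".join(rules[i])))
```

Run it against real output from `iptables-save` to see whether a DROP is reachable for flows that conntrack already tracks; if a state-accept precedes it, either insert the DROP ahead of it with -I or empty the conntrack table as described above so the existing flows are re-evaluated as NEW.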