On Mon, July 3, 2006 14:01, Wennie V. Lagmay wrote:
> Thank you very much Rob, I will take note that it is better to use -A
> rather than -I in this situation, however I have a follow up question. What is
> the difference between implementing these rules on FORWARD chain, rather than
> POSTROUTING and is it important to put DROP after the rules?

If we're only talking about LOG rules then just use the FORWARD chain with "-m state --state NEW". I don't think that, in this case, it differs much because the only thing you want to do is to log and the information would be the same (I didn't try, but of course you are free to do so).

You say you only want to log what source IP is connected to which destination IP, not that you also want to DROP it. So, you don't want to use the DROP target as those packets would get DROPped and a connection cannot be made.

AFAIK you cannot see what public IP it used, but if you used SNAT and/or have only 1 public IP, you already know that.

The log output I showed is an example only and is recorded in the INPUT chain just before the packets are dropped: it has nothing to do with your situation.

You can find more information in Oskar's iptables tutorial. I posted the link in a previous post.

Gr,
Rob
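
The logging approach discussed in this message, as an added example that is not part of the original post: a LOG rule appended to FORWARD for NEW connections, and a summarizer that turns the resulting kernel log lines into source-to-destination pairs. The log prefix `FWD_NEW: `, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: LOG rule for new forwarded connections plus a log summarizer.
# LOG_PREFIX is an assumed value; it must match --log-prefix in the rule.
LOG_PREFIX="FWD_NEW: "

# Print (not apply) the rule. -A appends it after existing FORWARD rules.
# LOG is non-terminating: the packet keeps traversing the chain, so no DROP.
print_log_rule() {
    printf '%s\n' "iptables -A FORWARD -m state --state NEW -j LOG --log-prefix \"$LOG_PREFIX\""
}

# Read kernel log lines on stdin; emit "count src -> dst proto/dport",
# most frequent first. Lines without our prefix (e.g. INPUT logs) are ignored.
summarize_fwd_log() {
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) == 0 { next }
        {
            src = dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DST=/)   dst   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src == "" || dst == "") next
            if (dpt == "") dpt = "-"          # ICMP carries no port
            seen[src " -> " dst " " proto "/" dpt]++
        }
        END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines (documentation address ranges), not real traffic.
sample_log() {
    cat <<'EOF'
Jul  3 14:05:01 gw kernel: FWD_NEW: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  3 14:05:04 gw kernel: FWD_NEW: IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=198.51.100.7 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=102 DF PROTO=UDP SPT=33001 DPT=53 LEN=51
Jul  3 14:05:09 gw kernel: INPUT_DROP: IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  3 14:05:12 gw kernel: FWD_NEW: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=40113 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  3 14:05:20 gw kernel: FWD_NEW: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=311 SEQ=1
EOF
}

sample_log | summarize_fwd_log
```

Because the rule sits in FORWARD, the SRC field is the internal client address before any SNAT in POSTROUTING is applied.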