Jim:

> The outside should be able to initiate
> so the first rule looks good:
>
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP
>     -p tcp --sport 1024: --dport 1723
>     -m state --state NEW,ESTABLISHED -j ACCEPT
>
> But you need to accept the return packets.
> How about this for the return pattern:
>
> /sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP
>     -p tcp --sport 1723
>     -m state --state ESTABLISHED -j ACCEPT

That is my point. Without this rule, I should see packets hitting the firewall in the log. I don't see them. I can add this rule, but I don't think the return packets are coming back correctly.

> The accept in the nat postrouting can be removed.

I need that as I also set the nat postrouting to drop by default.

Would it help to see my entire firewall script?

Thanks,
Neil

--
Neil Aggarwal
JAMM Consulting, Inc.