On Mon, 20 Apr 2009 13:26:01 -0600, Thomas Jacob <jacob@xxxxxxxxxxxxx> wrote:

>> iptables -A PREROUTING -i eth0 -t mangle -m state --state ESTABLISHED,RELATED -j RESTOREMARK
>
> This is too restrictive, drop the -i eth0, your forwarded packets from the internet
> will not arrive thru eth0 but still need a CONNMARK -> MARK restore.

Thanks for your help. I tightened up the policies and added rules to pass any packets, for new connections or otherwise, to or from eth0 (the LAN), and drop NEW connection packets except those from the local machine and from the LAN:

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t mangle -A INPUT -i eth0 -j ACCEPT
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -i eth0 -j ACCEPT
iptables -t mangle -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

However, there is a mistake here. I am finding that I cannot access local files on the router box from a LAN-connected machine (nor can I connect from the router box to the Internet) unless I set the policy for INPUT to be ACCEPT.

--
Lloyd
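As an added illustration (an editor's example, not code from the thread or from the netfilter project), here is a small Python model of how the INPUT hook walks the mangle table before the filter table, which is why the ACCEPT rules above, placed in mangle, cannot override a DROP policy in filter. It assumes ppp0 as the Internet-facing interface, which the thread does not name, and the "fixed" ruleset is my reading of where those rules belong.

```python
# Editor's example: a tiny model of netfilter INPUT traversal. In the kernel the
# mangle table is consulted before filter on the same hook, and an ACCEPT verdict
# ends only the current chain; the packet then continues to the next table.

ESTABLISHED = {"ESTABLISHED", "RELATED"}

def match(rule, pkt):
    """A rule matches when every match field it specifies agrees with the packet."""
    if "in_iface" in rule and rule["in_iface"] != pkt["in_iface"]:
        return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    return True

def walk_chain(chain, pkt):
    """The first matching rule decides; otherwise the chain policy applies."""
    for rule in chain["rules"]:
        if match(rule, pkt):
            return rule["target"]
    return chain["policy"]

def input_verdict(tables, pkt):
    """Traverse INPUT in each table in hook order. DROP anywhere is final;
    ACCEPT only moves the packet on to the next table."""
    for name in ("mangle", "filter"):
        if walk_chain(tables[name], pkt) == "DROP":
            return "DROP"
    return "ACCEPT"

# The ruleset as posted: ACCEPTs live in mangle, the DROP policy lives in filter.
posted = {
    "mangle": {"policy": "ACCEPT", "rules": [
        {"in_iface": "eth0", "target": "ACCEPT"},
        {"states": ESTABLISHED, "target": "ACCEPT"}]},
    "filter": {"policy": "DROP", "rules": []},
}
# Assumed fix (editor's reading, not from the thread): the same rules in the filter table.
fixed = {
    "mangle": {"policy": "ACCEPT", "rules": []},
    "filter": {"policy": "DROP", "rules": posted["mangle"]["rules"]},
}

# Constructed sample packets; ppp0 as the Internet interface is an assumption.
LAN_NEW = {"in_iface": "eth0", "state": "NEW"}            # LAN client opening a share
WAN_REPLY = {"in_iface": "ppp0", "state": "ESTABLISHED"}  # reply to the router's own outbound
WAN_NEW = {"in_iface": "ppp0", "state": "NEW"}            # unsolicited from the Internet

if __name__ == "__main__":
    for label, pkt in (("LAN NEW", LAN_NEW), ("WAN reply", WAN_REPLY), ("WAN NEW", WAN_NEW)):
        print(f"{label:10} posted={input_verdict(posted, pkt):6} fixed={input_verdict(fixed, pkt)}")
```

With the posted layout both the LAN request and the router's own reply traffic end in the filter DROP policy, which matches the symptoms described; moving the two rules into filter lets them through while unsolicited Internet packets still hit DROP.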