> > You need to allow the return traffic also. This can be done with
> > connection tracking and the state match.
> >
> > /Oskar
>
> Forgive me, but I'm a bit confused in a gray area right now.
> With the PREROUTING it wasn't needed to add that and it worked, for this
> new scenario, I tried:
>
> #allow all (??)
> iptables -t filter -A FORWARD -j ALLOW
> #allow TCP PORT 22
> iptables -t filter -A FORWARD -p tcp --dport 22 -j ACCEPT # ssh
> #block everything else
> iptables -t filter -A FORWARD -j DROP

I think you want this:

$ipt -P FORWARD DROP
$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -m state --state NEW -p tcp --dport 22 -j ACCEPT

- You don't need to specify "-t filter". It's the default table.
- All packets that are not explicitly allowed will be dropped in the
  FORWARD chain (policy = DROP).
- Any reply packet in an established connection will be accepted using
  "--state RELATED,ESTABLISHED". Actually, you don't need RELATED here,
  but it doesn't hurt either and you do need it if you want to forward
  FTP and such protocols.
- The first packet in a connection for port 22/tcp will be accepted.
  (Any subsequent packets will be accepted by the previous rule.)

For more info, you might want to read (parts of) Oskar Andreasson's
IPTables Tutorial at:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

--
Rob
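As an added illustration (not part of Rob's reply or of netfilter itself), here is a small Python model of that three-rule FORWARD chain with a toy connection-tracking table; it shows why the return packet of the SSH connection is accepted while an unsolicited packet arriving from port 22 is not. The addresses and ports are constructed.

```python
"""Toy model of the FORWARD chain from the reply above (policy DROP,
accept RELATED,ESTABLISHED, accept NEW tcp/22) with a minimal conntrack
table.  Constructed example, not netfilter code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class ForwardChain:
    def __init__(self):
        # Tracked connections, stored as the 5-tuple of the first packet.
        self.conntrack = set()

    def state_of(self, pkt):
        """ESTABLISHED if either direction of this flow is already tracked."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def filter(self, pkt):
        if self.state_of(pkt) == "ESTABLISHED":
            return "ACCEPT"  # --state RELATED,ESTABLISHED -j ACCEPT
        if pkt.proto == "tcp" and pkt.dport == 22:
            # --state NEW -p tcp --dport 22 -j ACCEPT; a NEW connection is
            # only confirmed in the conntrack table once its packet passes.
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        return "DROP"  # chain policy


def demo():
    """Run four constructed packets through the chain and return verdicts."""
    chain = ForwardChain()
    client, server = "192.0.2.10", "198.51.100.5"
    return [
        chain.filter(Packet(client, 40000, server, 22)),  # SSH SYN: NEW -> ACCEPT
        chain.filter(Packet(server, 22, client, 40000)),  # SYN/ACK reply -> ACCEPT
        chain.filter(Packet(client, 40001, server, 80)),  # HTTP, not allowed -> DROP
        chain.filter(Packet(server, 22, client, 40002)),  # unsolicited "reply" -> DROP
    ]


if __name__ == "__main__":
    print(demo())
```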