> no luck:
>
> > I think it's always better to first allow, and drop in the end, no?
>
> iptables -t filter -A FORWARD -p tcp --dport 22 -j ACCEPT
> iptables -t filter -A FORWARD -m state --state NEW -p tcp --dport 22 -j ACCEPT
> or
> iptables -t filter -A FORWARD -o eth1 -m state --state NEW -p tcp --dport 22 -j ACCEPT
> iptables -t filter -A FORWARD -j DROP

You are always advised to make the default rule (i.e. the policy) DROP with any firewall, then only explicitly allow the traffic you wish to allow:

(I am assuming here you want to allow connections *to* port 22 on the external network from your internal network; for my example the internal network has an IP address of 192.168.0.0/24.)

iptables -t filter -F FORWARD          # Clear out what exists already
iptables -t filter -P FORWARD DROP     # Set default policy to DROP (-P takes the policy name directly, there is no -j)
iptables -t filter -A FORWARD -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT   # SSH from the internal net to anywhere outside it ("! -d" is the current negation syntax)

-- 
Richard Horton
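As an added example (not part of the thread), a small Python model of FORWARD-chain evaluation with constructed packets; it shows why the default-DROP policy fails closed, while the allow-then-drop layout only works as long as the trailing DROP rule is actually present. Chain layouts, the 192.168.0.0/24 internal network and the packet addresses are assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("192.168.0.0/24")  # assumed internal net

@dataclass
class Rule:
    # A None field is not tested, like an omitted iptables option;
    # dst_negated models "! -d 192.168.0.0/24".
    target: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dst_negated: bool = False
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        if self.src is not None and pkt["src"] not in self.src:
            return False
        if self.dst is not None and (pkt["dst"] in self.dst) == self.dst_negated:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True

def forward_verdict(chain, policy, pkt):
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def packet(src, dst, dport, proto="tcp"):
    # Constructed packet: only the fields the rules above look at.
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}

# Default-deny layout from the reply: policy DROP, one ACCEPT for internal -> external SSH.
DEFAULT_DENY = ([Rule("ACCEPT", src=INTERNAL, dst=INTERNAL, dst_negated=True,
                      proto="tcp", dport=22)], "DROP")
# Allow-then-drop layout: policy ACCEPT, allow port 22, then a catch-all DROP.
ALLOW_THEN_DROP = ([Rule("ACCEPT", proto="tcp", dport=22), Rule("DROP")], "ACCEPT")
# Same layout with the final DROP forgotten: every packet is forwarded.
FORGOTTEN_DROP = ([Rule("ACCEPT", proto="tcp", dport=22)], "ACCEPT")
```

Note that the allow-then-drop layout also forwards SSH *into* the internal network, because its ACCEPT rule has no source or destination restriction.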