Hi,

On Fri, Aug 19, 2011 at 9:43 PM, Julio A. Romero <julioarr@xxxxxxxxxxxx> wrote:
> When I do a ping from 192.168.2.200 to 192.168.1.1, this classifies as INPUT
> and the answer as OUTPUT, or not?

Yes.

> In this case, what interface (eth1 or eth2) could be referred to with the
> options '-i' and '-o'?
>
> iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -i eth? -s
> 192.168.2.200 -d 192.168.1.1 -j ACCEPT
>
> iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -o eth? -s
> 192.168.1.1 -d 192.168.2.200 -j ACCEPT

IIRC when selecting (matching) ICMP the further match options are implicit.
That means -- I think -- that you don't need the -m icmp.

Further, since by default Linux uses a weak host model, you are correctly
using the INPUT chain and not the FORWARD chain, so there are some
superfluous matches above. I'd rewrite those rules as

iptables -A INPUT -p icmp --icmp-type echo-request -i eth2 -s 192.168.2.200 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -o eth2 -d 192.168.2.200 -j ACCEPT

When building iptables rulesets from scratch I always use the LOG target,
which sends to the syslog what's going on in Netfilter at the point of the
rule. Excellent troubleshooting hook.

Also, iptables -L -v is your friend.

HTH,
Carlos.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
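As an added example (not part of the thread above), the following Python script reads the kind of syslog lines the LOG target emits and answers the interface question from them: a packet with only IN= set was seen by INPUT, only OUT= by OUTPUT, both by FORWARD. The log lines, the hostname and the log prefixes are constructed for illustration; the field layout (IN/OUT/SRC/DST/PROTO/TYPE and the duplicated ID field) is the standard netfilter LOG format.

```python
import re

# Constructed sample syslog lines in the format written by the netfilter LOG
# target (with --log-prefix); they are not taken from the original thread.
SAMPLE_LOG = """\
Aug 19 21:43:01 fw kernel: PING-REQ: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.200 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Aug 19 21:43:01 fw kernel: PING-REP: IN= OUT=eth2 SRC=192.168.1.1 DST=192.168.2.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=4242 SEQ=1
Aug 19 21:43:05 fw kernel: FWD: IN=eth1 OUT=eth2 SRC=10.0.0.5 DST=192.168.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 19 21:43:06 fw sshd[123]: Accepted publickey for admin from 10.0.0.5
"""

ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request", 11: "time-exceeded"}
KV = re.compile(r"\b([A-Z]+)=(\S*)")                  # KEY=value tokens; bare flags like DF have no '='
PREFIX = re.compile(r"kernel: (?:\[[^\]]*\]\s*)?(.*?)\s*IN=")  # optional [timestamp], then --log-prefix text


def parse_log_line(line):
    """Parse one LOG-target line into a dict; return None for unrelated syslog lines."""
    m = PREFIX.search(line)
    if m is None or "PROTO=" not in line:
        return None
    fields = {"prefix": m.group(1)}
    for key, value in KV.findall(line[m.end() - 3:]):
        # The IP header and the ICMP header both log an ID field; the second
        # one (after PROTO=) is the ICMP identifier, so keep it under its own key.
        if key == "ID" and "ID" in fields:
            key = "ICMP_ID"
        fields[key] = value
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    # Which chain logged the packet follows from which interfaces are set:
    # locally delivered traffic has only IN, locally generated only OUT,
    # routed traffic both (the INPUT-vs-FORWARD question in the thread).
    fields["chain"] = "FORWARD" if in_if and out_if else ("INPUT" if in_if else "OUTPUT")
    fields["iface"] = in_if or out_if
    if fields.get("PROTO") == "ICMP":
        fields["icmp"] = ICMP_TYPES.get(int(fields["TYPE"]), "type-" + fields["TYPE"])
    return fields


def summarize(log_text):
    """One (prefix, chain, iface, src, dst, detail) tuple per LOG line in log_text."""
    rows = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f:
            detail = f.get("icmp") or f"{f['PROTO']} {f.get('SPT')}->{f.get('DPT')}"
            rows.append((f["prefix"], f["chain"], f["iface"], f["SRC"], f["DST"], detail))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(" ".join(row))
```

Run against a real `/var/log/kern.log` after adding a LOG rule before each ACCEPT, the iface column tells you which interface to put in -i for the request and -o for the reply.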