Hello,

Could you not turn on a logging statement before the REJECTS? Then you might see in the log what is being blocked.

-A INPUT -i $INTIF1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "FW-DROP-TCP " --log-tcp-options --log-ip-options
-A INPUT -i $INTIF1 -p udp -m udp -j LOG --log-prefix "FW-DROP-UDP " --log-tcp-options --log-ip-options
-A INPUT -i $INTIF1 -p icmp -j LOG --log-prefix "FW-DROP-ICMP " --log-tcp-options --log-ip-options
-A OUTPUT -o $INTIF1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "FW-DROP-TCP " --log-tcp-options --log-ip-options
-A OUTPUT -o $INTIF1 -p udp -m udp -j LOG --log-prefix "FW-DROP-UDP " --log-tcp-options --log-ip-options
-A OUTPUT -o $INTIF1 -p icmp -j LOG --log-prefix "FW-DROP-ICMP " --log-tcp-options --log-ip-options

I would also check if some outgoing traffic is blocked, like return packets from "--sport 22", since they might come from "-i INTIF1" and not "-I LO".
It might also be that your SSH server needs dns / auth(ident) / icmp to work - but I guess logging will spot the trouble.

Best regards
André Paulsberg
Senior Network Engineer
Core Network Operation, Network, Nordic Operations
andre.paulsberg@xxxxxxxx
M +47 xxx yyyyy
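Once LOG rules like the ones in the message above are loaded, the kernel log fills with FW-DROP-* lines; the following added example (not part of the original post) groups them by chain, protocol, endpoints and destination port so the blocked flow stands out. The sample lines, addresses and the interface name eth1 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed kernel-log lines in the LOG target's format (not real traffic).
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: FW-DROP-TCP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4)
Jan 10 12:00:02 fw kernel: FW-DROP-TCP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4)
Jan 10 12:00:03 fw kernel: FW-DROP-UDP IN= OUT=eth1 SRC=192.0.2.1 DST=192.0.2.53 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=35000 DPT=53 LEN=51
Jan 10 12:00:04 fw kernel: FW-DROP-ICMP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:05 fw sshd[812]: Server listening on 0.0.0.0 port 22.
"""

# The three --log-prefix values used by the rules in the message.
PREFIX_RE = re.compile(r"(FW-DROP-(?:TCP|UDP|ICMP)) (.*)")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one FW-DROP-* line, or None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group(2)):
        fields.setdefault(key, value)  # keep the first LEN=/ID= (the IP header's)
    fields["PREFIX"] = m.group(1)
    # The rules sit only in INPUT and OUTPUT: INPUT lines carry IN=<if>, OUTPUT lines OUT=<if>.
    fields["CHAIN"] = "INPUT" if fields.get("IN") else "OUTPUT"
    return fields


def summarize(text):
    """Count logged packets per (chain, proto, src, dst, dport or ICMP type)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        proto = f.get("PROTO", "?")
        detail = f"type={f.get('TYPE')}" if proto == "ICMP" else f"dpt={f.get('DPT')}"
        counts[(f["CHAIN"], proto, f.get("SRC"), f.get("DST"), detail)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

The TCP rules above match only packets with SYN set and FIN, RST and ACK clear, so replies leaving with source port 22 (SYN,ACK) show up in this summary only if a LOG rule without that flag match is added.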