The concept in iptables is different from that in ipchains. Everything which is just passing by your server goes through FORWARD and not through INPUT or OUTPUT. Try:
iptables -A FORWARD -i eth2 -o eth1 -j DROP
Tomaz
Roger wrote:
> Or that should be no-routing question.
>
> I have a linux box I would like to use as a router. 4 nics.
> eth0-outbound eth1-office x.x.5.x eth2-public-access x.x.10.x
> eth3-wireless x.x.15.x It's working to route traffic between
> interfaces okay. all interfaces are rfc1918 address. If the dsl
> router won't do nat, the router will be set to do nat. DSL isn't
> installed yet.
>
> What I want is for eth2 devices to *not* be able to connect to eth1
> devices. I tried rules similar to:
>   iptables -A INPUT -i eth1 -s x.x.10.x/24 -j DROP
>   iptables -A OUTPUT -o eth2 -d x.x.5.x/24 -j DROP
> but when on a 10.x host, I could still connect to 5.x addresses.
>
> any ideas?
>
> I figured if I could solve the eth1/eth2 problem, the same solution
> would work for eth1/eth3
>
> Roger


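The following is an added illustration, not part of the thread: a toy model of which netfilter chain a packet takes on Roger's router, used to compare Roger's INPUT/OUTPUT rules with Tomaz's FORWARD rule. The 192.168.5/10/15 addresses are constructed stand-ins for the x.x.5.x, x.x.10.x and x.x.15.x networks, and the first address of each network is assumed to be the router's own.

```python
# Added example (not from the mailing list): simplified netfilter chain
# selection for a Linux router, to show why rules in INPUT/OUTPUT never
# see traffic that is merely routed between interfaces.
from ipaddress import ip_address, ip_network

# Constructed networks standing in for Roger's x.x.5.x / x.x.10.x / x.x.15.x
IFACES = {
    "eth1": ip_network("192.168.5.0/24"),   # office
    "eth2": ip_network("192.168.10.0/24"),  # public access
    "eth3": ip_network("192.168.15.0/24"),  # wireless
}
# Assumption: the router holds the first host address on each network
ROUTER_IPS = {net.network_address + 1 for net in IFACES.values()}

def out_iface(dst):
    """Interface the routing table would pick for dst (eth0 = default route)."""
    for name, net in IFACES.items():
        if ip_address(dst) in net:
            return name
    return "eth0"

def chain_for(in_iface, dst):
    """Filter chain traversed: OUTPUT if router-generated, INPUT if for the
    router itself, otherwise FORWARD (routed through the box)."""
    if in_iface is None:
        return "OUTPUT"
    if ip_address(dst) in ROUTER_IPS:
        return "INPUT"
    return "FORWARD"

# Rules as (chain, -i, -o, -s, -d, target); None means the match is absent.
ROGER_RULES = [
    ("INPUT", "eth1", None, ip_network("192.168.10.0/24"), None, "DROP"),
    ("OUTPUT", None, "eth2", None, ip_network("192.168.5.0/24"), "DROP"),
]
TOMAZ_RULES = [("FORWARD", "eth2", "eth1", None, None, "DROP")]

def verdict(rules, in_iface, src, dst):
    """First matching rule's target in the chain this packet traverses,
    falling back to an assumed ACCEPT policy."""
    chain = chain_for(in_iface, dst)
    oif = None if chain == "INPUT" else out_iface(dst)
    for r_chain, r_in, r_out, r_src, r_dst, target in rules:
        if r_chain != chain or (r_in and r_in != in_iface) or (r_out and r_out != oif):
            continue
        if r_src and ip_address(src) not in r_src:
            continue
        if r_dst and ip_address(dst) not in r_dst:
            continue
        return target
    return "ACCEPT"
```

A public-access host (eth2) talking to an office host (eth1) is routed, so it hits FORWARD only; Roger's rules never match it, while Tomaz's single FORWARD rule drops it without touching traffic addressed to the router itself.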