> Reverse nat for replying packets is automatic, therefore replies get
> destination natted when they come back in.
This scares me. So you are saying that there are "implicit" NAT rules for "replying packets" that are immune to iptables DROP rules?! If a packet is part of an ESTABLISHED tcp connection then it can bypass an "SSH only" firewall?!?? I *didn't* allow /any/ ESTABLISHED connections on the FORWARD chain?!?!? How is iptables behaving as though I did!?!?!? This is default hardcoded behavior for iptables?!?!?

Chris

--
_______________________________________
Dr. Christian Seberino
SPAWAR Systems Center San Diego
Code 2363
53560 Hull Street
San Diego, CA 92152-5001
U.S.A.

Phone: (619) 553-7940
Fax:   (619) 553-2836
Email: [EMAIL PROTECTED]
_______________________________________
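The point at issue in this exchange, as an added example that is not part of the original mail or any reply to it: the nat table is consulted only for the first packet of a connection and conntrack un-NATs the replies on its own, but that un-NATing is address rewriting only; every forwarded packet, replies included, still traverses the filter table's FORWARD chain and is dropped there unless a rule accepts it. The script below emits two iptables-restore rulesets for a DNAT'd SSH forward, the "SSH only" one with no ESTABLISHED rule (replies to the accepted SSH connection die on the DROP policy) and the corrected one, and a small check that counts the relevant FORWARD rules. The interface name and the 192.0.2.10 address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail: two iptables-restore rulesets
# for a DNAT'd SSH forward (weak and corrected) plus a check function.
# PUB_IF and SSH_HOST are assumed placeholders (RFC 5737 documentation range).

PUB_IF="eth0"
SSH_HOST="192.0.2.10"

# nat section shared by both rulesets. Only the first packet of a connection
# is matched here; conntrack applies the reverse mapping to replies itself.
nat_section() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $PUB_IF -p tcp --dport 22 -j DNAT --to-destination $SSH_HOST:22
COMMIT
EOF
}

# Weak ruleset: FORWARD accepts the NEW SSH packet and nothing else. The
# un-NATed replies still pass through FORWARD, hit the DROP policy, and the
# handshake never completes. Nothing bypasses the filter table.
weak_ruleset() {
nat_section
cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $PUB_IF -p tcp -d $SSH_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Corrected ruleset: replies of connections already accepted as NEW are let
# through explicitly. The first packet of any flow is always ctstate NEW, so
# this does not open other ports: a flow whose NEW packet was dropped never
# gets a confirmed conntrack entry and therefore never becomes ESTABLISHED.
hardened_ruleset() {
nat_section
cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PUB_IF -p tcp -d $SSH_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count FORWARD rules in a ruleset that accept ESTABLISHED traffic.
# 0 means replies to the DNAT'd connection are dropped by the policy.
established_accepts() {
  "$1" | grep -c -- '^-A FORWARD .*--ctstate [A-Z,]*ESTABLISHED.*-j ACCEPT' || true
}

# Count FORWARD rules that accept NEW connections; the corrected ruleset
# still allows exactly one (SSH to SSH_HOST), nothing more.
new_accepts() {
  "$1" | grep -c -- '^-A FORWARD .*--ctstate NEW.*-j ACCEPT' || true
}

# Usage (as root): sh this_script.sh show | iptables-restore
if [ "${1:-}" = "show" ]; then
  hardened_ruleset
fi
```

The check functions only inspect the generated text; applying either ruleset needs root and `iptables-restore`. Older systems spell the match `-m state --state` instead of `-m conntrack --ctstate`; the behaviour described in the comments is the same.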
