Ahaa!! Crossfire was right. Packets do not pass through the INPUT chain
first and then the FORWARD chain like they do in IPCHAINS.
I have allowed the internet network on the internal device and dropped
practically everything else and it now logs and drops properly.
Thanks for that information. I also had found a site which graphed a block
diagram of how the rules work but accidentally closed the page.

If people want it, I'll try and find that site again and post it.


thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L


-----Original Message-----
From: Crossfire [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 3 January 2002 10:27 AM
To: George Vieira
Cc: Sydney Linux Users Group (E-mail)
Subject: Re: [SLUG] IPTABLES and confusing messages


George Vieira was once rumoured to have said:
> hey all,
> 
> I thought I was starting to get an understanding of iptables when I
> stumbled on this problem.
> 

[snip]

> The other thing weird is that my rules aren't DROPPING non-allowed packets
> and yet my rules appear quite strict.. I usually ACCEPT on the OUTPUT and
> FORWARD (-P) rules.. I explicitly specify as much rule matching as possible
> to eliminate the possibility of accidentally accepting when it shouldn't i.e.
> "-A INPUT -i eth1 -d 203.x.x.x" ouch.. Anything I want passed through I make
> the rules as explicit as possible.

It sounds like you're being snared by the fact that forwarded packets
do not pass through the INPUT ruleset in iptables, which is different
behaviour to ipchains.

C.
-- 
--==============================================--
  Crossfire      | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==============================================--
-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
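An added illustration of the point Crossfire makes above (forwarded traffic is seen by the FORWARD chain only, never by INPUT), not a ruleset from either poster: a minimal script that gives both chains a DROP policy with a LOG rule in front of it, so packets that match nothing are logged in whichever chain actually handles them. Interface names and the internal network are assumed; by default it only prints the commands (IPT=echo), so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the thread. IPT=echo (the default) prints the
# iptables commands; run as root with IPT=iptables to apply them.
IPT="${IPT:-echo}"
LAN_IF="eth1"            # assumed: internal interface
WAN_IF="eth0"            # assumed: internet-facing interface
LAN_NET="192.168.1.0/24" # assumed: internal network

build_rules() {
    # Default policies: a packet matching no rule in its chain is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # INPUT sees only packets addressed to this host itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # LOG sits just before the policy DROP so every blocked packet is visible.
    $IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

    # FORWARD sees only packets routed between interfaces. An ACCEPT placed
    # in INPUT (as in the quoted "-A INPUT -i eth1 ..." rule) never applies
    # to these, which is why they seemed to slip past a strict INPUT chain.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
}

# count_chain CHAIN: number of generated policy/append commands for CHAIN,
# a quick sanity check on the ruleset while in dry-run mode.
count_chain() {
    build_rules | grep -c -- "-[AP] $1 "
}

build_rules
```

With IPT=iptables the same LOG/DROP pairing means blocked forwarded packets show up in the kernel log with the FORWARD prefix, which is the quickest way to tell which chain is really dropping them.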