Only FORWARD chain seems to have an effect


millahdee
09-09-2002, 05:45 PM
I've set up a Linux box to serve as a standard router/firewall. I have eth0 and eth1 working perfectly with my ISP connected to eth0 and my LAN connected to eth1 and forwarding turned on to permit routing. Both worlds ping their respective NICs perfectly.

The problem is IPTABLES doesn't seem to work right. In trying to diagnose the problem, I've fallen back to a minimal setup and discovered something totally perplexing. If I set up the following minimal firewall script, which should block everything, *ALL* packets get through:

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT DROP

On the other hand, this blocks everything:

iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Can someone help me with what's going on here? I'm sure it's a simple setting that needs to be turned on/off, but I can't find anything in any of the HOWTOs that mention this. I need ip_forward in order to have the box route packets from the WAN to my LAN but it seems to be on hyperroute! I can't discriminate.

Thanks to all.

jumpedintothefire
09-09-2002, 06:31 PM
INPUT and OUTPUT are for the machine ONLY; FORWARD controls traffic to/from the LAN.

http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html

What are you trying to do??

millahdee
09-09-2002, 06:52 PM
What I'm trying to do is screen a block of static, routable IP addresses behind a single gateway machine. The problem I've discovered is that the rules I set up (no SYN packets in, limited ICMP packets, etc.) all seem to work for the firewall itself, but the rest of the IP block is naked to the Internet. For instance, I can't ping the gateway at x.x.x.1, but I can ping x.x.x.100, even though *all* pings are supposed to be blocked to *all* hosts behind the gateway.

To figure out what's going on (I assumed there was a problem with my iptables rules), I flushed everything and set up what I thought would be an impenetrable fortress: deny everything coming in and going out (of the gateway). I discovered that that only works if the FORWARD policy is also set to a DROP policy. If FORWARD is set to ACCEPT, everything still gets through. Even with

iptables -F
iptables -P INPUT DROP

Perhaps my logic is off and this isn't really the in extremis firewall script I thought it was, if that's what you're telling me. But that still leaves me with my problem: Why doesn't

iptables -F
iptables -A INPUT ! -d $GATEWAY -j DROP

prevent you from pinging my hosts behind the firewall? It prevents you from pinging the gateway perfectly, but the hosts behind the gateway are all still exposed! Could this be a kernel issue? This is so frustrating because what should work doesn't and what shouldn't work often does.

Thanks for your previous reply. I hope this clarifies my situation.

jumpedintothefire
09-09-2002, 07:32 PM
----quote-----
What I'm trying to do is screen a block of static, routable IP addresses

iptables -F
iptables -A INPUT ! -d $GATEWAY -j DROP
Perhaps my logic is off
---------------
The INPUT chain is only seen by packets that are going to your external IP; the LAN packets are handled by the FORWARD chain.

You're using the wrong chain. Try:

iptables -P FORWARD ACCEPT
iptables -A FORWARD ! -d $GATEWAY -j DROP

would be the same as:

iptables -P FORWARD DROP

open up what you need to:

iptables -A FORWARD -s x.x.x.100 -j ACCEPT
iptables -A FORWARD -d x.x.x.100 -j ACCEPT

More or less use the filtering from input chain as a guide for the forward chain. Treat it as both an input and an output chain for the lan....

jumpedintothefire
09-09-2002, 11:57 PM
Instead of writing a bunch of code..... Or if you do....
have a look at http://www.shorewall.net

millahdee
09-12-2002, 12:07 AM
That did it! You're brilliant! Wasn't sure at first why your suggestion would be the case, but now I get it: anything not destined for the Linux box serving as the gateway ITSELF gets sent to the FORWARD chain for processing. So... I set up a couple of custom chains, "incoming" and "outgoing", then analyzed the source and destination of the packets hitting the FORWARD chain to route each to either "incoming" or "outgoing", and then rewrote all my INPUT chain rules as "incoming" chain rules and all my OUTPUT chain rules as "outgoing" chain rules, and it works brilliantly!

Now I'm curious why in EVERYTHING I read before on iptables and firewalls NOTHING ever mentioned this little fact.

Thanks again for your help. This was truly driving me up the wall.
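The following script is an added example, not millahdee's or jumpedintothefire's own ruleset. It puts the two points of the thread into one runnable file: the `which_chain` function shows which built-in chain filters a packet on the gateway (only packets addressed to, or sent by, the box itself touch INPUT/OUTPUT; everything routed for the LAN block goes through FORWARD), and `gen_rules` builds the default-DROP FORWARD ruleset split into the "incoming" and "outgoing" custom chains millahdee describes. Two assumptions differ from the thread: traffic is steered into the custom chains by the interface pair (`-i`/`-o`) rather than by source/destination address, since an interface pair cannot be forged by a spoofed source, and the modern `-m conntrack` and `! -d` syntax is used. All addresses (TEST-NET-3), interface names and the exposed web host are constructed placeholders. By default the script only prints the iptables commands; set `IPT=iptables` to apply them as root.

```shell
#!/bin/sh
# Gateway ruleset for the setup in this thread (added example, not the
# poster's script). LAN hosts are filtered in FORWARD, split into the
# "incoming" and "outgoing" chains millahdee describes; only packets
# addressed to or sent by the gateway itself are filtered in INPUT/OUTPUT.
# Addresses and interface names below are constructed placeholders.
set -eu

GATEWAY="${GATEWAY:-203.0.113.1}"       # the router's own routable address
LAN_NET="${LAN_NET:-203.0.113.0/24}"    # the screened block behind it
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WEB_HOST="${WEB_HOST:-203.0.113.100}"   # one LAN host we choose to expose on port 80
# Dry run by default: print the commands instead of executing them.
# Apply for real with:  IPT=iptables sh gateway-fw.sh   (as root)
IPT="${IPT:-echo iptables}"

# Which built-in chain filters a packet on the gateway. This is the point the
# thread turns on: the choice depends on whether the packet is addressed to or
# sent by the box itself, not on which interface it arrives on.
which_chain() {
    src="$1"; dst="$2"
    if [ "$dst" = "$GATEWAY" ]; then
        echo INPUT          # terminates on the gateway
    elif [ "$src" = "$GATEWAY" ]; then
        echo OUTPUT         # generated by the gateway
    else
        echo FORWARD        # routed through the gateway: the whole LAN block
    fi
}

gen_rules() {
    $IPT -F
    $IPT -X
    # Default deny in all three chains, so a LAN host is reachable only
    # through a rule that explicitly allows it.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # The gateway itself: loopback, replies to its own connections, SSH from the LAN only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # Routed traffic: split FORWARD by direction into two custom chains.
    # The thread keyed on source/destination addresses; this version keys on
    # the interface pair, which a forged source address cannot influence.
    $IPT -N incoming
    $IPT -N outgoing
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j incoming
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j outgoing
    # Anything else in FORWARD (WAN->WAN, unexpected interface pairs) hits the DROP policy.

    # incoming = Internet -> LAN: the rules that used to live in INPUT.
    $IPT -A incoming -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A incoming -p tcp -d "$WEB_HOST" --syn --dport 80 -j ACCEPT
    $IPT -A incoming -p icmp --icmp-type echo-request -j DROP   # no pings to the LAN block
    $IPT -A incoming -m limit --limit 5/min -j LOG --log-prefix "FWD-IN-DROP: "
    $IPT -A incoming -j DROP

    # outgoing = LAN -> Internet: the rules that used to live in OUTPUT, plus an
    # anti-spoofing check that the source really is one of our own addresses.
    $IPT -A outgoing ! -s "$LAN_NET" -j DROP
    $IPT -A outgoing -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A outgoing -j DROP
}

# Number of rules the generated ruleset appends to a chain (dry-run output only);
# handy for sanity-checking the script before applying it.
count_rules() {
    gen_rules | grep -c "^iptables -A $1 "
}

gen_rules
```

Run it once without `IPT` set to review the generated commands, then with `IPT=iptables` as root. The one thing the ruleset does not cover is the gateway's own outbound DNS/NTP needs beyond what the OUTPUT conntrack rule allows; add those to OUTPUT, not to the LAN chains.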