with masq entries, do you mean "ipchains -A forward -s 192.168.100.0/24 -i eth0 -j MASQ"?

also, i would place the policies in the config first before any other rules. could you email me (privately) with the output of 'ipchains -L'?

and the lines where you DENY all of the input and output chains except for the 'lo' interface should conceptually be changed to

  ipchains -P input REJECT
  ipchains -P output REJECT
  ipchains -A input -i lo -j ACCEPT
  ipchains -A output -i lo -j ACCEPT

in general, the policies should express the base case and all exceptions should be rules.

what i don't like about your config is that it is not very ordered, which makes administration harder. i would suggest the following format:

  1) the three policies with DENY targets
  2) obvious input rules such as allowing all -i lo traffic
  3) input rules that you would like to direct to REJECT
  4) regular input rules
  5) repeat 2-4 for chain forward
  6) repeat 2-4 for chain output
  7) include a log line for every chain.

  ipchains -A input -l

this way, it helps to configure your chains properly and it gives you some idea in the syslog of what requests arrive at the policy. it is best to have a rule for everything that you expect and only let the policy act when something unexpected happens. that makes attempted hack attacks easy to spot.

martin

madduck@madduck.net
(greetings from the heart of the sun)
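
An added example, not part of the original message: a small POSIX shell linter that checks an ipchains script against the layout suggested above (policies before any rule, each chain's rules kept together, a bare `-l` log rule last in every chain). Both sample rulesets are constructed for illustration, and the function names are hypothetical.

```shell
# check_ruleset: read an ipchains script on stdin, print one finding per line, return 1 if any.
check_ruleset() {
    findings=$(awk '
    $1 != "ipchains" { next }            # skip comments and other commands
    $2 == "-P" && rules_seen { print "line " NR ": policy for " $3 " set after rules" }
    $2 == "-P" { policy[$3] = $4; next }
    $2 == "-A" {
        rules_seen = 1
        if ($3 != current) {             # switched chain: were we here before?
            if ($3 in closed) print "line " NR ": rules for " $3 " are not grouped"
            closed[current] = 1; current = $3
        }
        last_is_log[$3] = (NF == 4 && $4 == "-l")   # only -l: no match, no target
    }
    END {
        n = split("input forward output", chains, " ")
        for (i = 1; i <= n; i++) {
            if (!(chains[i] in policy)) print "chain " chains[i] ": no policy set"
            if (!last_is_log[chains[i]]) print "chain " chains[i] ": last rule is not a bare -l log rule"
        }
    }')
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
}

# Constructed sample that follows the suggested order.
ordered_ruleset() { cat <<'EOF'
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -l
ipchains -A forward -s 192.168.100.0/24 -i eth0 -j MASQ
ipchains -A forward -l
ipchains -A output -i lo -j ACCEPT
ipchains -A output -l
EOF
}
# Constructed counter-example: late policies, interleaved chains, no output log rule.
disordered_ruleset() { cat <<'EOF'
ipchains -A input -i lo -j ACCEPT
ipchains -P input DENY
ipchains -A output -i lo -j ACCEPT
ipchains -A input -l
ipchains -P forward DENY
ipchains -A forward -l
EOF
}
disordered_ruleset | check_ruleset || echo "layout problems found"
```

To lint a real script, feed it on stdin: `check_ruleset < your-firewall-script`.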