I just now set up a router for some small home LAN, and was surprised that going the easy way with REJECT_ALL_INCOMING_CONNECTIONS="ippp0 masq" did NOT work. As it turned out, the outgoing packets were masq'ed, but the responding ones did not get through the FORWARD chain:

    iptables -L -nv     # [edited to make the lines fit]
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target      prot opt in     out     source     destination
        0     0 TCPMSS      tcp  --  *      *       0/0        0/0        [options]
        0     0 reject_func all  --  ippp0  *       0/0        0/0
        0     0 ACCEPT      all  --  *      ippp0   0/0        0/0

I miss a rule similar to

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target      prot opt in     out     source     destination
        0     0 TCPMSS      tcp  --  *      *       0/0        0/0        [options]
    ### this one:
        0     0 ACCEPT      all  --  ippp0  *       0/0        0/0        \
                  state RELATED,ESTABLISHED
    ### before rejecting everything coming in on DEV_EXT
        0     0 reject_func all  --  ippp0  *       0/0        0/0
        0     0 ACCEPT      all  --  *      ippp0   0/0        0/0

This might be by design, but then it should be stated somewhere. At least it renders the last rule above useless.

Looking at the code, this diff [against SuSEfirewall2-3.1-26] just after masquerading part 1 in the FW_QUICKMODE section would do the trick:

----%<----
--- /sbin/SuSEfirewall2.orig	2002-12-16 18:12:30.000000000 +0100
+++ /sbin/SuSEfirewall2	2002-12-16 18:35:16.000000000 +0100
@@ -514,8 +514,10 @@
 	$IPTABLES -A input_ext -j "$REJECT"
 
 	# now reject everything which is entering through insecure interfaces
+	# unless it belongs to an established connection
 	for i in $FW_DEV_EXT; do
 		$IPTABLES -A INPUT -i $i -j input_ext
+		$IPTABLES -A FORWARD -i $i -j "$ACCEPT" -m state --state ESTABLISHED,RELATED
 		$IPTABLES -A FORWARD -i $i -j "$REJECT"
 	done
----%<----

Comments?

Lars
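Review bot: the new comment line in the hunk ("unless it belongs to an established connection") understates what the added FORWARD rule admits, since `--state ESTABLISHED,RELATED` also lets through RELATED packets (ICMP errors and connections expected by conntrack helpers); say "established or related connection" in the comment so the rule and its description agree. Style only: put `-m state --state ESTABLISHED,RELATED` before `-j "$ACCEPT"`, matching the match-then-target order of the neighbouring `-i $i -j input_ext` and `-i $i -j "$REJECT"` lines; iptables accepts either order, so behaviour is unchanged.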
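To make the ordering problem concrete, here is a small first-match model of the FORWARD chain from the listing above (an added example, not part of Lars's mail or of SuSEfirewall2; the LAN interface name and the conntrack states attached to the sample packets are constructed):

```python
from collections import namedtuple

# A forwarded packet as seen by the FORWARD chain: the interface it came in on,
# the interface it will leave on, and the state conntrack has assigned to it.
Packet = namedtuple("Packet", "in_if out_if state")

EXT = "ippp0"   # external (dial-up) interface from the listing
LAN = "eth0"    # assumed internal interface, not named in the post

def first_match(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom, return the verdict of the first
    terminating rule that matches, or the chain policy if none does."""
    for rule in chain:
        if rule["in"] not in ("*", pkt.in_if):
            continue
        if rule["out"] not in ("*", pkt.out_if):
            continue
        if "state" in rule and pkt.state not in rule["state"]:
            continue
        if rule.get("terminating", True):
            return rule["target"]
        # TCPMSS only rewrites the MSS option and lets the packet continue
    return policy

# The chain as printed by `iptables -L -nv` (reject_func ends in REJECT).
ORIGINAL_FORWARD = [
    {"in": "*", "out": "*", "target": "TCPMSS", "terminating": False},
    {"in": EXT, "out": "*", "target": "REJECT"},
    {"in": "*", "out": EXT, "target": "ACCEPT"},
]

# The same chain with the state rule inserted before the reject.
PATCHED_FORWARD = [
    ORIGINAL_FORWARD[0],
    {"in": EXT, "out": "*", "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    ORIGINAL_FORWARD[1],
    ORIGINAL_FORWARD[2],
]

def verdicts(chain):
    """Verdicts for the three packets that matter for a masquerading router."""
    outgoing = Packet(LAN, EXT, "NEW")            # LAN host opens a connection
    reply = Packet(EXT, LAN, "ESTABLISHED")       # answer comes back, de-masqueraded
    unsolicited = Packet(EXT, LAN, "NEW")         # something new from outside
    return {
        "outgoing": first_match(chain, outgoing),
        "reply": first_match(chain, reply),
        "unsolicited": first_match(chain, unsolicited),
    }
```

With the original chain the reply is rejected by the `-i ippp0` rule before the `-o ippp0` ACCEPT is ever reached; with the state rule in front the reply is accepted while unsolicited inbound traffic is still rejected.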