Greetings using Suse 7.1 kernel 2.4.0 iptables 1.2.4 with 2 nics eth0 192.168.4.2 pointing to my ADSL Router eth1 192.168.5.1 pointing to the LAN i inserted some rules and got surprising rezolts, doing iptables -L shows me ANY to ANY tcp ACCEPT ! i didn't put this rule. incoming connection will stop at first rule on the list right? so is this rule here to enable any connection at all and then eliminating what i'm blocking? my ADSL router is doing the NAT from 192.117.x.1 to 192.168.4.1, i have no problem getting out of the firewall but I'm nut sure about getting into the firewall or LAN behind it. 192.117.x.1 is the router address so how can I open ports on/through the firewall? I guess I will have to disable routing on the router and do it on the firewall, right? thanks and happy year here is the rules and output iptables -L: Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW LOG all -f anywhere anywhere LOG level warning prefix `IPTABLES FRAGMENTS: ' DROP all -f anywhere anywhere ACCEPT udp -- 212.179.27.100 anywhere udp spt:domain state ESTABLISHED ACCEPT udp -- 216.34.120.171 anywhere udp spt:domain state ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:http state ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT udp -- anywhere 212.179.27.100 udp dpt:domain state NEW,ESTABLISHED ACCEPT udp -- anywhere 216.34.120.171 udp dpt:domain state NEW,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp spt:ftp state NEW,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp spt:smtp state NEW,ESTABLISHED rules: =============================== ## LOOPBACK # Allow unlimited traffic on the loopback interface. iptables -A INPUT -i lo -j ACCEPT ## Make sure NEW tcp connections are SYN packets iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP ## FRAGMENTS # Log fragments just to see if we get any, and deny them too. iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS: " iptables -A INPUT -i eth0 -f -j DROP ## DNS # Allow UDP packets in for DNS client from nameservers. iptables -A INPUT -i eth0 -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT # Allow UDP packets to DNS servers from client. iptables -A OUTPUT -o eth1 -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT ## WWW # Allow www outbound to 80. iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT #FTP iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT #smtp #iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT