Only after I posted my message below to comp.os.linux.networking, I realised that maybe the SuSE-linux list could be a good forum. For further explanation: I have not used firewall2 (did not know it existed for iptables).

Original message:

I am trying to set up my mini home-network, which is a gateway with two ethernet cards, an Alcatel DSL modem to the ISP and one more linux workstation, which connects directly to the gateway via a cross ethernet cable. Everything seems ok, I think I have followed all the docs I could find (The SuSE linux server, Linux Ethernet-HOWTO, Linux IP Masq HOWTO), but I am unable to go from the Linux box thru the gateway to the external world.

Both boxes are running Suse 7.2, with 2.4.9 kernel and the gateway has iptables 1.2.3 with kernel-patches applied. The NICs are 3com PCI cards, which share the same IRQ (10) and although I have been reading somewhere that this may create a problem, I also believe that this is not the case for PCI cards.

The workstation has netstat -rn:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
    172.16.170.0    0.0.0.0         255.255.255.0   U        40 0          0 vmnet1
    0.0.0.0         192.168.1.249   0.0.0.0         UG       40 0          0 eth0

From the workstation I can ping the gateway (192.168.1.249) and the other NIC, which is 10.0.0.1 and which is connected with the ADSL modem. And I can also ping the modem itself (10.0.0.138).

On the gateway, before DSL is brought up, the netstat -rn is

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    10.0.0.0        0.0.0.0         255.255.255.0   U        40 0          0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0

When I connect to the isp, I get the following messages:

    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/3
    local IP address 213.84.231.25
    remote IP address 195.190.242.241
    primary DNS address 194.109.104.104
    secondary DNS address 194.109.6.66

which seems perfectly ok and now the netstat -rn gives:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    195.190.242.241 0.0.0.0         255.255.255.255 UH       40 0          0 ppp0
    10.0.0.0        0.0.0.0         255.255.255.0   U        40 0          0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
    0.0.0.0         195.190.242.241 0.0.0.0         UG       40 0          0 ppp0

and the ifconfig tells (shortened):

    eth0      Link encap:Ethernet  HWaddr 00:01:02:DF:D4:23
              inet addr:192.168.1.249  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

    eth1      Link encap:Ethernet  HWaddr 00:01:02:DF:D4:21
              inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

    ppp0      Link encap:Point-to-Point Protocol
              inet addr:213.84.231.25  P-t-P:195.190.242.241  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

I am using iptables with the following relevant rules (from the IP Masq HOWTO):

    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD

    INT=eth0
    EXT=eth1

    echo " - FWD: Allow all connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INT -o $EXT -j ACCEPT
    $IPTABLES -A FORWARD -j LOG

    echo " - Enabling SNAT (MASQUERADE) functionality on $EXT"
    $IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

No problems are reported, all modules load, etc. IP forwarding is on.

I can ping the local IP address 213.84.231.25 on the gateway from the workstation, but if I try to ping the other end of the PtP (195.190.242.241), or the nameservers, or any other external IP address, it fails as:

    #> ping 195.190.242.241
    PING 195.190.242.241 (195.190.242.241): 56 data bytes

    --- 195.190.242.241 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

The log messages in /var/log/messages report that the packages are coming, but what they are doing, I have no clue:

    Sep 17 23:52:57 stremen kernel: IN=eth0 OUT=ppp0 SRC=192.168.1.250 DST=195.190.242.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=37893 SEQ=0
    Sep 17 23:52:58 stremen kernel: IN=eth0 OUT=ppp0 SRC=192.168.1.250 DST=195.190.242.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=37893 SEQ=1

Although these messages seem to indicate that the output is thru ppp0 (and not eth1), changing the output (-o) in iptables from eth1 to ppp0, has no effect whatsoever.

I am at a loss and any help would be greatly appreciated. I have also no idea how to investigate the problem any further. Is there a detailed debugging option somewhere which I can turn on?

Thanks,
--
Charles Stroom
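
An added example, not part of the original post: a small Python model that parses the kernel LOG lines quoted above and walks each packet through the interface matches of the quoted FORWARD and POSTROUTING rules, once for EXT=eth1 and once for EXT=ppp0. The function names (`parse_log_line`, `trace`, `report`) are made up here, only interface and state matching is modelled, and the logged echo requests are assumed to be new connections.

```python
import re

# The two kernel LOG lines quoted in the post.
SAMPLE_LOG = """\
Sep 17 23:52:57 stremen kernel: IN=eth0 OUT=ppp0 SRC=192.168.1.250 DST=195.190.242.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=37893 SEQ=0
Sep 17 23:52:58 stremen kernel: IN=eth0 OUT=ppp0 SRC=192.168.1.250 DST=195.190.242.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=37893 SEQ=1
"""

# Only these keys are kept: "ID=" occurs twice per line (IP header, ICMP echo),
# so a generic key=value dict would silently overwrite one of them.
FIELD = re.compile(r"\b(IN|OUT|SRC|DST|PROTO)=(\S*)")


def parse_log_line(line):
    """Return the IN/OUT/SRC/DST/PROTO fields of one netfilter LOG line."""
    return dict(FIELD.findall(line))


def trace(pkt, int_if, ext_if, established=False):
    """Walk the post's rules for one packet: (FORWARD verdict, masqueraded?)."""
    rules = [
        # -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
        (ext_if, int_if, True),
        # -A FORWARD -i $INT -o $EXT -j ACCEPT
        (int_if, ext_if, False),
    ]
    verdict = "LOG, then policy DROP"   # -A FORWARD -j LOG ; -P FORWARD DROP
    for in_if, out_if, needs_state in rules:
        if pkt["IN"] == in_if and pkt["OUT"] == out_if and (established or not needs_state):
            verdict = "ACCEPT"
            break
    # -t nat -A POSTROUTING -o $EXT -j MASQUERADE is only reached by accepted packets
    masqueraded = verdict == "ACCEPT" and pkt["OUT"] == ext_if
    return verdict, masqueraded


def report(log_text, int_if, ext_if):
    """Trace every logged packet; returns a list of (packet, verdict, masqueraded)."""
    packets = [parse_log_line(l) for l in log_text.splitlines() if "IN=" in l]
    return [(p, *trace(p, int_if, ext_if)) for p in packets]


if __name__ == "__main__":
    for ext in ("eth1", "ppp0"):
        for pkt, verdict, nat in report(SAMPLE_LOG, "eth0", ext):
            print(f"EXT={ext}: {pkt['SRC']} -> {pkt['DST']} via {pkt['OUT']}: {verdict}, masqueraded={nat}")
```

In this model the logged packets (IN=eth0 OUT=ppp0) match neither ACCEPT rule while EXT=eth1, which is consistent with their reaching the LOG rule; with EXT=ppp0 the same packets match the second FORWARD rule and the MASQUERADE rule.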