<p>Hi,</p>
<p>at the end, how is your /etc/iptables.rules look like?
If i am not in mistake... ..you are doing nat & ip forwarding, but you are dropping all forwarding packets. Also, whole your firewall is oriented only for INPUT.
It's not good way to drop ICMP type 8 packets (ping), especially for routers.
Here is some notes, from the way I saw how it's done (copy from configuration file - i'am using fedora):</p>
<blockquote>
<p>-A INPUT -p icmp --icmp-type 0 -j ACCEPT<br />
-A INPUT -p icmp --icmp-type 3 -j ACCEPT<br />
-A INPUT -p icmp --icmp-type 11 -j ACCEPT<br />
-A INPUT -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT<br />
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p icmp -j DROP</p>
</blockquote>
<p>It's good to accept everything ESTABLISHED and RELATED, so after that rule everything else should have state NEW, right? So it doesn't make sense to put: -m state --state NEW.</p>
<p>I saw that you are using SSH. My suggestion is to use a separate chain for that port. With that chain you can manage it more precisely:</p>
<blockquote>
<p>:IN_proto_SSH - [0:0] <br />
-A INPUT -p tcp --dport 22 -j IN_proto_SSH <br />
-A IN_proto_SSH -s 192.168.100.1 -j ACCEPT <br />
-A IN_proto_SSH -j REJECT_unr_PORT <br /></p>
</blockquote>
<p>Note that I use a separate chain for dropping. (When I drop, I want to be SURE that it's dropped, no matter how ;) ). First, it's good to be friendly: if it's just DROP-ing, the sender will try AGAIN shortly. But if you reject and say "man, there is nothing there", the sender stops sending those requests:</p>
<blockquote>
<p>:REJECT_unr_PORT - [0:0] <br />
-A REJECT_unr_PORT -p tcp -j REJECT --reject-with tcp-reset <br />
-A REJECT_unr_PORT -p udp -j REJECT --reject-with icmp-port-unreachable <br />
-A REJECT_unr_PORT -j DROP <br /></p>
</blockquote>
<p>Also, you may find it useful to work with '-m limit --limit 20/minute -j ACCEPT' and '-j LOG --log-level debug --log-prefix ":note: "'.</p>
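<p>The points above (ESTABLISHED/RELATED first, rate-limited ping instead of a blanket ICMP drop, a dedicated SSH chain, a REJECT chain that ends in DROP, a FORWARD chain that actually lets the NAT'd LAN out, and limited logging) put together as one iptables-restore file. This is an added example, not the answerer's configuration: it assumes eth0 is the WAN interface, eth1 the LAN interface, 192.168.100.0/24 the LAN, and 192.168.100.1 the single host allowed to SSH in; all of these are placeholders overridable through environment variables.</p>

```shell
#!/bin/sh
# Added example, not from the original answer. Generates a complete
# /etc/iptables.rules in iptables-restore format and sanity-checks it.
# Assumed topology (placeholders, not from the post): eth0 = WAN, eth1 = LAN,
# LAN = 192.168.100.0/24, SSH admin host = 192.168.100.1.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.100.0/24}"
SSH_ADMIN="${SSH_ADMIN:-192.168.100.1}"

# write_rules FILE: write the ruleset to FILE (for example /etc/iptables.rules).
write_rules() {
    cat > "$1" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:IN_proto_SSH - [0:0]
:REJECT_unr_PORT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp --dport 22 -j IN_proto_SSH
-A INPUT -m limit --limit 20/minute -j LOG --log-level debug --log-prefix ":note: INPUT drop: "
-A INPUT -j REJECT_unr_PORT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m limit --limit 20/minute -j LOG --log-level debug --log-prefix ":note: FORWARD drop: "
-A FORWARD -j REJECT_unr_PORT
-A IN_proto_SSH -s $SSH_ADMIN -j ACCEPT
-A IN_proto_SSH -m limit --limit 20/minute -j LOG --log-level debug --log-prefix ":note: SSH denied: "
-A IN_proto_SSH -j REJECT_unr_PORT
-A REJECT_unr_PORT -p tcp -j REJECT --reject-with tcp-reset
-A REJECT_unr_PORT -p udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT_unr_PORT -j DROP
COMMIT
EOF
}

# check_rules FILE: structural checks that need no root and no iptables binary.
check_rules() {
    f="$1"
    # The ESTABLISHED,RELATED accept must come before any per-service rule.
    est=$(grep -n '^-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT$' "$f" | cut -d: -f1)
    ssh=$(grep -n '^-A INPUT -p tcp --dport 22 -j IN_proto_SSH$' "$f" | cut -d: -f1)
    [ -n "$est" ] && [ -n "$ssh" ] && [ "$est" -lt "$ssh" ] || return 1
    # A DROP policy on FORWARD must be paired with at least one ACCEPT for the LAN.
    grep -q '^-A FORWARD .* -j ACCEPT$' "$f" || return 1
    # The reject chain must end in an unconditional DROP.
    grep -q '^-A REJECT_unr_PORT -j DROP$' "$f" || return 1
    return 0
}

# apply_rules FILE: parse-only dry run first, then load. Needs root.
apply_rules() {
    iptables-restore --test < "$1" && iptables-restore < "$1"
}

# Usage: ./rules.sh /etc/iptables.rules   (then apply_rules as root)
if [ $# -gt 0 ]; then
    write_rules "$1" && check_rules "$1" && echo "ruleset written to $1"
fi
```

<p>The file is meant to be loaded with iptables-restore, so the chain declarations (:IN_proto_SSH, :REJECT_unr_PORT) sit in the same place they do in the answer. The LOG rules carry their own -m limit so that a flood cannot fill the log, and they sit right before the jump to REJECT_unr_PORT so only traffic about to be refused gets logged.</p>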