
iptables - filtering question


Name: Matt
Date: July 9, 2002 at 02:56:40 Pacific
Comment:

Hi there

I am trying to filter certain areas on a small LAN from seeing each other. I have 3 interfaces:
Eth0: Connected to a dsl modem to the Internet (live address)
Eth1: 192.168.0.1/24
Eth2: 172.16.0.1/16

I basically want to restrict Eth2 from doing very much at all (not accessing the net or 192.168.0.0/24).
The problem is that it's been fine to set up the filters to stop access to all of the destinations *except* the address that is assigned to the actual interface of the linux box.

E.g.: A host on 172.16.0.0/16 can no longer ping any host on 192.168.0.0/24 except for 192.168.0.1, which is assigned to eth1. Likewise for the Internet side: 172.16.0.0/16 cannot get out on the net (even with NAT), but it can get to the live address assigned to interface eth0.

I have been playing around with various ways of filtering, but can't stop this.

Any ideas on blocking this behaviour?

TIA

Response Number 1
Name: junky_toof
Date: July 9, 2002 at 13:22:06 Pacific
Reply:

# Drop traffic from the 172.16.0.0/16 LAN to any destination outside it.
# (The negation is written "! -d" here; the older "-d !" form is rejected by current iptables.)
iptables -A INPUT   -s 172.16.0.0/16 ! -d 172.16.0.0/16 -j DROP
iptables -A FORWARD -s 172.16.0.0/16 ! -d 172.16.0.0/16 -j DROP
iptables -A OUTPUT  -s 172.16.0.0/16 ! -d 172.16.0.0/16 -j DROP

Hope you get the idea.
MMD



Response Number 2
Name: Matt
Date: July 9, 2002 at 18:23:05 Pacific
Reply:

Thanks, but it doesn't solve my problem. I understand your rules (basically anything with a source of 172.16.0.0/16 and a destination of anything *other* than 172.16.0.0/16 gets dropped), but if I'm on a host on 172.16.0.0/16, I can still ping the eth1 interface address of 192.168.0.1 (even though I can't ping anything on the rest of that network).

It seems like these rules do not apply to the actual interface address of the router (linux box)

Any other thoughts on this?

Matt



Response Number 3
Name: junky_toof
Date: July 9, 2002 at 20:07:42 Pacific
Reply:

Matt,
I would assign an implicit deny for that address then. That is strange, however. It makes me think that I would like to have you insert this rule and tell me what happens. If this works you may just need to reorder your rulesets. The order of the rules is very important.

iptables -I INPUT -s 172.16.0.0/16 -d 192.168.0.1 -j DROP



Response Number 4
Name: Matt
Date: July 9, 2002 at 21:11:16 Pacific
Reply:

junky_toof

Sorry, it does work, the INPUT chain is what I needed.

Thanks

Matt


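The fix the thread arrives at, worked out into a complete ruleset as an added example (this is not code from any of the posts): rules in the FORWARD chain only see traffic the box routes between its interfaces, while anything addressed to one of the box's own addresses, 192.168.0.1 and the public eth0 address included, is delivered locally and traverses INPUT instead. That is why the first set of rules left the interface addresses reachable from eth2. The interface names and LAN prefixes below are taken from the question; the conntrack, anti-spoofing and NAT rules, the use of iptables-restore format, and the matching on the ingress interface rather than the source prefix are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original thread: a full ruleset for the
# three-interface box Matt describes (eth0 Internet, eth1 192.168.0.1/24,
# eth2 172.16.0.1/16).  Interface names and LAN prefixes come from the post;
# everything else (conntrack rules, MASQUERADE for eth1, iptables-restore
# format) is this example's assumption.
#
# Why the INPUT chain: a packet from 172.16.x.y to 192.168.0.1 is addressed to
# one of the box's OWN addresses, so after the routing decision it is delivered
# locally and traverses INPUT, never FORWARD.  Linux accepts a packet for any
# local address on any interface (weak host model), which is why FORWARD rules
# alone left 192.168.0.1 and the eth0 address reachable from eth2.
#
# Matching on the ingress interface (-i eth2) instead of the source prefix also
# means a host on eth2 cannot dodge the rule by forging its source address.

ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only the 192.168.0.0/24 LAN is NATed out; eth2 gets no NAT rule at all.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the box or a permitted LAN opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: nothing arriving from the Internet may claim a LAN source.
-A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/16 -j DROP
-A FORWARD -i eth0 -s 192.168.0.0/24 -j DROP
-A FORWARD -i eth0 -s 172.16.0.0/16 -j DROP
# eth2: may not talk to the box itself (the rule the thread was missing) ...
-A INPUT -i eth2 -j DROP
# ... and may not be routed anywhere, Internet or 192.168.0.0/24 alike.
-A FORWARD -i eth2 -j DROP
# eth1: full access to the box and the Internet, but never to eth2.
-A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j DROP
-A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: count the DROP rules that match ingress eth2.
# Both chains (INPUT and FORWARD) must be covered, so the expected value is 2.
eth2_drop_rules() {
    ruleset | grep -c -- '^-A [A-Z]* -i eth2 -j DROP$'
}

# Print the ruleset.  To load it atomically (as root): ./fw.sh | iptables-restore
ruleset
```

Loading through iptables-restore replaces the whole table in one step, so there is no window with flushed chains and open policies as there is with a series of `iptables -F` / `iptables -A` commands. If the eth2 hosts need something from the box itself (DHCP or DNS, say), insert the matching ACCEPT rules above `-A INPUT -i eth2 -j DROP`; the same goes for any service the box offers on its eth0 address, since the INPUT policy is DROP. Forwarding for eth1 still needs `net.ipv4.ip_forward=1`.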
