IPTABLES internal/external nic
Name: Kvetch Date: August 19, 2004 at 12:04:03 Pacific OS: RH E3 CPU/Ram: 2.4 XEON
Comment:
I can't seem to figure out what I am doing wrong with my IPTABLES rules. I have 2 nics on this machine. I wanted to trust everything from eth0 and deny everything but port 80 on external nic.
# iptables -F
# iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j REJECT - I want to reject spoofed addresses pretending to be my internal nic
# iptables -A INPUT -i lo -j ACCEPT - accept everything on the loopback
# iptables -A INPUT -i eth0 -j ACCEPT - accept everything on the internal nic
# iptables -A INPUT -p tcp --dport www -j ACCEPT - is limiting this to the eth1 needed?
# iptables -A INPUT -j LOG -m limit
# iptables -A INPUT -j REJECT
# service iptables save
I restart iptables but then I am unable to ssh into eth0. Any ideas what is wrong in my config?
Name: 3Dave Date: August 20, 2004 at 01:13:57 Pacific
Reply:
FYI you can protect yourself against IP spoofing with: # echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
Response Number 2
Name: Kvetch Date: August 20, 2004 at 06:24:03 Pacific
Reply:
Thanks - I didn't mention that but I already set that. Thanks
Response Number 3
Name: 3Dave Date: August 20, 2004 at 06:44:55 Pacific
Reply:
You can probably leave out the "iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j REJECT - I".
Why have the -I (I take it the "- I" is a typo for "-I") without a chain name when the rule is the first to be set? It looks as though eth1 will reject everything coming from 192.168.1.0/24 even if it's eth0. If you want to use that rule you might want to add a destination pointing at your local LAN...
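Pulling the thread's pieces together (the original rule set, 3Dave's rp_filter setting, and his point that the anti-spoof rule should only bite on the external NIC), here is an added example script; it is not code from the thread or from any of its posters. It assumes eth0 is the trusted internal NIC on 192.168.1.0/24 and eth1 the external NIC, and it adds two things the original post lacks: a deny-by-default policy on INPUT and a state rule, because without one every reply to a connection the host itself opens out of eth1 (DNS lookups, package updates, outbound ssh) hits the final REJECT. Without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): INPUT-chain firewall for a two-NIC host.
# Assumed layout: INT_IF = trusted internal NIC on INT_NET, EXT_IF = untrusted
# external NIC on which only TCP/80 is offered. Run as root with APPLY=1 to
# load the rules; otherwise the script is a dry run that prints each command.

INT_IF=${INT_IF:-eth0}
EXT_IF=${EXT_IF:-eth1}
INT_NET=${INT_NET:-192.168.1.0/24}
APPLY=${APPLY:-0}

if [ "$APPLY" = "1" ]; then
    IPT=iptables
else
    IPT="echo iptables"
fi

# Kernel-side reverse-path check (the sysctl 3Dave mentioned); it complements,
# rather than replaces, the explicit anti-spoof rule below.
set_rp_filter() {
    if [ "$APPLY" = "1" ]; then
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    else
        echo 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter'
    fi
}

apply_rules() {
    # Start from an empty INPUT chain with a deny-by-default policy, so a
    # packet that matches nothing below is dropped even if the REJECT rule
    # at the end is ever removed.
    $IPT -F INPUT
    $IPT -P INPUT DROP

    # Loopback traffic is always accepted.
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: internal addresses must never arrive on the external NIC.
    # Scoped with -i to $EXT_IF, so the same source range on $INT_IF is untouched.
    $IPT -A INPUT -i "$EXT_IF" -s "$INT_NET" -j DROP

    # Replies to connections this host initiated would otherwise be refused
    # by the final REJECT.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Trust everything arriving on the internal NIC (this is where ssh comes in).
    $IPT -A INPUT -i "$INT_IF" -j ACCEPT

    # The only service exposed on the external NIC: HTTP.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Log what is about to be refused (rate-limited), then refuse it.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-REJECT: "
    $IPT -A INPUT -j REJECT
}

set_rp_filter
apply_rules
```

The anti-spoof rule uses DROP rather than the REJECT from the original post: answering a forged source address only generates traffic toward whoever owns that address. Rule order matters because INPUT is evaluated first match wins, which is why the state rule sits before the per-interface ACCEPTs and the logging rule sits immediately before the final REJECT. After checking the dry-run output, load it with `APPLY=1 sh firewall.sh` and then `service iptables save` as in the original post.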