LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 08-07-2006, 10:43 PM   #1
slazer
LQ Newbie
 
Registered: Oct 2005
Location: kuala lumpur, malaysia
Distribution: slackware, fedora
Posts: 26

Rep: Reputation: 15
linux box as a router...and iptables issue...


hi all,

My friend and I are planning to build a Linux box as the router for our home LAN. Basically, the router will have two network interface cards: eth0 connected to our internal LAN hub, and the other interface (eth1) connected to our modem and straight to the internet.

So, we have installed Slackware on the box, enabled /proc/sys/net/ipv4/ip_forward=1, then added an iptables rule like this:

iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE

So, right now our PCs in the internal LAN can access the internet.
But the problem came when I tried to play with the iptables rules. I wanted to allow only selected PCs to be able to access the internet, so first of all I blocked all PCs from accessing the internet like this:

iptables -A FORWARD -p all -j DROP

and none of the users can access the internet, so it means that the rule is working. Then I put the rules below to allow certain PCs to access the internet:

iptables -A FORWARD -s 192.168.0.10 -j ACCEPT
iptables -A FORWARD -s 192.168.0.11 -j ACCEPT

But, unfortunately, the selected PCs still cannot access the internet. What happened? Can you guys help me...


Thanks in advance.

Last edited by slazer; 08-07-2006 at 10:45 PM.
 
Old 08-07-2006, 11:27 PM   #2
zhangmaike
Member
 
Registered: Oct 2004
Distribution: Slackware
Posts: 376

Rep: Reputation: 31
iptables rules are evaluated in order.

The rule:

Code:
iptables -A FORWARD -p all -j DROP
will match all packets pending forwarding... thus, all packets being forwarded will be dropped before the other two rules are ever reached:

Code:
iptables -A FORWARD -s 192.168.0.10 -j ACCEPT
iptables -A FORWARD -s 192.168.0.11 -j ACCEPT

Simply place that first rule last. Or, even better, just do:
Code:
iptables -P FORWARD DROP
Which will set the policy for the FORWARD chain to drop. When all rules within the FORWARD chain fail to match, iptables will drop the packet by default.

Last edited by zhangmaike; 08-07-2006 at 11:29 PM.
 
Old 08-07-2006, 11:46 PM   #3
slazer
LQ Newbie
 
Registered: Oct 2005
Location: kuala lumpur, malaysia
Distribution: slackware, fedora
Posts: 26

Original Poster
Rep: Reputation: 15
Does iptables differ from pf?

Because, from what I know, in pf the last rule will overwrite the first rule; for example, we have to drop all packets first, then accept/allow packets based on our rules....

Correct me if I'm wrong.
 
Old 08-08-2006, 12:14 AM   #4
zhangmaike
Member
 
Registered: Oct 2004
Distribution: Slackware
Posts: 376

Rep: Reputation: 31
Your post is the first I have heard of pf, but based on your description, yes, iptables is different.

iptables rules are evaluated in order. The first rule that matches causes iptables to jump to its target (specified with -j) and, depending on the target, iptables will either: stop evaluating (this happens with terminating targets such as DROP) or continue with the next rule (this happens with non-terminating targets). It is also possible to jump to a user-defined chain (where, of course, evaluation of those rules will continue). If all the rules within a chain are evaluated and the end is reached without any rule matching, then iptables defaults to the specified policy for that chain.

Behavior similar to that which you have experienced in pf could be accomplished simply through omitting your first rule, and instead setting the policy of the FORWARD chain to DROP.

See man iptables for more information.

Last edited by zhangmaike; 08-08-2006 at 12:21 AM.
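The first-match evaluation zhangmaike describes in posts #2 and #4, as an added example that is not part of the thread. Because a real iptables needs root, the script below models the FORWARD chain as plain "match state target" lines and walks them the way iptables does: the first matching rule decides the verdict, and the chain policy applies only when no rule matches. It compares the original ordering (catch-all DROP first), the fix from the thread (policy DROP plus the two per-host ACCEPT rules), and a third variant that also admits reply traffic. That third variant is an assumption of this example, not something the thread proposes: with policy DROP, the replies coming back from the internet to 192.168.0.10 pass through FORWARD as well, with the remote host as their source address, so `-s 192.168.0.10 -j ACCEPT` does not match them and they would be dropped unless a connection-tracking rule lets them through. The address 203.0.113.5 is a constructed stand-in for an internet host, and `-i eth0` is assumed from the LAN interface named in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Models iptables' FORWARD chain as
# "match state target" lines and applies first-match evaluation: the first
# line that matches the packet decides the verdict (ACCEPT and DROP are
# terminating targets); if no line matches, the chain policy applies.
# Packet state is simplified to NEW or ESTABLISHED (RELATED folded in).

# 1. Ordering from the original post: catch-all DROP appended first,
#    FORWARD policy left at its default of ACCEPT.
ORIGINAL_CHAIN='any any DROP
192.168.0.10 any ACCEPT
192.168.0.11 any ACCEPT'
ORIGINAL_POLICY=ACCEPT

# 2. The fix suggested in the thread: no catch-all rule, policy DROP.
THREAD_FIX_CHAIN='192.168.0.10 any ACCEPT
192.168.0.11 any ACCEPT'
THREAD_FIX_POLICY=DROP

# 3. Same, plus an assumed rule admitting packets of existing connections,
#    so replies from the internet (source = remote host) are not dropped.
COMPLETE_CHAIN='any ESTABLISHED ACCEPT
192.168.0.10 NEW ACCEPT
192.168.0.11 NEW ACCEPT'
COMPLETE_POLICY=DROP

# evaluate_forward CHAIN POLICY SRC STATE -> prints ACCEPT or DROP.
# A rule matches when its match field is "any" or equals SRC, and its state
# field is "any" or equals STATE. Evaluation stops at the first match.
evaluate_forward() {
  chain=$1; policy=$2; src=$3; pkt_state=$4
  while read -r match state target; do
    [ -z "$match" ] && continue
    if [ "$match" != any ] && [ "$match" != "$src" ]; then continue; fi
    if [ "$state" != any ] && [ "$state" != "$pkt_state" ]; then continue; fi
    echo "$target"
    return 0
  done <<EOF
$chain
EOF
  echo "$policy"   # end of chain reached without a match: policy decides
}

# The real commands corresponding to variant 3 (assumed additions: the
# conntrack rule and -i eth0, which ties each LAN address to the LAN side).
print_complete_ruleset() {
  cat <<'EOF'
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.0.10 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.0.11 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
EOF
}

# Walk the same packets through each variant.
for pkt in "192.168.0.10 NEW" "192.168.0.12 NEW" "203.0.113.5 ESTABLISHED"; do
  set -- $pkt
  echo "packet src=$1 state=$2:"
  echo "  original ordering : $(evaluate_forward "$ORIGINAL_CHAIN" "$ORIGINAL_POLICY" "$1" "$2")"
  echo "  thread fix        : $(evaluate_forward "$THREAD_FIX_CHAIN" "$THREAD_FIX_POLICY" "$1" "$2")"
  echo "  with conntrack    : $(evaluate_forward "$COMPLETE_CHAIN" "$COMPLETE_POLICY" "$1" "$2")"
done
echo "commands for the conntrack variant:"
print_complete_ruleset
```

Run it with `sh` on any machine; nothing touches the real firewall. The output shows the original ordering dropping even 192.168.0.10, the thread's fix admitting 192.168.0.10 while dropping the unlisted 192.168.0.12, and only the conntrack variant accepting the ESTABLISHED reply from 203.0.113.5. On a 2006-era kernel the equivalent match was spelled `-m state --state ESTABLISHED,RELATED`; `-m conntrack --ctstate` is the current form.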
 
  

