Group: comp.os.linux.networking


Subject: Routing problem with 2 ethernet cards - adsl router on first and localnet on second
From: Ignoramus7291
Date: 10/26/2007 11:37:31 AM
You do not need two cards to do firewalling. You could have done it with one card, if the Windows boxes are on a private subnet like 10.0.0.* or whatever. Here's how I do it with one card.

######################################################################
# Home firewall
IPTABLES=/sbin/iptables   # path assumed; the variable was not shown in the post

# Flush all rules and delete user chains in the filter and nat tables
$IPTABLES -F
$IPTABLES --delete-chain
$IPTABLES --table nat --flush
$IPTABLES --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
# (rewrite the source address of everything leaving eth0 to eth0's own address)
$IPTABLES --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

# Comp 1
$IPTABLES --append FORWARD -s 10.0.0.3 -j ACCEPT
# Comp 2
$IPTABLES --append FORWARD -s 10.0.0.4 -j ACCEPT

On 2007-10-26, D.Campagna <ynnadrebyc@tiscalinet.it> wrote:
> Hi all gurus,
> I have the following configuration:
>
> internet|---| u.s. robotics router|---|switch|---|linux box eth0|
> adsl | | (192.168.1.98) | |------| |--------------|
> |---------------------| | | |
> | | |----------- | |------------- [win boxes]
> |---------------
>
> Linux is acting as web and SMB server, all works fine and I can connect
> to the Internet from any of the win machines and the Linux box.
> Now in order to have some packet filtering and firewalling done by the
> Linux box I want to change to:
>
> internet|---| u.s. robotics router|---|eth1 of linux box |
> adsl | | (192.168.1.98) | |------------------|
> |---------------------| |
> |------------------|
> |eth0 of linux box |
> |------------------|
> | |------|
> |switch|
> |------|
> | | |----------- | |------------- [win boxes]
> |---------------
>
> I tried the above but from the win boxes I cannot ping the router.
> IP Forwarding is ON. I issued:
> route add 192.168.0.98 eth1 (the router)
> route add default gw 192.168.0.98 eth1
> The result is, the Linux box connects to the Internet and I can
> navigate, but still from the win boxes I cannot ping the router, nor
> access the Internet.
>
> Before posting all my experiments with iptables, SNAT, MASQUERADING et
> al., I would like to understand why the packets from the router are not
> propagated back to the win boxes, while I'm quite sure they reach the
> router. The router is doing its NAT, provided the first configuration
> works fine. Is this perhaps the problem? I ask this because, trying to
> replicate the situation, I put in place of the router another Linux box
> with a bogus 'external' address and with the command:
> iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.0.97 -o eth1
> or
> iptables -t nat -A POSTROUTING -j MASQUERADE -o eth1
> the win machines (setting the correct gateway 192.168.0.97) were able to
> navigate to the bogus 172.168.0.44 of the 2nd Linux box.
> I achieved the same result not issuing any iptables command but just
> instructing the 2nd Linux box about the route to the first:
> route add 192.168.0.0 netmask 255.255.255.0 eth0
> So it seems the NATed packets from the router cannot reach the win
> boxes. How can I solve the problem?
> I am sorry for the stupid question but I am not an expert in IP and
> would greatly appreciate any hints.
> Best regards
> D. Campagna
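The script below is an added example, not code from either poster. It takes the one-card masquerading idea from the reply above and applies it to the two-card layout in the quoted post: the card facing the ADSL router gets masquerading, and the FORWARD chain defaults to DROP so only traffic that originates on the LAN subnet, plus the replies to it, crosses the box. The interface names (eth1 toward the router, eth0 toward the switch), the LAN subnet 192.168.1.0/24 and the iptables path are assumptions for illustration; the `IPTABLES` variable can be pointed at `echo` to dry-run the rule set without touching the kernel.

```shell
#!/bin/sh
# Added example: two-NIC NAT firewall for a Linux box sitting between an
# ADSL router and a switch of Windows clients. All names and addresses
# below are assumptions for illustration, not values from the thread.
set -e

WAN_IF=${WAN_IF:-eth1}              # assumed: the card facing the ADSL router
LAN_IF=${LAN_IF:-eth0}              # assumed: the card facing the switch
LAN_NET=${LAN_NET:-192.168.1.0/24}  # constructed: subnet of the Windows boxes
IPTABLES=${IPTABLES:-/sbin/iptables}
FORWARD_SYSCTL=${FORWARD_SYSCTL:-/proc/sys/net/ipv4/ip_forward}

enable_forwarding() {
    # The kernel must forward between the two cards; this lasts until reboot.
    echo 1 > "$FORWARD_SYSCTL"
}

fw_apply() {
    # Start from a clean slate in both the filter and nat tables.
    $IPTABLES --flush
    $IPTABLES --delete-chain
    $IPTABLES --table nat --flush
    $IPTABLES --table nat --delete-chain

    # Nothing is forwarded unless a rule below explicitly allows it.
    $IPTABLES --policy FORWARD DROP

    # Replies to connections the LAN opened are allowed back in.
    $IPTABLES --append FORWARD --in-interface "$WAN_IF" --out-interface "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only packets that arrive on the LAN card with a LAN source address go out;
    # anything spoofing the LAN range from the router side is dropped by policy.
    $IPTABLES --append FORWARD --in-interface "$LAN_IF" --out-interface "$WAN_IF" \
        -s "$LAN_NET" -j ACCEPT

    # Rewrite the source to the router-facing card's address. The router only
    # knows its own subnet, so without this it has no route back to the LAN.
    $IPTABLES --table nat --append POSTROUTING --out-interface "$WAN_IF" \
        -s "$LAN_NET" -j MASQUERADE
}

# Usage: sh fw.sh apply   (as root). Without "apply" nothing is changed.
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    fw_apply
fi
```

Running it as `IPTABLES=echo sh fw.sh apply` on a scratch box prints the eight commands instead of loading them, which is a convenient way to review the rule order before applying it for real.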