> I tried it. I had everything open. Then I blocked everything. Then I set
> up a rule to allow SSH in to eth0 and out eth1 (and the other way). At
> least I thought that was what the rules said, but no SSH connectivity
> through the firewall. That was when I realized that I had not found the
> necessary incantation, and I had already shot most of Tuesday.

Too bad you missed the documentation on netfilter then. It would have told you that the INPUT chain controls what comes to the box, the OUTPUT chain what originates from the box and the FORWARD chain what goes through the box. You would have needed a rule in FORWARD to allow ssh connections through the box. The rules in the INPUT and OUTPUT chains would have zero effect on connections going through. Anyways, you have something now, but in case you want to give iptables another go...
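Added example (editor's, not posted by either participant in the thread): the FORWARD rules the reply is talking about, for letting SSH cross a two-interface firewall in both directions. The interface names eth0/eth1, TCP port 22, the ESTABLISHED,RELATED shortcut rule and the DROP policy are assumptions chosen to match the quoted description; the script prints the commands by default and only executes them when APPLY=1 is set and it is run as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: LAN side is eth0,
# WAN side is eth1, SSH on TCP/22, conntrack available. Dry run unless APPLY=1.

IPT="${IPT:-iptables}"

# run: print the command line, and execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# ssh_forward_rules LAN_IF WAN_IF: the FORWARD-chain rules that let SSH go
# through the box in both directions. INPUT and OUTPUT are deliberately left
# alone: they only govern traffic to and from the firewall itself, which is
# exactly why the original poster's rules had no effect on forwarded SSH.
ssh_forward_rules() {
    lan="$1"
    wan="$2"
    port="${SSH_PORT:-22}"

    # Return traffic for connections already accepted, whichever way it flows.
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New SSH connections entering on the LAN side and leaving on the WAN side...
    run "$IPT" -A FORWARD -i "$lan" -o "$wan" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
    # ...and "the other way": new SSH connections from WAN towards the LAN.
    run "$IPT" -A FORWARD -i "$wan" -o "$lan" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# forward_policy_drop: anything through the box not matched above is dropped.
forward_policy_drop() {
    run "$IPT" -P FORWARD DROP
}

# enable_ip_forward: no FORWARD rule matters unless the kernel routes at all.
enable_ip_forward() {
    run sysctl -w net.ipv4.ip_forward=1
}

# count_forward_rules LAN_IF WAN_IF: how many FORWARD rules would be loaded.
count_forward_rules() {
    ssh_forward_rules "$1" "$2" | grep -c -- '-A FORWARD'
}

enable_ip_forward
forward_policy_drop
ssh_forward_rules "${LAN_IF:-eth0}" "${WAN_IF:-eth1}"
```

Run it once without APPLY to review the rule lines, then `APPLY=1 sh script.sh` as root to load them; `iptables -L FORWARD -v -n` afterwards shows the packet counters climbing on the new rules while INPUT and OUTPUT stay unchanged by forwarded traffic.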