Thanks for your reply Bryan. I checked; those DROP rules are on top of my FORWARD rules.
May I know what I am missing? Thank you very much.

> I'm using these rules to block this host:
>
> iptables -A INPUT -s 202.96.170.189 -j DROP
> iptables -A OUTPUT -d 202.96.170.189 -j DROP
> iptables -A FORWARD -s 202.96.170.189 -j DROP
>
> My NAT script:
>
> iptables -A FORWARD -o $EXTERNAL_INTERFACE \
>     -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -o $INTERNAL_INTERFACE \
>     -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp \
>     --sport $UNPRIVPORTS -d 10.0.0.2 --dport 80 \

Check the sequence of your rules. If these rules come before the DROP rules when you do the iptables -nvL, then they are accepting the packets before they make it to the DROP rule.

bryan

-- 
"A computer lets you make mistakes faster than any other invention, with the possible exception of handguns and Tequila." -- Mitch Ratcliffe
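To illustrate the point Bryan makes about rule order, here is an added example (not code from this thread) that models the FORWARD chain as iptables evaluates it: top to bottom, first match wins, and the matching rule's packet counter goes up exactly as the `pkts` column of `iptables -nvL` would. It assumes `eth0`/`eth1` for `$EXTERNAL_INTERFACE`/`$INTERNAL_INTERFACE`, assumes the port-80 rule (whose target is cut off in the quoted script) ends in `-j ACCEPT`, and uses a constructed inbound HTTP packet from the blocked address.

```python
"""First-match simulation of an iptables FORWARD chain (added example).

Models only what the thread discusses: rules are tried top to bottom and
the first match decides, so a DROP appended below an ACCEPT never fires.
Interface names, the ACCEPT target on the port-80 rule and the sample
packets are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

EXTERNAL_INTERFACE = "eth0"   # assumed value of $EXTERNAL_INTERFACE
INTERNAL_INTERFACE = "eth1"   # assumed value of $INTERNAL_INTERFACE
UNPRIVPORTS = range(1024, 65536)   # usual meaning of $UNPRIVPORTS
BLOCKED_HOST = "202.96.170.189"    # address from the thread


@dataclass
class Rule:
    """One iptables rule; a None field means that match is not given."""
    target: str
    src: Optional[str] = None
    dst: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None
    pkts: int = 0   # the "pkts" column of iptables -nvL


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str
    proto: str
    sport: int
    dport: int
    state: str   # conntrack state: NEW, ESTABLISHED or RELATED


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified match must hold, like iptables' -s/-d/-i/-o/-p/--state."""
    return all([
        rule.src is None or rule.src == pkt.src,
        rule.dst is None or rule.dst == pkt.dst,
        rule.in_iface is None or rule.in_iface == pkt.in_iface,
        rule.out_iface is None or rule.out_iface == pkt.out_iface,
        rule.proto is None or rule.proto == pkt.proto,
        rule.sport is None or pkt.sport in rule.sport,
        rule.dport is None or rule.dport == pkt.dport,
        rule.states is None or pkt.state in rule.states,
    ])


def traverse(chain: list, pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides and
    its counter is incremented. No match means the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            rule.pkts += 1
            return rule.target
    return policy


def nat_rules() -> list:
    """The three FORWARD rules from the quoted NAT script. The third
    rule's target is cut off in the thread; ACCEPT is assumed here."""
    return [
        Rule("ACCEPT", out_iface=EXTERNAL_INTERFACE,
             states=frozenset({"NEW", "ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", out_iface=INTERNAL_INTERFACE,
             states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", in_iface=EXTERNAL_INTERFACE, out_iface=INTERNAL_INTERFACE,
             proto="tcp", sport=UNPRIVPORTS, dst="10.0.0.2", dport=80),
    ]


def forward_chain(drop_on_top: bool) -> list:
    """iptables -A appends, so a DROP added after the NAT script ends up
    last; iptables -I puts it first. Returns the chain in -nvL order."""
    drop = Rule("DROP", src=BLOCKED_HOST)
    return [drop] + nat_rules() if drop_on_top else nat_rules() + [drop]


# Constructed sample: a new HTTP connection from the blocked host to the
# internal web server, as FORWARD sees it after the nat table's DNAT.
INBOUND_HTTP = Packet(src=BLOCKED_HOST, dst="10.0.0.2",
                      in_iface=EXTERNAL_INTERFACE, out_iface=INTERNAL_INTERFACE,
                      proto="tcp", sport=51234, dport=80, state="NEW")


def verdict(drop_on_top: bool, pkt: Packet = INBOUND_HTTP):
    """Return (verdict, 0-based index of the rule whose counter moved)."""
    chain = forward_chain(drop_on_top)
    result = traverse(chain, pkt)
    hit = next((i for i, r in enumerate(chain) if r.pkts), None)
    return result, hit


if __name__ == "__main__":
    for top in (False, True):
        result, i = verdict(top)
        print(f"DROP {'first' if top else 'last'}: {result}, rule #{i + 1} matched")
```

Running it shows the same packet being ACCEPTed by the port-80 rule when the DROP sits below it and DROPped when the DROP sits above it. On a real box the equivalent check is `iptables -nvL FORWARD --line-numbers`: the rule whose `pkts` counter climbs while the host is connecting is the one deciding, and `iptables -I FORWARD 1 -s 202.96.170.189 -j DROP` puts the block in front of everything the NAT script appended.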
