Iptables troubles

    Hello everybody!

    I have some issues with using iptables.

    I currently have two separate VLANs on my router. They're working as intended. I want to allow only one PC on one VLAN to communicate with the other subnetwork.

    I added this command to the firewall script but it doesn't seem to work.
    iptables -I FORWARD -s -o vlan1 -j ACCEPT;

    Here are my vlan configs:


    Here is my full firewall script :

    iptables -I INPUT -i vlan3 -j ACCEPT;
    iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT;
    iptables -I FORWARD -s -o vlan1 -j ACCEPT;
    iptables -I FORWARD -i vlan3 -o br0 -j DROP;

    Any ideas?

    Remember, unless numbered, the first inserted are the last evaluated. And given the FORWARD rules contain a DROP, that means the DROP between vlan3 and br0 will always be evaluated before any exceptions. It's also unsafe to not include the network interface on your exceptions, otherwise someone could statically assign themselves an IP address that matches the other network. You probably want something more like this instead:

    iptables -I INPUT -i vlan3 -j ACCEPT
    iptables -I FORWARD 1 -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT
    iptables -I FORWARD 2 -i vlan3 -s -o vlan1 -j ACCEPT
    iptables -I FORWARD 3 -i vlan3 -o br0 -j DROP
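The two points in the reply above (unnumbered `-I` reverses the order you typed the rules in, and an exception without `-i` can be satisfied by a spoofed source address) can be checked without touching a live router. The following is an added example, not code from the thread: a small Python model of a FORWARD chain with the insert semantics of `iptables -I CHAIN [rulenum]` (default position 1 = head of the chain), fed a few constructed packets. It assumes, as is common on consumer router firmware, that vlan1 is a port of the `br0` bridge, so a forwarded packet towards that subnet has `br0` as its outbound interface; the exception is therefore written with `-o br0` so that it actually overlaps the DROP. The trusted PC address `192.168.3.10`, the chain policy of DROP and the packet values are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed for this example: the one PC on vlan3 that may reach the other subnet.
TRUSTED_PC = "192.168.3.10"


@dataclass(frozen=True)
class Rule:
    """One iptables rule: every field that is set must match (-i, -o, -s, --state)."""
    in_iface: Optional[str] = None    # -i
    out_iface: Optional[str] = None   # -o
    src: Optional[str] = None         # -s (host or CIDR)
    state: Optional[str] = None       # -m state --state
    target: str = "ACCEPT"            # -j

    def matches(self, pkt: Dict[str, str]) -> bool:
        if self.in_iface is not None and pkt["in"] != self.in_iface:
            return False
        if self.out_iface is not None and pkt["out"] != self.out_iface:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.state is not None and pkt.get("state") != self.state:
            return False
        return True


class Chain:
    """A chain evaluated top to bottom; the first matching rule decides."""

    def __init__(self, policy: str = "DROP") -> None:
        self.rules: List[Rule] = []
        self.policy = policy  # assumed chain policy, constructed for the example

    def insert(self, rule: Rule, position: Optional[int] = None) -> None:
        # iptables -I CHAIN [rulenum]: with no rulenum the rule goes to position 1,
        # i.e. in front of everything inserted before it.
        self.rules.insert(0 if position is None else position - 1, rule)

    def verdict(self, pkt: Dict[str, str]) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_original() -> Chain:
    """The poster's script: same rules, same order, no position numbers."""
    fwd = Chain()
    fwd.insert(Rule(in_iface="vlan3", out_iface="vlan2", state="NEW"))
    fwd.insert(Rule(src=TRUSTED_PC, out_iface="br0"))          # no -i on the exception
    fwd.insert(Rule(in_iface="vlan3", out_iface="br0", target="DROP"))
    return fwd


def build_fixed() -> Chain:
    """The reply's version: explicit positions 1, 2, 3 and -i on every exception."""
    fwd = Chain()
    fwd.insert(Rule(in_iface="vlan3", out_iface="vlan2", state="NEW"), 1)
    fwd.insert(Rule(in_iface="vlan3", src=TRUSTED_PC, out_iface="br0"), 2)
    fwd.insert(Rule(in_iface="vlan3", out_iface="br0", target="DROP"), 3)
    return fwd


def target_order(chain: Chain) -> List[str]:
    """The targets in evaluation order, as `iptables -L FORWARD` would list them."""
    return [r.target for r in chain.rules]


# Constructed packets: the trusted PC, another vlan3 host, and a host on vlan2
# that has statically assigned itself the trusted PC's address.
TRUSTED_PKT = {"in": "vlan3", "out": "br0", "src": TRUSTED_PC, "state": "NEW"}
OTHER_PKT = {"in": "vlan3", "out": "br0", "src": "192.168.3.20", "state": "NEW"}
SPOOFED_PKT = {"in": "vlan2", "out": "br0", "src": TRUSTED_PC, "state": "NEW"}

if __name__ == "__main__":
    for name, chain in (("original", build_original()), ("fixed", build_fixed())):
        print(f"{name}: order {target_order(chain)}")
        for label, pkt in (("trusted", TRUSTED_PKT), ("other", OTHER_PKT), ("spoofed", SPOOFED_PKT)):
            print(f"  {label:8s} -> {chain.verdict(pkt)}")
```

Running it shows the original chain ending up as DROP, ACCEPT, ACCEPT, so the trusted PC is dropped before its exception is ever reached, while the same chain lets the spoofed packet from vlan2 through because the exception never checks the inbound interface. The numbered version evaluates the exception before the DROP and, with `-i vlan3` on every rule, the spoofed packet falls through to the chain policy.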
