Bear in mind that your users are connecting FROM the SERVER itself to the outside world. Technically, yes, the server _is_ a network bridge between the outside and the 172 network where your clients are. If the 172 clients can't connect to the server, then they get no thin-client goodness. So as long as the ltspbr0 is on the inside NIC eth1, this rule is fine. <div class="gmail_quote">On Wed, Feb 29, 2012 at 2:52 PM, Matthew Carter <<a href="mailto:redbranchwarrior@gmail.com">redbranchwarrior@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I'm trying to bring up my firewall on my server on only one of my two interfaces. ltspbr0 is attached to eth1 and eth0 is the external connection. In /etc/sysconfig/iptables, I added: -A INPUT -i ltspbr0 -s <a href="http://172.31.100.0/24" target="_blank">172.31.100.0/24</a> -j ACCEPT where the bridge and subsequent network is 172.31.100/24. There should be no other connections to the outside world on that side of the server. Is this a gaping security hole, ie, can my users connecting to the outside world cause a backdoor to the bridge side of the server? Thanks! _______________________________________________ K12OSN mailing list <a href="mailto:K12OSN@redhat.com">K12OSN@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/k12osn" target="_blank">https://www.redhat.com/mailman/listinfo/k12osn</a> For more info see <<a href="http://www.k12os.org" target="_blank">http://www.k12os.org</a>> </blockquote></div> -- -- James P. Kinney III As long as the general population is passive, apathetic, diverted to consumerism or hatred of the vulnerable, then the powerful can do as they please, and those who survive will be left to contemplate the outcome. - 2011 Noam Chomsky <a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a>