Hi, I've configured a 2-nics gateway (one internal nic and an external usb nic hooked to the adsl modem).  I configured iptables as I'm used to do: ++++++ iptables-restore < /etc/iptables/empty.rules iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -F iptables -t nat -F iptables -t mangle -F iptables -X iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -o eth0 -j ACCEPT iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT /etc/rc.d/iptables save /etc/rc.d/iptables restart ++++++ Notice that I have IP forwarding enabled through: ++++++ % 'grep' forward /etc/sysctl.conf net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1 ++++++ And also through: ++++++ % 'grep' FORWARD /etc/conf.d/iptables IPTABLES_FORWARD=1 ++++++ But I can confirm by: +++++++ % cat /proc/sys/net/ipv4/ip_forward 1 +++++++ This is based upon: http://www.debian-administration.org/articles/23 And it's working on a debian box. I remember some time back it also worked on a arch box, only thing I was not using pppd directly but wvdial instead... OK, on machines at the internal side of my LAN, I can ping everywhere. But I can not use the browser with all addresses, for example I can't get to www.archlinux.org through frirefox or midori, neither www.debian.org. Weird thing www.google.com, and some other sites can be reached through firefox on machines inside the LAN. When I try accessing those sites on the gateway (not the machines inside the LAN) of course I have no problem.  I checked /etc/resolv.con, and it's OK, besides ping has clear access everywhere. I have no clue what's going on.  I noticed the following under /var/log/messages.log: +++++++ Jul  9 23:32:33 mini-0 pppd[1974]: Plugin rp-pppoe.so loaded. Jul  9 23:32:33 mini-0 pppd[1974]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.5 Jul  9 23:32:34 mini-0 kernel: NET: Registered protocol family 10 Jul  9 23:32:34 mini-0 pppd[1974]: pppd 2.4.5 started by root, uid 0 Jul  9 23:32:34 mini-0 pppd[1974]: PPP session is 45128 Jul  9 23:32:34 mini-0 pppd[1974]: Connected to 00:12:7f:33:eb:3c via interface eth1 Jul  9 23:32:34 mini-0 pppd[1974]: Using interface ppp0 Jul  9 23:32:34 mini-0 pppd[1974]: Connect: ppp0 <--> eth1 Jul  9 23:32:34 mini-0 pppd[1974]: PAP authentication succeeded Jul  9 23:32:34 mini-0 pppd[1974]: peer from calling number 00:12:7F:33:EB:3C authorized Jul  9 23:32:34 mini-0 pppd[1974]: kernel does not support PPP filtering Jul  9 23:32:34 mini-0 pppd[1974]: local  IP address 201.200.139.27 Jul  9 23:32:34 mini-0 pppd[1974]: remote IP address 200.91.104.9 Jul  9 23:32:34 mini-0 pppd[1974]: primary   DNS address 200.91.75.6 Jul  9 23:32:34 mini-0 pppd[1974]: secondary DNS address 200.91.75.5 Jul  9 23:32:35 mini-0 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team Jul  9 23:32:35 mini-0 kernel: nf_conntrack version 0.5.0 (7628 buckets, 30512 max) +++++++ It sounded curious that kernel does not support PPP filtering, but I'm almost certain that's not the issue, given that on the gateway (not the forwarded internal LAN), I can access all pages through firefox... Any help you can provide is very welcome... It might be the iptables is not working well. I missed to indicate this is running on a lemote mini-pc (archloong on mipsel), which of course has no official support, but I wanted to see first if I'm missing any configuration particular to arch (as I said this worked before also on a x86 arch box, but things change), so just in case perhaps someone identified the miss... Thanks, -- Javier.