OpenWrt Forum Archive

Topic: Can't access Internet from VLAN

The content of this topic has been archived on 28 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Last night I started plugging servers into one of my VLANs (DMZ1) and can't seem to create a rule that allows them to access the Internet.  Here are the lines I've added to firewall.user:

    ## allow DMZ1 to access internet
    iptables -A FORWARD -i $DMZ1 -o $DMZ1 -j ACCEPT
    [ -z "$WAN" ] || iptables -A FORWARD -i $DMZ1 -o $WAN -j ACCEPT
    #[ -z "$WAN2" ] || iptables -A FORWARD -i $DMZ1 -o $WAN2 -j ACCEPT

Seems pretty straightforward, but no worky.  What did I miss?

BTW - Port forwarding TO servers on DMZ1 from the Internet works fine.  I just can't browse from those same servers.  Suggestions?

Did you also add a MASQUERADE rule for DMZ1?  By default, only the LAN gets NAT'ed:

    # from the stock /etc/init.d/firewall: NAT only for the LAN subnet
    if [ $NAT_LAN -ne 0 ]
    then
        [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
    fi

Hope this helps,
Charlie

Thanks for the reply, Charlie.

I tried adding the MASQUERADE line to firewall.user and it still won't pass packets.

My configuration is posted in this thread.  Do you see anything about the way I've set things up in /etc/init.d/firewall that is making this hard?

Ok.  Got it working:

    # inside firewall.user
    # DMZ1 allow
    iptables -A FORWARD -i $DMZ1 -o $DMZ1 -j ACCEPT
    [ -z "$WAN" ] || iptables -A FORWARD -i $DMZ1 -o $WAN -j ACCEPT

The problem was in how I was testing, not in what my configuration was...

I had a window open that was pinging yahoo continuously with the expectation that when the router started passing packets, yahoo would start responding to my pings.  To my surprise, even though the continuous pinging method didn't work, if I stopped it and restarted (provided I had my config right), it worked!

If someone has had a similar problem and can explain what went on here, it would be great.
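As an added example (not code from the thread), here is the complete firewall.user fragment the two replies together describe: the DMZ1 FORWARD rules plus a MASQUERADE rule for the DMZ1 subnet, written as a function that prints the commands so they can be reviewed before being applied. It also covers the stale-ping behaviour in the last post: netfilter decides NAT on the first packet of a flow and conntrack then keeps that decision, so a ping that was already being tracked before the rules were loaded keeps running un-NATed until it is restarted or the conntrack table is flushed. The interface names, the 192.168.2.0/24 subnet and the conntrack-tools package are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the firewall.user lines
# that give the DMZ1 VLAN outbound Internet access. Interface names and the
# 192.168.2.0/24 subnet used below are constructed placeholders.

# dmz1_rules DMZ_IF WAN_IF DMZ_NET DMZ_MASK
# Prints the iptables commands instead of running them, so the output can be
# inspected before it is pasted into firewall.user or piped to sh.
dmz1_rules() {
    dmz_if=$1; wan_if=$2; dmz_net=$3; dmz_mask=$4

    # Forwarding: DMZ1 may talk to itself and to the WAN, nothing else.
    # There is intentionally no DMZ1 -> LAN rule; the DMZ stays isolated.
    echo "iptables -A FORWARD -i $dmz_if -o $dmz_if -j ACCEPT"
    [ -z "$wan_if" ] || echo "iptables -A FORWARD -i $dmz_if -o $wan_if -j ACCEPT"
    # Replies to these connections are accepted by the stock firewall's
    # RELATED,ESTABLISHED rule (assumed present); no WAN -> DMZ1 ACCEPT needed.

    # NAT: without MASQUERADE the packets leave the WAN interface carrying a
    # private source address and the replies never find their way back.
    [ -z "$wan_if" ] || echo "iptables -t nat -A POSTROUTING -s $dmz_net/$dmz_mask -o $wan_if -j MASQUERADE"

    # Conntrack fixes the NAT decision on the first packet of a flow. A flow
    # tracked before these rules existed (a ping left running with the same
    # ICMP id) keeps its old un-NATed mapping as long as packets keep
    # refreshing it. Flushing the table makes every flow start over, which is
    # what restarting the ping achieved. Needs the conntrack-tools package and
    # briefly interrupts all tracked connections, so run it once, after the rules.
    echo "conntrack -F"
}

# Constructed invocation: DMZ1 on vlan2, WAN on vlan1.
dmz1_rules vlan2 vlan1 192.168.2.0 24
```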

The discussion might have continued from here.