> [root@arrakis dsaxena]# ipchains -L
> Chain input (policy ACCEPT):
> target     prot opt     source                destination           ports
> DENY       tcp  ------  anywhere              anywhere              any ->   0:1024
> ACCEPT     tcp  ------  anywhere              dyn-dsl1-148-phx.bazillion.com  any ->   smtp
> ACCEPT     tcp  ------  anywhere              dyn-dsl1-148-phx.bazillion.com  any ->   nameserver
> ACCEPT     tcp  ------  anywhere              dyn-dsl1-148-phx.bazillion.com  any ->   www
> Chain forward (policy ACCEPT):
> target     prot opt     source                destination           ports
> MASQ       all  ------  anywhere              192.168.0.0/24        n/a
> MASQ       all  ------  192.168.0.0/24        anywhere              n/a
> Chain output (policy ACCEPT):

Is it just me, or should that DENY rule come *after* you tell it what you want to accept? Either that or set global system INPUT policy to DENY.

If you feed ipchains -nvL, you'll get a long listing including some amusing things like packet counts matched by the rule, IIRC.

David
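The ordering point raised in the reply, as an added example that is not part of the original message: a small first-match model of the quoted input chain that reports which rules can never be reached. The service-to-port numbers are assumptions (typical /etc/services values), and source matching is left out because every quoted rule has source "anywhere".

```python
from typing import NamedTuple

ANY = "anywhere"
HOST = "dyn-dsl1-148-phx.bazillion.com"

class Rule(NamedTuple):
    target: str
    proto: str
    dst: str
    lo: int   # first destination port matched
    hi: int   # last destination port matched

# Assumed port numbers for the service names shown in the listing.
SMTP, NAMESERVER, WWW = 25, 42, 80

# The input chain in the order it was quoted.
QUOTED_INPUT = [
    Rule("DENY", "tcp", ANY, 0, 1024),
    Rule("ACCEPT", "tcp", HOST, SMTP, SMTP),
    Rule("ACCEPT", "tcp", HOST, NAMESERVER, NAMESERVER),
    Rule("ACCEPT", "tcp", HOST, WWW, WWW),
]
# The ordering suggested in the reply: accepts first, DENY last.
REORDERED_INPUT = QUOTED_INPUT[1:] + QUOTED_INPUT[:1]

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b also matches a."""
    return (a.proto in ("all", b.proto) and a.dst in (ANY, b.dst)
            and a.lo <= b.lo and b.hi <= a.hi)

def verdict(chain, proto, dst, port, policy="ACCEPT") -> str:
    """Target of the first matching rule, else the chain policy."""
    for r in chain:
        if r.proto in ("all", proto) and r.dst in (ANY, dst) and r.lo <= port <= r.hi:
            return r.target
    return policy

def shadowed(chain):
    """Rules that can never match because an earlier rule covers them."""
    return [b for i, b in enumerate(chain) if any(covers(a, b) for a in chain[:i])]

if __name__ == "__main__":
    for name, chain in (("quoted", QUOTED_INPUT), ("reordered", REORDERED_INPUT)):
        print(name, "smtp ->", verdict(chain, "tcp", HOST, SMTP),
              "| shadowed rules:", len(shadowed(chain)))
```

With the chain policy left at ACCEPT, ports above 1024 are still accepted in both orderings, which is what the alternative of a DENY policy addresses.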