part of your problem then this might help. (Don't remember where I got it, but it was part of an ipchains script I got from somewhere.)

EXTDEV=eth1
# Pull the address out of the "inet addr:" line of ifconfig's output
EXTERNALIP=`ifconfig $EXTDEV | grep "inet addr:" | \
    awk -F: '{print $2}' | cut -d' ' -f 1`
# Stop if no address was found
if [ -z "${EXTERNALIP}" ]; then
    exit 1
fi

This will get your IP address from ifconfig and then you simply use the variables in place of manual IPs.

> What is the proper way to do this?
>

All policies should be DENY. Of course, if you're not that freaky about security then the OUTPUT chain can usually be set to ACCEPT to make things easier. This is usually not a security problem.

> We'll use these numbers as an example of my net config:
> eth0 192.168.1.1 # The LAN obviously.
> eth1 24.32.5.105 # The DHCP assigned WAN IP
>

I'll try my hand at a simple script that may work for you...

#!/bin/sh
EXTDEV=eth1
EXTIP=`ifconfig $EXTDEV | grep "inet addr:" | \
    awk -F: '{print $2}' | cut -d' ' -f 1`
# Test the variable that was actually set above (EXTIP)
if [ -z "${EXTIP}" ]; then
    exit 1
fi
INTDEV=eth0
INTIP=192.168.1.1

ipchains -F
ipchains -X
ipchains -P forward DENY
ipchains -P input DENY
ipchains -P output ACCEPT    # (this is simpler for now)

# /24 assumes a 255.255.255.0 LAN netmask; without a mask the rule matches one address only
ipchains -A input -i $INTDEV -s 192.168.1.0/24 -d 0.0.0.0/0 -j ACCEPT    # This allows input from your LAN
ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ    # Masquerade everything going outside

I'm a bit rusty w/ ipchains but I think this will work. Please correct me if I'm wrong.

sim
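The address-extraction step above, as an added example that is not part of the original post: it parses the interface address out of ifconfig output and checks that the result is a well-formed dotted quad before it reaches any firewall rule, so a parsing failure stops the script instead of loading rules with an empty or garbled address. The function names and the sample ifconfig text are assumptions constructed for illustration; the newer "inet 1.2.3.4" layout is handled in addition to the "inet addr:" layout the post uses.

```shell
#!/bin/sh
# Added example: function names and sample text below are constructed.

# Constructed sample, old net-tools layout, using the post's example address.
SAMPLE_OLD='eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:24.32.5.105  Bcast:24.32.5.255  Mask:255.255.255.0
          inet6 addr: fe80::1/64 Scope:Link'
# Constructed sample, newer net-tools layout.
SAMPLE_NEW='eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 24.32.5.105  netmask 255.255.255.0  broadcast 24.32.5.255
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>'

# extract_ipv4: read ifconfig output on stdin, print the first IPv4 address.
extract_ipv4() {
    awk '
        /^[ \t]*inet addr:/ { sub(/^[ \t]*inet addr:/, ""); print $1; exit }
        /^[ \t]*inet /      { sub(/^[ \t]*inet /, "");      print $1; exit }
    '
}

# is_ipv4: succeed only for four dot-separated decimal octets, each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*.) return 1 ;;   # empty, stray characters, trailing dot
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split on dots (digits and dots only here)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac   # empty or too long
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# external_ip DEV: print DEV's validated address, or return 1 (fail closed).
external_ip() {
    ip=$(ifconfig "$1" 2>/dev/null | extract_ipv4)
    is_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}
```

In the firewall script this would replace the backtick pipeline with `EXTIP=$(external_ip "$EXTDEV") || exit 1`, placed before the first ipchains command.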