> I can ssh though the firewall and I a can block if I want to > but I just can > figure out how to ssh to the firewall Well you could add the rules used for the FORWARD chain and put them in the INPUT chain! iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT or similar, oh and check that sshd is running of course!