It seems I have found out the cause.

My script is simple:

It does masquerading.
It allows the client to visit ONLY one Web site.

So for the FORWARD chain, all traffic is blocked except from/to the Web site and 2 DNS servers. These are OK with sarge (kernel 2.4) and etch (kernel 2.6).

For the INPUT and OUTPUT chains, only DNS traffic is allowed. This seems OK with sarge, but seems to cause a problem in etch.

Can anyone explain it?