Bizarre iptables problem: "!" (inverse) won't work

Hyper-Mediocrity
Posts: 1
Joined: 2005-12-09 06:10

#1 Post by Hyper-Mediocrity »

UPDATE: It appears the problem is not that the inverse switch isn't working, but that the interface names are being ignored altogether. Regardless of whether I specify "-i eth1", "-i eth0", "-i ! eth1", etc., iptables always acts as if I have not specified an interface at all, and so creates the rule for ALL interfaces.

Original posting:

Recently switched my internet gateway machine/NAT box over to Debian, and everything is working fine except for one very strange problem with my firewall script. For some reason, iptables is not recognizing the inverse specification. For example:

iptables -A INPUT -m state --state NEW -i ! $EXTIF -j ACCEPT

This should allow new connections on all the interfaces except for the one I've designated to be external. But if I list the rules with "iptables -L" I get:

target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW

which is obviously not a good thing to be happening :(

Any ideas what could be causing this? I've never seen anything like it before, and the script was pulled off a previously working Gentoo box, where it had no problems.
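As an added example (not code from the thread), here is a small shell audit that reads a ruleset in iptables-save format and reports INPUT rules that accept NEW connections without any "-i" interface match, which is the hole the listing above would indicate if the interface really were being dropped. The sample ruleset and the function names are my own constructions.

```shell
#!/bin/sh
# Audit an iptables-save style ruleset for INPUT rules that accept NEW
# connections without restricting the input interface ("-i X" or "! -i X").

# Constructed sample ruleset (not from the thread). One rule deliberately
# lacks an interface match and should be flagged.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i eth0 -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT'

# Reads iptables-save format on stdin and prints each INPUT rule that
# (a) matches the NEW state via --state or --ctstate, (b) jumps to ACCEPT,
# and (c) carries no -i interface match anywhere in the rule.
find_unrestricted_new_accepts() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            has_if = 0; is_new = 0; is_accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") has_if = 1
                # state list is comma separated, so wrap it in commas to test for NEW
                if (($i == "--state" || $i == "--ctstate") &&
                    ("," $(i + 1) ",") ~ /,NEW,/) is_new = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") is_accept = 1
            }
            if (is_new && is_accept && !has_if) print
        }
    '
}

# Number of flagged rules in the constructed sample (handy for scripts/tests).
count_unrestricted_new_accepts() {
    printf '%s\n' "$SAMPLE_RULES" | find_unrestricted_new_accepts | wc -l | tr -d ' '
}

# Stand-alone run: prints the one unrestricted rule from the sample.
printf '%s\n' "$SAMPLE_RULES" | find_unrestricted_new_accepts
```

On a live box, pipe `iptables-save` into `find_unrestricted_new_accepts`; note also that plain `iptables -L` omits the in/out interface columns, which `iptables -L -v -n` (or `iptables -S`) does show.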

Jeroen
Debian Developer, Site Admin
Posts: 483
Joined: 2004-04-06 18:19
Location: Utrecht, NL

#2 Post by Jeroen »

Are you sure your shell is not doing funky things with the '!' marks? In bash, sometimes ! will do history completion stuff on the command line.

Maybe you could consider using Shorewall or so; it makes it a bit easier (once you understand it...) to configure your firewall.