Re: iptables: forwarding traffic among all LAN networks
H.S. wrote:
>
> If I imagine the networks as nodes in a graph, then for n networks I
> would need n(n-1) rules in all?
Not necessarily. It may be possible to factorize chains into policies.
For instance, assume you define two types of networks: trusted (e.g.
internet) and untrusted (e.g. your LAN). Then you define four forwarding
policies based upon the types of the source and destination networks.
So you would have the following chains containing the fixed ruleset
enforcing each policy:
trusted_to_trusted
trusted_to_untrusted
untrusted_to_trusted
untrusted_to_untrusted
You also need two additional chains:
from_trusted
from_untrusted
Now for each interface $IFT connected to a trusted network, you would
add the following rules:
iptables -A FORWARD -i $IFT -j from_trusted
iptables -A from_trusted -o $IFT -j trusted_to_trusted
iptables -A from_untrusted -o $IFT -j untrusted_to_trusted
And for each interface $IFU connected to an untrusted network, you would
add the following rules:
iptables -A FORWARD -i $IFU -j from_untrusted
iptables -A from_trusted -o $IFU -j trusted_to_untrusted
iptables -A from_untrusted -o $IFU -j untrusted_to_untrusted
For instance, a packet coming from an untrusted network and destined to
a trusted network would be directed to the from_untrusted chain and then
to the untrusted_to_trusted chain, which determines its fate.
In this approach the rule count for n networks and t network types is
roughly n*(t+1), which scales better when n increases. Another advantage
is that when you create or delete a network interface you don't need to
care about the other existing interfaces, which is very valuable in
setups with multiple "dynamic" interfaces and networks such as PPP
links, VPNs, tunnels...
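The scheme above as a small generator script, added here as an illustration and not part of the original thread. The interface names eth0/eth1/ppp0/tun0 are constructed samples, and IPT defaults to "echo iptables" so the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the factorized
# FORWARD ruleset described above for a set of trusted and untrusted
# interfaces. IPT defaults to "echo iptables" so the script only prints
# the commands; run it with IPT=iptables to apply them on a real host.
IPT="${IPT:-echo iptables}"

# Create the four policy chains and the two dispatch chains. The policy
# chains are left empty here: their content is site-specific and is the
# only part of this scheme you still write by hand.
create_chains() {
    for c in trusted_to_trusted trusted_to_untrusted \
             untrusted_to_trusted untrusted_to_untrusted \
             from_trusted from_untrusted; do
        $IPT -N "$c"
    done
}

# add_iface TYPE IFACE: hook one interface into the scheme with exactly
# t+1 = 3 rules, independent of whatever other interfaces already exist.
add_iface() {
    type="$1"; iface="$2"
    case "$type" in
        trusted)   other=untrusted ;;
        untrusted) other=trusted ;;
        *) echo "add_iface: unknown type '$type'" >&2; return 1 ;;
    esac
    # ingress: dispatch on the type of the source network
    $IPT -A FORWARD -i "$iface" -j "from_$type"
    # egress: from each source type, dispatch on this (destination) type
    $IPT -A "from_$type"  -o "$iface" -j "${type}_to_${type}"
    $IPT -A "from_$other" -o "$iface" -j "${other}_to_${type}"
}

# build_ruleset "TRUSTED_IFACES" "UNTRUSTED_IFACES": chains plus hooks.
build_ruleset() {
    create_chains
    for i in $1; do add_iface trusted   "$i"; done
    for i in $2; do add_iface untrusted "$i"; done
}

# Constructed sample: two trusted and two untrusted interfaces,
# i.e. 6 chain creations plus 4 * 3 = 12 hook rules.
build_ruleset "eth0 eth1" "ppp0 tun0"
```

Adding a fifth interface later is a single add_iface call, which is the point of the scheme.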