I can create two sets of rules that will give me the same result:

Case 1)

    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -d 10.10.10.1 -p tcp -m multiport --ports 80,443,8080
    iptables -A FORWARD -d 10.10.10.2 -p tcp -m multiport --ports 80,443,8080
    iptables -A FORWARD -d 10.10.10.3 -p tcp -m multiport --ports 80,443,8080
    iptables -A FORWARD -d 10.10.10.4 -p tcp -m multiport --ports 80,443,8080
    iptables -A FORWARD -d 10.10.10.5 -p tcp -m multiport --ports 80,443,8080
    ....
    iptables -A FORWARD -d 10.10.10.254 -p tcp -m multiport --ports 80,443,8080

and

    iptables -t nat -A PREROUTING -d 10.10.10.1 -p tcp -j DNAT --to-destination 192.168.0.1
    iptables -t nat -A PREROUTING -d 10.10.10.2 -p tcp -j DNAT --to-destination 192.168.0.2
    iptables -t nat -A PREROUTING -d 10.10.10.3 -p tcp -j DNAT --to-destination 192.168.0.3
    ...
    iptables -t nat -A PREROUTING -d 10.10.10.254 -p tcp -j DNAT --to-destination 192.168.0.254

Case 2)

    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

and

    iptables -t nat -A PREROUTING -d 10.10.10.1 -p tcp -m multiport --dports 80,443,8080 -j DNAT --to-destination 192.168.0.1
    iptables -t nat -A PREROUTING -d 10.10.10.2 -p tcp -m multiport --dports 80,443,8080 -j DNAT --to-destination 192.168.0.2
    iptables -t nat -A PREROUTING -d 10.10.10.3 -p tcp -m multiport --dports 80,443,8080 -j DNAT --to-destination 192.168.0.3
    ...
    iptables -t nat -A PREROUTING -d 10.10.10.254 -p tcp -m multiport --dports 80,443,8080 -j DNAT --to-destination 192.168.0.254

I think both cases give the same result: only ports 80, 443 and 8080 are allowed and NATed to the corresponding server. I know the firewall isn't closed, but I'm only interested in the performance. The IP addresses are fictional and in the real world will not follow one another. It's just to demonstrate the 2 cases.

Which of the 2 cases will give the best performance and why? Is one of them giving some overhead and why?

Thanks in advance,
Wouter