I'll give you an example. It assumes a default drop policy. Also, INTIF = internal interface, HTTP1 = external IP address clients will connect to (www.mydomain.com resolves to this address), and HTTPDMZ1 = internal web server.

##### Setup prerouting rules to route Internet traffic internally

## Change the destination of external $HTTP requests to the DMZ HTTP server
$ipt -t nat -A PREROUTING -i $EXTIF -p tcp -d $HTTP1 --dport 33333 -j DNAT --to $HTTPDMZ1:80

## Allow established,related forward traffic
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow new http forward traffic from Internet to servers in the DMZ
$ipt -A FORWARD -m state --state NEW -i $EXTIF -p tcp -d $HTTPDMZ1 --dport 80 -j ACCEPT
$ipt -A FORWARD -m state --state NEW -i $EXTIF -p tcp -d $SMTPDMZ --dport 25 -j ACCEPT

>>-----Original Message-----
>>From: netfilter-admin@lists.netfilter.org
>>[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of PiSiC...
>>Sent: Thursday, February 27, 2003 12:15 PM
>>To: richardo@start-global.com
>>Cc: netfilter@lists.netfilter.org
>>Subject: Re: possibly annoing ...
>>
>>
>> First of all, thanks for the help ...
>> but I'm kinda new with iptables and I want to show you the big picture:
>>
>> - I heard something about static NAT and dynamic NAT (not source or
>>destination NAT) and I'm not sure I fully understand what the
>>applicability is to my situation.
>>
>>The situation is this:
>>
>> I have a radio link with only one statically allocated IP (aaa.bbb.ccc.ddd)
>>which is connected to my Linux machine on eth1.
>>eth0 on the same machine is connected to the LAN.
>>I have Webserver, SMTP, FTP and POP3 up and running.
>>I now want to run 2 webservers, one on external and one on internal (that is
>>easy with binding on their interfaces).
>>But I also want to allow access from the world to a third webserver which
>>runs on 192.168.13.199:80, which will be accessible on port 33333 on my
>>external IP.
>>
>>... my machine runs Slackware 8.0 with kernel 2.4.5 and I have compiled the
>>kernel with all the features included (I don't need modprobe).
>>
>>
>>I wonder if you can give me an rc.firewall for this situation or at least
>>the tricky part (webserver on 192.168.13.199) with all the related stuff.
>>
>> Thank you very much in advance.
>>
>> Danila Octavian
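
Added example, not part of either message above: the rules from the reply filled in with the values the original poster gave, wrapped in a function that prints the commands by default so they can be reviewed before being applied. The names EXTIF, EXT_IP, EXT_PORT, DMZ_IP, DMZ_PORT, IPT, valid_port and port_forward_rules are assumptions made for this sketch; aaa.bbb.ccc.ddd is the poster's own placeholder for the public address.

```shell
#!/bin/sh
# Added example: port-forward rules for the setup described in this thread.
# eth1 = radio link (external), per the original poster's description.
EXTIF="${EXTIF:-eth1}"
EXT_IP="${EXT_IP:-aaa.bbb.ccc.ddd}"      # poster's placeholder address
EXT_PORT="${EXT_PORT:-33333}"
DMZ_IP="${DMZ_IP:-192.168.13.199}"
DMZ_PORT="${DMZ_PORT:-80}"
# Dry run by default: commands are printed. Set IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

# Accept only decimal ports in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

port_forward_rules() {
    valid_port "$EXT_PORT" && valid_port "$DMZ_PORT" || {
        echo "invalid port" >&2; return 1; }
    # Default drop: forwarded traffic not accepted below is discarded.
    $IPT -P FORWARD DROP
    # PREROUTING rewrites the destination before the routing decision.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXT_IP" \
        --dport "$EXT_PORT" -j DNAT --to-destination "$DMZ_IP:$DMZ_PORT"
    # Replies and related packets of connections already accepted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FORWARD sees the packet after DNAT, so the match is on the
    # internal address and port 80, not on external port 33333.
    $IPT -A FORWARD -m state --state NEW -i "$EXTIF" -p tcp \
        -d "$DMZ_IP" --dport "$DMZ_PORT" -j ACCEPT
}

# Print the rule set (forwarding must also be enabled in
# /proc/sys/net/ipv4/ip_forward for these rules to carry traffic).
port_forward_rules
```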