Hi, I'm having a slight problem with SSH and NAT. I've got an ADSL connection with a single static IP, and I'd like to be able to SSH to any of my boxes within my network, but without having to use separate ports to do it. Is this possible?

My setup is:

  Internet -> ZyXEL ADSL router (192.168.0.1) -> Debian Server (192.168.0.2) -> box1 (0.3) / box2 (0.4)

What I've tried so far is adding the patch-o-matic stuff for string matching, so I came up with a rule like this:

  iptables -t nat -A PREROUTING -m string --string 'box1.domain.com' -p tcp --dport 22 -j DNAT --to 192.168.0.3

but this just SSHs to 0.2, instead of forwarding onto 0.3 (which is the box running iptables). Is this actually possible, or am I on to a no-hoper here?

Here's most of my firewall/iptables script:

#!/bin/bash

IPTABLES=/usr/local/sbin/iptables

flush () {
    # Flush tables and delete the user-defined chains
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F internal
    $IPTABLES -X internal
    $IPTABLES -F logdrop
    $IPTABLES -X logdrop
    $IPTABLES -t nat -F
}

def_policy () {
    # Default policies: drop unsolicited input, allow output and forwarding
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

rules () {
    # logdrop: log the packet, then drop it
    $IPTABLES -N logdrop
    $IPTABLES -A logdrop -j LOG --log-prefix "INPUT (dropped): "
    # $IPTABLES -A logdrop -j ULOG --ulog-prefix "INPUT (dropped): "
    $IPTABLES -A logdrop -j DROP

    # internal: accept only traffic from the LAN or loopback
    $IPTABLES -N internal
    $IPTABLES -A internal -s 192.168.0.0/24 -j ACCEPT
    $IPTABLES -A internal -s 127.0.0.1 -j ACCEPT
    $IPTABLES -A internal -s ! 192.168.0.0/24 -j logdrop

    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -j MASQUERADE

    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT      # ssh
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT      # www
    $IPTABLES -A INPUT -p udp --dport 80 -j ACCEPT      # www
    $IPTABLES -A INPUT -p tcp --dport 111 -j internal   # sunrpc
    $IPTABLES -A INPUT -p udp --dport 111 -j internal   # sunrpc
    $IPTABLES -A INPUT -p tcp --dport 3128 -j internal  # squid

    $IPTABLES -A INPUT -s 192.168.0.0/24 -j ACCEPT
    $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
    $IPTABLES -A INPUT -p tcp -s ! 192.168.0.0/24 -j logdrop

    # The string-match DNAT rule I'm trying to get working
    $IPTABLES -t nat -A PREROUTING -m string --string 'box1.domain.com' -p tcp --dport 22 -j DNAT --to 192.168.0.3

    echo 1 > /proc/sys/net/ipv4/ip_forward
}

rm_mod () {
    # Unload the netfilter modules
    rmmod -r ipt_LOG
    rmmod -r ipt_multiport
    rmmod -r ipt_state
    rmmod -r ip_conntrack
    rmmod -r iptable_filter
    rmmod -r ip_tables
}

case "$1" in
  start)
    echo -n "Starting netfilter/iptables firewall"
    flush
    def_policy
    rules
    echo "."
    ;;
  restart)
    echo -n "Restarting netfilter/iptables firewall"
    flush
    def_policy
    rules
    echo "."
    ;;
  stop)
    echo -n "Stopping netfilter/iptables firewall"
    flush
    rm_mod
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
esac

exit 0

--End firewall--

Cheers,
James

-- 
James O'Gorman
email: james@xxxxxxxxxxxxxxxx | web: www.netinertia.co.uk
"Life sucks, but death doesn't put out at all...." -- Thomas J. Kopp
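An added example (not from James's post or his script) of the one-exposed-port alternative: the SSH client never sends the target hostname in the TCP payload, so a payload string match has nothing to match on, whereas using the Debian box as an SSH jump host keeps a single forwarded port 22 and lets the client pick box1 or box2 by name. It assumes OpenSSH 5.4+ (for `ssh -W`) on the client and gateway, that the router forwards TCP/22 to 192.168.0.2, and uses the placeholders `adsl.example.net` and `james` for the line's public name and the gateway login.

```shell
#!/bin/bash
# Added example: generate an ssh_config fragment that reaches LAN boxes
# through the Debian gateway with one public port. Not the original script.

GATEWAY_NAME="adsl.example.net"   # placeholder: public name/IP of the ADSL line
GATEWAY_USER="james"               # assumed login on the Debian gateway

# gen_ssh_config name=ip [name=ip ...]
# Emits a "gw" entry for the gateway, then one Host entry per internal box
# whose ProxyCommand tunnels the connection through the gateway with ssh -W.
# Only 22/tcp is ever exposed; the box is chosen by SSH host alias, not by
# inspecting packet contents in iptables.
gen_ssh_config() {
    cat <<EOF
Host gw
    HostName ${GATEWAY_NAME}
    User ${GATEWAY_USER}
    Port 22
EOF
    local entry name ip
    for entry in "$@"; do
        name=${entry%%=*}
        ip=${entry#*=}
        cat <<EOF

Host ${name}
    HostName ${ip}
    ProxyCommand ssh -W %h:%p gw
EOF
    done
}

# has_host_entry CONFIG NAME: true if CONFIG contains a "Host NAME" line.
has_host_entry() {
    printf '%s\n' "$1" | grep -qx "Host $2"
}

# Emit the config for the two boxes in the original setup.
gen_ssh_config box1=192.168.0.3 box2=192.168.0.4
```

Append the output to ~/.ssh/config on the client and `ssh box2` connects via the gateway; the FORWARD/DNAT rules for port 22 are then unnecessary.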