> I want to forward all the packets to port 80 and 443 to 16721 and am
> using the following rules:
>
> # 80->16721->80
> ${IPTABLES} -t nat -A PREROUTING -s 0.0.0.0/0 -d 192.168.0.1 -p tcp --dport 80 -j DNAT \
>     --to-destination 192.168.0.1:16721
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.0.1 -d 0/0 -p tcp --sport 16721 -j SNAT \
>     --to-source 192.168.0.1:80
>
> # 443->16721->443
> ${IPTABLES} -t nat -A PREROUTING -s 0.0.0.0/0 -d 192.168.0.1 -p tcp --dport 443 -j DNAT \
>     --to-destination 192.168.0.1:16721
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.0.1 -d 0/0 -p tcp --sport 16721 -j SNAT \
>     --to-source 192.168.0.1:443
>
> I'm just wondering - won't the source address of packets to 443 be
> changed to 192.168.0.1:80 instead of 192.168.0.1:443 when they're
> replied to the client?

NAT will handle that, but I'm not sure if this setup is going to work: you are forwarding both http and https to the same port.

> I don't know what type of connection tracking to use. Your help is
> appreciated.

With conntrack, you don't need the postrouting rules.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i <if_inet> -d 192.168.0.1 -p tcp --dport 80 \
    -j ACCEPT
iptables -A FORWARD -i <if_inet> -d 192.168.0.1 -p tcp --dport 443 \
    -j ACCEPT
iptables -t nat -A PREROUTING -i <if_inet> -p tcp --dport 80 \
    -j DNAT --to-destination 192.168.0.1:16721
iptables -t nat -A PREROUTING -i <if_inet> -p tcp --dport 443 \
    -j DNAT --to-destination 192.168.0.1:16721

If I were you I'd make the webserver listen on 16722 (or whatever) for https and forward port 443 to 16722.

Gr,
Rob
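To illustrate the point in the reply above (conntrack reverse-maps replies of a DNAT'd connection per flow, so no POSTROUTING SNAT rule is needed, while both services still land on the same server socket), here is a small model of that behaviour. It is an added example, not code from the thread; the client address 203.0.113.5 and the class and function names are constructed for the illustration.

```python
# Added example: minimal model of DNAT plus connection tracking, mirroring
# the PREROUTING rules in the thread (80 and 443 both DNAT'd to 16721).
# Constructed for illustration; it does not touch real netfilter state.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Shape of the quoted PREROUTING rules: incoming dst port -> (host, port).
DNAT_RULES = {80: ("192.168.0.1", 16721), 443: ("192.168.0.1", 16721)}


class Conntrack:
    """Per-connection table: translated reply tuple -> original destination."""

    def __init__(self):
        self.entries = {}

    def prerouting(self, pkt):
        """DNAT the first packet of a flow and remember what the client addressed."""
        target = DNAT_RULES.get(pkt.dport)
        if target is None:
            return pkt
        key = (pkt.src, pkt.sport, target[0], target[1])
        self.entries[key] = (pkt.dst, pkt.dport)  # e.g. ("192.168.0.1", 443)
        return Packet(pkt.src, pkt.sport, target[0], target[1])

    def reply(self, pkt):
        """Reverse-translate a server reply; untracked flows pass unchanged."""
        orig = self.entries.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return pkt
        # Source becomes the port the client originally connected to (80 or
        # 443), chosen per connection, which is why no SNAT rule is needed.
        return Packet(orig[0], orig[1], pkt.dst, pkt.dport)


def demo():
    ct = Conntrack()
    http = ct.prerouting(Packet("203.0.113.5", 40001, "192.168.0.1", 80))
    https = ct.prerouting(Packet("203.0.113.5", 40002, "192.168.0.1", 443))
    # The server answers both flows from its single real socket, :16721.
    r_http = ct.reply(Packet("192.168.0.1", 16721, "203.0.113.5", 40001))
    r_https = ct.reply(Packet("192.168.0.1", 16721, "203.0.113.5", 40002))
    return http, https, r_http, r_https
```

Both inbound flows arrive at 192.168.0.1:16721 with nothing left to tell http from https apart, which is the reason for the suggestion to use a second listening port for https.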