LOL. I did not say it was possible. I was looking for a way to do it.

I guess I am not as concerned with getting it to work with multiple external interfaces .... But mostly with the second part of my question (which by the way was ...)

"More importantly, what about trying to connect directly to the firewall from an external address"

I guess what I am really getting at is that if I set up DNAT the way suggested (see below) then I am not sure how I would be able to ssh to both the firewall and a box inside the firewall. Is the only way to do this to ssh to the firewall and then ssh to a box inside the firewall? (This was the suggestion. BTW, I am not using a mail server, it was just in the solution.)

iptables -t nat -A PREROUTING -p tcp --dport 25 -i $EXT_DEV -j DNAT --to-destination $SMTP_SERVER

My setup would be something like this:

iptables -t nat -A PREROUTING -p tcp --dport 22 -i $EXT_DEV -j DNAT --to-destination $InternalIPofFirewall

(this would direct all ssh connections on port 22 to the firewall)

Is the only other possibility (other than sshing to the firewall first and then to the internal box) to have another port listen on a high port, and set up my internal box to listen on that high port for ssh???

Thanks again, and sorry for the long confusing email ....

----- Original Message -----
From: "Daniel Chemko" <dchemko@xxxxxxxxxx>
To: "Ramin Dousti" <ramin@xxxxxxxxxxxxxxxxxxxx>; "Peter Marshall" <peter.marshall@xxxxxxxxx>
Cc: "Thorsten Scherf" <tscherf@xxxxxx>; <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, September 05, 2003 2:16 PM
Subject: RE: Nat with a dynamic IP

> Damn, guys, if you could set me up with a fantastic script that can do
> multiple DHCP subscriptions on a single NIC, I could throw away my all
> 4-port NIC's. I'll hear offers for the cards 'after' I get this script
> :-)
>
> -----Original Message-----
> From: Ramin Dousti [mailto:ramin@xxxxxxxxxxxxxxxxxxxx]
> Sent: Friday, September 05, 2003 10:11 AM
> To: Peter Marshall
> Cc: Thorsten Scherf; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Nat with a dynamic IP
>
> On Fri, Sep 05, 2003 at 11:36:09AM -0300, Peter Marshall wrote:
>
> > That is a pretty good solution for the SNAT. I never thought about MASQ.
> > However .... I am not sure if the DNAT is the best solution .... What if
> > you had multiple ip numbers on the external card ....
>
> and they're all dynamic? Give us an example...
>
> Ramin
>
> > More importantly, what about trying to connect directly to the firewall from
> > an external address.
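
Added example, not part of the original thread: a sketch of the high-port arrangement asked about above, with port 22 left to the firewall's own sshd and one high external port DNATed to port 22 on the internal box (so the internal sshd does not have to change ports). The function name ssh_rules, the interface eth0, the address 192.168.1.10 and port 2222 are assumed sample values; the rules are a fragment for a firewall that already forwards and NATs.

```shell
#!/bin/sh
# Added example: print iptables rules that keep SSH to the firewall itself on
# port 22 and forward one high port to an internal host's sshd.
# The interface, internal address and port used below are assumed values.

# ssh_rules EXT_DEV INTERNAL_IP HIGH_PORT
# Prints the rules instead of applying them, so they can be reviewed first.
ssh_rules() {
    ext_dev=$1 internal_ip=$2 high_port=$3

    # Reject empty, non-numeric or over-long port arguments.
    case $high_port in
        ''|*[!0-9]*|??????*) echo "bad port: $high_port" >&2; return 1 ;;
    esac
    # Only unprivileged ports: this also rejects 22, since DNATing 22 would
    # make the firewall's own sshd unreachable from outside.
    if [ "$high_port" -lt 1024 ] || [ "$high_port" -gt 65535 ]; then
        echo "port must be 1024-65535" >&2; return 1
    fi

    cat <<EOF
# 1. SSH to the firewall: local delivery goes through INPUT, no DNAT rule.
iptables -A INPUT -i $ext_dev -p tcp --dport 22 -j ACCEPT
# 2. High port on the external side is rewritten to the internal sshd.
#    No -d match, so it keeps working when the external IP changes.
iptables -t nat -A PREROUTING -i $ext_dev -p tcp --dport $high_port -j DNAT --to-destination $internal_ip:22
# 3. FORWARD sees the packet after DNAT: internal IP, port 22.
iptables -A FORWARD -i $ext_dev -p tcp -d $internal_ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Constructed sample values; review the output before applying it as root.
ssh_rules eth0 192.168.1.10 2222
```

With these rules an outside client reaches the firewall with plain ssh on port 22 and the internal box with ssh -p 2222 to the same external address.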