On Sat 06/09/2003 at 12:53, ÐÐÐÐÐÐÐÑ ÐÐÑÐÐÐÐ wrote:
> And which chain do I need to add to the ruleset?

Just rewrite your ruleset as follows:

# nat table
-A PREROUTING -t nat -d 121.1.1.1 -i eth0 -p tcp -j DNAT \
   --to-destination 192.168.5.2
-A PREROUTING -t nat -d 121.1.1.1 -i eth0 -p udp -j DNAT \
   --to-destination 192.168.5.2
-A POSTROUTING -t nat -o eth0 -j SNAT --to-source 121.1.1.1

# filter table
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state \
   --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state \
   --state NEW -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.5.0/255.255.255.0 -i eth1 -o eth0 -m state \
   --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A FORWARD -s 192.168.5.0/255.255.255.0 -i eth1 -o eth0 -m state \
   --state NEW -p udp -m udp --dport 53 -j ACCEPT

It should provide the same filtering functionality you wanted, plus returning packets accepted through the ESTABLISHED,RELATED rule. If you really want to restrict it to TCP and UDP only, just replace this rule with two more specific ones:

-A FORWARD -m state --state ESTABLISHED,RELATED -p udp -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT

I removed rules that seemed redundant, in particular your TCP flags check rule, which was replaced by the --syn switch. I also restricted inbound DNS filtering to 192.168.5.2 only.

Hope this helps.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
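The following is an added illustration, not part of the message above: a small Python model of the FORWARD chain in the proposed ruleset, used to check which packets it lets through. It assumes the chain's default policy is DROP (the message does not show a policy line), that conntrack has already classified each packet as NEW, ESTABLISHED or RELATED, and that FORWARD sees the post-DNAT destination 192.168.5.2 (which is why the inbound rules can match on the internal address). The `Packet`, `Rule`, `build_forward_chain` and `forward_verdict` names are invented for this example; the sample addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One forwarded packet, as seen by the filter table (after PREROUTING DNAT)."""
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str               # "tcp", "udp" or "icmp"
    state: str               # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    dport: Optional[int] = None
    syn: bool = False        # True when SYN is set and ACK,RST,FIN are clear (what --syn tests)


@dataclass(frozen=True)
class Rule:
    """Subset of iptables matches used by the ruleset in the message."""
    target: str
    states: Optional[frozenset] = None   # None means no -m state match
    src: Optional[str] = None
    dst: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn: bool = False

    def matches(self, p: Packet) -> bool:
        if self.states is not None and p.state not in self.states:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.in_if and p.in_if != self.in_if:
            return False
        if self.out_if and p.out_if != self.out_if:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.syn and not p.syn:
            return False
        return True


def build_forward_chain(strict_established: bool = False) -> List[Rule]:
    """The FORWARD rules from the message, in order.

    strict_established=True uses the two per-protocol ESTABLISHED,RELATED rules
    suggested as an alternative; note that this also drops RELATED ICMP errors.
    """
    est = frozenset({"ESTABLISHED", "RELATED"})
    new = frozenset({"NEW"})
    if strict_established:
        head = [Rule("ACCEPT", est, proto="udp"), Rule("ACCEPT", est, proto="tcp")]
    else:
        head = [Rule("ACCEPT", est)]
    return head + [
        Rule("ACCEPT", new, dst="192.168.5.2/32", in_if="eth0", out_if="eth1",
             proto="tcp", dport=53, syn=True),
        Rule("ACCEPT", new, dst="192.168.5.2/32", in_if="eth0", out_if="eth1",
             proto="udp", dport=53),
        Rule("ACCEPT", new, src="192.168.5.0/24", in_if="eth1", out_if="eth0",
             proto="tcp", dport=53, syn=True),
        Rule("ACCEPT", new, src="192.168.5.0/24", in_if="eth1", out_if="eth0",
             proto="udp", dport=53),
    ]


def forward_verdict(p: Packet, chain: Optional[List[Rule]] = None,
                    policy: str = "DROP") -> str:
    """First-match evaluation, falling back to the chain policy (assumed DROP)."""
    rules = build_forward_chain() if chain is None else chain
    for rule in rules:
        if rule.matches(p):
            return rule.target
    return policy


if __name__ == "__main__":
    # Constructed sample packets: an inbound DNS query, a non-DNS connection
    # attempt, and a RELATED ICMP error under both ESTABLISHED,RELATED variants.
    samples = [
        ("inbound tcp/53 SYN to DNS host",
         Packet("203.0.113.9", "192.168.5.2", "eth0", "eth1", "tcp", "NEW", 53, True)),
        ("inbound tcp/80 SYN to DNS host",
         Packet("203.0.113.9", "192.168.5.2", "eth0", "eth1", "tcp", "NEW", 80, True)),
        ("RELATED icmp error to LAN host",
         Packet("198.51.100.1", "192.168.5.10", "eth0", "eth1", "icmp", "RELATED")),
    ]
    for label, pkt in samples:
        print(f"{label}: {forward_verdict(pkt)} / strict: "
              f"{forward_verdict(pkt, build_forward_chain(True))}")
```

The model shows two points worth keeping in mind when deploying the ruleset: a mid-stream TCP packet with no conntrack entry (no SYN, state NEW) is dropped by the `--syn` rules rather than accepted, and the per-protocol ESTABLISHED,RELATED variant silently drops RELATED ICMP errors such as fragmentation-needed, which can break path MTU discovery for the hosts behind the firewall.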