On Wed, 8 Oct 2003, Nathan Whittacre wrote:

> We do have control over the NAT box. It is a custom Linux router that
> we put in for these clients. The biggest problem with the DNATing to a
> specific internal IP is that several client computers will want to use
> it at different times. So, I don't want to have to change the DNATing
> every time a different computer wants to connect.

Bummer.

You might plagiarize the code from the FTP helper module, designating the return connection to the NAT box's port 1066 as "related", which you would then allow through the firewall and which would be de-NATted so it went to whichever client the original connection belonged to.

It would be a whole lot easier if the client would accept the return connection from an arbitrary source port (not just the mainframe's 1066), so you won't have to think about conntracks hanging around if a connection shuts down uncleanly -- as far as the helper module is concerned, arbitrarily many clients can use the service at once, with different source ports, even if there's a limit at the mainframe.

But I've never actually tried doing this kind of thing. Other people on the list, however, do seem to successfully make special modules. "Let's you and him fight" :-)

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@xxxxxxxxxxxxx  http://www.math.ucla.edu/~jimc (q.v. for PGP key)
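The helper-module idea above, as an added userspace model (not code from the thread, and not the netfilter API): an "expectation" is registered when a client's outbound connection is seen, an inbound SYN that matches it is classified RELATED and de-NATted to that client, anything else is plain NEW for the normal firewall policy, and a stale conntrack entry from an unclean shutdown blocks reuse of the same tuple, which is the hang-around problem James points at. The addresses, the per-client call-back port and the assumption that the helper learns that port in-band (as the FTP helper does from PORT) are constructed for the example.

```python
"""Model of conntrack expectations for a mainframe call-back from a fixed source port.
Assumed protocol: the client opens a control connection and announces a call-back
port; the mainframe then connects from its port 1066 to the NAT box on that port."""
from dataclasses import dataclass, field

MAINFRAME = "203.0.113.10"  # constructed mainframe address
NAT_BOX = "198.51.100.1"    # constructed public address of the NAT router
CALLBACK_SRC_PORT = 1066    # the mainframe's fixed source port from the thread


@dataclass
class Tracker:
    now: float = 0.0
    # 4-tuple (src_ip, src_port, dst_ip, dst_port) -> (client_ip, expiry time)
    expectations: dict = field(default_factory=dict)
    # live conntrack entries for consumed expectations, same key -> client_ip
    conntrack: dict = field(default_factory=dict)

    def client_connects(self, client_ip, callback_port, ttl=30.0):
        """Helper saw a client announce callback_port: expect MAINFRAME:1066 -> NAT_BOX:callback_port."""
        key = (MAINFRAME, CALLBACK_SRC_PORT, NAT_BOX, callback_port)
        if key in self.conntrack:
            # An uncleanly closed session still owns this tuple, so a new one cannot be tracked.
            raise RuntimeError(f"stale conntrack for {key} still owned by {self.conntrack[key]}")
        self.expectations[key] = (client_ip, self.now + ttl)

    def incoming_syn(self, src_ip, src_port, dst_port):
        """Classify an inbound SYN to the NAT box: ('RELATED', de-NAT target) or ('NEW', None)."""
        key = (src_ip, src_port, NAT_BOX, dst_port)
        exp = self.expectations.get(key)
        if exp is None or exp[1] < self.now:
            self.expectations.pop(key, None)  # drop an expired expectation if there was one
            return ("NEW", None)              # ordinary firewall policy decides; typically dropped
        client_ip = exp[0]
        del self.expectations[key]            # an expectation is consumed by exactly one connection
        self.conntrack[key] = client_ip
        return ("RELATED", (client_ip, dst_port))

    def connection_closed(self, src_ip, src_port, dst_port):
        """Clean teardown releases the tuple; an unclean one never calls this."""
        self.conntrack.pop((src_ip, src_port, NAT_BOX, dst_port), None)
```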