Hello, I haven't been lurking here long but have tried the FAQs, tutorials and How-To's. I'm an iptables novice. I thought this would be simple; I hope I'm overlooking something obvious. I have a Linux server acting as a gateway between the internet and the internal network, allowing only authenticated hosts internet access. I have a simple FORWARD (policy DROP) ruleset into which individual hosts, after authentication, are inserted and allowed internet access. As each host's session time expires, the corresponding ACCEPT rule is removed from FORWARD. That all works well. Now I would like to do something like DNAT for http connections from NON-authenticated hosts to a webserver on my gateway box, but still let authenticated hosts through. -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1 unfortunately catches everything. Is there a way to "redirect" web connections only if the packet hasn't already been ACCEPTed for forwarding? For example: Host 192.168.2.128 is authenticated and should be allowed any internet connections. http requests from all other internal hosts are sent to the local web server: -P FORWARD DROP -A FORWARD -p udp --dport 53 -j ACCEPT -A FORWARD -p udp --sport 53 -j ACCEPT -A FORWARD -s 192.168.2.128 -p ALL -j ACCEPT -A FORWARD -d 192.168.2.128 -p ALL -j ACCEPT -A [something really smart like DNAT but only if the packet traverses this far] Thanks -Glen
