Craig, thanks! That works great for now; "simple is good". If time permits
later I would like to experiment with your and Jeroen's suggestion of marking.

-Glen

On Thu, 2004-02-26 at 03:32, Philip Craig wrote:
> Use these rules:
>
> -t nat -A PREROUTING -s 192.168.2.128 -j ACCEPT
> -t nat -A PREROUTING -d 192.168.2.128 -j ACCEPT
> -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1
> -P FORWARD DROP
> -A FORWARD -p udp --dport 53 -j ACCEPT
> -A FORWARD -p udp --sport 53 -j ACCEPT
> -A FORWARD -s 192.168.2.128 -p ALL -j ACCEPT
> -A FORWARD -d 192.168.2.128 -p ALL -j ACCEPT
>
> If you don't like duplicating the rules like that, then you could
> set marks in mangle PREROUTING and base both the nat and filter rules
> off the mark. Or you could patch your kernel to use ippool or ipset,
> then you wouldn't need to dynamically add rules at all, you just
> have one rule each in nat and filter referring to the pool/set.
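The mark-based variant Philip describes, written out as an added example script that is not from the thread. It assumes the exempt host 192.168.2.128, web server 192.168.2.1 and external interface eth1 from the quoted rules plus a mark value of 1, and it prints the iptables commands instead of applying them unless IPT=iptables is set in the environment.

```shell
#!/bin/sh
# Mark-based rewrite of the quoted rule set (added example, not from the thread).
# Assumed values: exempt host, web server, external interface, mark number.
# IPT defaults to "echo iptables" so the script only prints the rules it would
# apply; run with IPT=iptables (as root) to load them for real.
IPT="${IPT:-echo iptables}"
EXEMPT=192.168.2.128   # host that must bypass the port-80 redirect
WEB=192.168.2.1        # where everyone else's port-80 traffic is sent
EXT_IF=eth1            # interface the redirected traffic arrives on
MARK=1                 # packet mark meaning "exempt from redirect and filter"

# The exemption lives in exactly one place: mangle PREROUTING sees every
# packet, so both nat and filter can key off the mark instead of the address.
# Another exempt host costs two more lines here and nothing elsewhere.
mark_rules() {
    $IPT -t mangle -A PREROUTING -s "$EXEMPT" -j MARK --set-mark "$MARK"
    $IPT -t mangle -A PREROUTING -d "$EXEMPT" -j MARK --set-mark "$MARK"
}

# nat: marked packets skip the DNAT; everything else on eth1:80 is redirected.
nat_rules() {
    $IPT -t nat -A PREROUTING -m mark --mark "$MARK" -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to "$WEB"
}

# filter: default-deny forwarding, allow DNS, allow marked packets only.
filter_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -p udp --sport 53 -j ACCEPT
    $IPT -A FORWARD -m mark --mark "$MARK" -j ACCEPT
}

all_rules() { mark_rules; nat_rules; filter_rules; }

all_rules
```

The exemption still keys on the address alone, exactly as the quoted rules do, so if the untrusted side could spoof 192.168.2.128, add an `-i` match on the internal interface to the two mangle rules.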