Have you tried something like:

    # Let reply and related traffic through in both directions.
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # FORWARD sees the packet after the PREROUTING DNAT below, so match the
    # rewritten destination (10.73.219.77:80), not 10.73.219.156:80.
    iptables -A FORWARD --destination 10.73.219.77 -p tcp --dport 80 -j ACCEPT
    # Rewrite client -> 10.73.219.156:8080 to the web server at 10.73.219.77:80.
    iptables -t nat -A PREROUTING --destination 10.73.219.156 -p tcp --dport 8080 -j DNAT --to-destination 10.73.219.77:80
    # Make the web server see the firewall as the source so its replies come back through it.
    iptables -t nat -A POSTROUTING --destination 10.73.219.77 -p tcp --dport 80 -j SNAT --to-source 10.73.219.156

Remember, if the default router of the web server isn't your firewall box, the packet will exit the router, but when the next packet destined for the web server is sent by the client, the Linux box doesn't think it's valid. This is because conntrack missed the obligatory SYN-ACK. The subsequent ACK to the firewall would mean nothing. I could be wrong about the internal logic, but it'd make sense.
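The same port forward as a complete, loadable ruleset, as an added example that is not part of the original post. It reuses the post's example addresses (10.73.219.156 assumed to be the firewall's own address, 10.73.219.77 the web server) as hypothetical values, uses the newer -m conntrack match instead of -m state, and matches the FORWARD rule on the post-DNAT destination because PREROUTING runs before FORWARD:

```sh
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore ruleset
# for a port forward through a Linux box, with a helper to apply it.
# All addresses and ports are hypothetical and passed in as arguments.

dnat_ruleset() {
    fw_ip=$1      # address clients connect to (the firewall itself)
    web_ip=$2     # web server behind the firewall
    pub_port=$3   # port exposed to clients
    svc_port=$4   # port the web server actually listens on
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the client's destination before the routing decision.
-A PREROUTING -d $fw_ip -p tcp --dport $pub_port -j DNAT --to-destination $web_ip:$svc_port
# Rewrite the source so the server answers the firewall rather than the client
# directly; this keeps the return path through conntrack even when the server's
# default route is not this box (cost: the server's logs show $fw_ip, not the client).
-A POSTROUTING -d $web_ip -p tcp --dport $svc_port -j SNAT --to-source $fw_ip
COMMIT
*filter
:FORWARD DROP [0:0]
# Replies and related traffic in both directions.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# FORWARD runs after the PREROUTING DNAT, so match the rewritten destination.
-A FORWARD -d $web_ip -p tcp --dport $svc_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count rules of one chain in the generated ruleset (handy for sanity checks).
rule_count() {
    chain=$1; shift
    dnat_ruleset "$@" | grep -c "^-A $chain "
}

# Apply on the firewall: forwarding must be on, otherwise DNATed packets are
# dropped before they ever reach FORWARD.  Note that iptables-restore without
# --noflush replaces the nat and filter tables wholesale.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    dnat_ruleset "$@" | iptables-restore
}

# Usage (as root, on the firewall):
#   apply_ruleset 10.73.219.156 10.73.219.77 8080 80
# To inspect first: dnat_ruleset 10.73.219.156 10.73.219.77 8080 80
```

Setting the FORWARD policy to DROP in the file is deliberate: with ACCEPT, the FORWARD rules would be decorative. If the box already carries other forwarding rules, generate the file, review it, and load it with `iptables-restore --noflush` instead of letting the helper flush the tables.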