On Thu, 2004-06-10 at 00:43, Michael Rowley MD wrote:
> I have a block of IPs from Sprint, 209.26.244.33/29. I have 2 servers
> inside the firewall that I would like to have accessible from the
> internet on an external fixed IP. Currently the internal network is on
> 192.168.1.0/24, the firewall is working, and I can ssh into the
> firewall, but would like to ssh into all the servers, and need web
> access to both also. I will try and diagram this, just to elucidate.

Do source nat and destination nat in both PREROUTING and POSTROUTING,
ignoring the interface on which the packets are seen. E.g.

    -A PREROUTING -j dst-nat
    -A POSTROUTING -j src-nat
    -A dst-nat -d 209.26.244.33 -j DNAT --to-destination 192.168.1.33
    ...
    -A src-nat -s 192.168.1.33 -j SNAT --to-source 209.26.244.33
    ...

This assumes that you don't want to set up a DNS server that gives
"fake" answers to clients on 192.168.1.0/24.

Both approaches work for me. YMMV.

Ciao,
Sheldon.
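
The rules from the reply above, generated per public/private pair and validated before use, as an added example that is not part of the original message. The second mapping, the port list, the FORWARD lines and all function names are assumptions; the output is meant to be merged into the `*nat` and `*filter` sections of an existing iptables-save file.

```shell
#!/bin/sh
# Added example: emit iptables-save style lines for 1:1 NAT mappings.
# The .34 pair and the port list are constructed sample values (assumptions).
MAPPINGS="209.26.244.33=192.168.1.33 209.26.244.34=192.168.1.34"
PORTS="22,80"

is_ipv4() {
    # Dotted quad, each octet numeric and 0-255.
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

check_mappings() {
    # Refuse anything that is not exactly public=private with valid addresses.
    for m in $1; do
        case "$m" in *=*=*) false ;; *=*) true ;; *) false ;; esac ||
            { echo "bad mapping: $m" >&2; return 1; }
        is_ipv4 "${m%%=*}" && is_ipv4 "${m##*=}" ||
            { echo "bad address in: $m" >&2; return 1; }
    done
}

nat_lines() {
    # Lines for the *nat section: the dst-nat and src-nat chains from the reply.
    check_mappings "$1" || return 1
    printf '%s\n' ':dst-nat - [0:0]' ':src-nat - [0:0]' \
        '-A PREROUTING -j dst-nat' '-A POSTROUTING -j src-nat'
    for m in $1; do
        echo "-A dst-nat -d ${m%%=*} -j DNAT --to-destination ${m##*=}"
        echo "-A src-nat -s ${m##*=} -j SNAT --to-source ${m%%=*}"
    done
}

filter_lines() {
    # Lines for the *filter section. FORWARD sees the packet after DNAT,
    # so these match the private address, not the public one.
    check_mappings "$1" || return 1
    for m in $1; do
        echo "-A FORWARD -d ${m##*=} -p tcp -m multiport --dports $2 -m conntrack --ctstate NEW -j ACCEPT"
        echo "-A FORWARD -d ${m##*=} -m conntrack --ctstate NEW -j DROP"
    done
}

# Print both fragments for the sample mappings.
nat_lines "$MAPPINGS" && filter_lines "$MAPPINGS" "$PORTS"
```

The FORWARD lines only take effect if they sit ahead of any broader ACCEPT rule already in that chain.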