Hi,

On Fri, 16 Jul 2004 19:27:55 +0100, Antony Stone

> > Why is the FORWARD rule needed here?
>
> Because without it, the DNAT rule will change the destination address of the
> packets, and then they won't be allowed through the next chain in sequence
> (PREROUTING --> FORWARD --> POSTROUTING).

I am sorry I don't understand it much. Tell me one more thing, if I have 10 machines in DMZ with 10 ports each to allow for outside world, does that mean writing 100 FORWARD rules and 100 PREROUTING rules?

> If you *didn't* have a DNAT rule, you would need a FORWARD rule, so I think it
> would seem strange if you didn't need a FORWARD rule just because you'd
> changed the destination address. (For example, what would happen if you
> used a DNAT rule which "changed" the address to the same as it already was?
> Or maybe two DNAT rules in a row - one changes it, and the next changes it
> back again?)

Sorry again, but this is just sounding Greek to me now :)

With warm regards,
-Payal
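
The following is an added example, not part of the original thread: a script that prints (without executing) one PREROUTING DNAT rule and one FORWARD rule per DMZ host, using the `multiport` match so the rule count scales with hosts rather than with hosts times ports. The interface name, all addresses and the port lists are constructed assumptions, and the FORWARD rules match the DMZ address because FORWARD sees the packet after DNAT has rewritten its destination.

```shell
#!/bin/sh
# Added example: prints iptables commands, does not apply them.
# EXT_IF, the addresses and the port lists are constructed samples.

EXT_IF="eth0"   # assumed name of the external interface

# One line per DMZ host: public address, DMZ address, comma-separated TCP ports.
# The multiport match accepts at most 15 ports per rule.
dmz_hosts() {
cat <<'EOF'
192.0.2.10 10.0.0.10 25,80,110,143,443
192.0.2.11 10.0.0.11 53,80,443
EOF
}

gen_rules() {
    # Return traffic for connections that were already accepted.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    dmz_hosts | while read -r pub dmz ports; do
        # PREROUTING: rewrite the destination address; the port is unchanged.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $dmz"
        # FORWARD: runs after DNAT, so it must match the DMZ address,
        # not the public one the client originally connected to.
        echo "iptables -A FORWARD -i $EXT_IF -d $dmz -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
    done
}

gen_rules
```

With a default DROP policy on FORWARD, any port missing from a host's list stays unreachable even though the DNAT rule set exists, which is the separation between translation and filtering described in the quoted reply.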