Hello Wilson,

> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80

That's ok.

> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT

This rule is only necessary if you have a webserver running on your firewall.

> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT

Oops. You made a mistake. You have added a rule which changes the destination IP address to your internal webserver, remember? Your forward rule must specify the internal address as destination.

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12/32 --dport 80 --syn -j ACCEPT

Regards,

--
Alejandro Flores
http://www.triforsec.com.br/
http://www.defenselayer.com/
http://www.nabucodonosor.com/
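The hook ordering behind this reply, as an added example that is not part of the original message: a small Python model in which nat/PREROUTING rewrites the destination before the routing decision, so the filter rules only ever see 10.1.0.12. Assumptions: 203.0.113.10 is a constructed stand-in for `<ext ip>`, the firewall's own addresses and a default DROP policy are invented for the model, and both `--state NEW` and `--syn` are reduced to a SYN flag.

```python
from ipaddress import ip_address, ip_network

EXT_IP = "203.0.113.10"             # constructed stand-in for <ext ip>
WEB = "10.1.0.12"                   # internal web server from the thread
LOCAL_ADDRS = {EXT_IP, "10.1.0.1"}  # assumed addresses owned by the firewall

def prerouting_dnat(pkt):
    """nat/PREROUTING: -i eth0 -d <ext ip> -p tcp --dport 80 -j DNAT --to 10.1.0.12:80"""
    if (pkt["in"], pkt["dst"], pkt["proto"], pkt["dport"]) == ("eth0", EXT_IP, "tcp", 80):
        return {**pkt, "dst": WEB, "dport": 80}
    return pkt

def route(pkt):
    """The routing decision runs after PREROUTING and sees the rewritten destination."""
    if pkt["dst"] in LOCAL_ADDRS:
        return {**pkt, "chain": "INPUT"}
    return {**pkt, "chain": "FORWARD", "out": "eth1"}

def matches(rule, pkt):
    return (pkt["chain"] == rule["chain"] and pkt["in"] == rule["in"]
            and pkt.get("out") == rule.get("out")
            and ip_address(pkt["dst"]) in ip_network(rule["dst"])
            and pkt["proto"] == "tcp" and pkt["dport"] == rule["dport"]
            and pkt["syn"])

def verdict(rules, pkt, policy="DROP"):
    """Return (chain the packet traversed, verdict) under an assumed default policy."""
    pkt = route(prerouting_dnat(pkt))
    for rule in rules:
        if matches(rule, pkt):
            return pkt["chain"], "ACCEPT"
    return pkt["chain"], policy

# The two filter rules quoted in the message, and the corrected FORWARD rule.
INPUT_RULE = {"chain": "INPUT", "in": "eth0", "dst": EXT_IP + "/32", "dport": 80}
ORIGINAL_FORWARD = {"chain": "FORWARD", "in": "eth0", "out": "eth1",
                    "dst": EXT_IP + "/32", "dport": 80}
FIXED_FORWARD = {**ORIGINAL_FORWARD, "dst": WEB + "/32"}

# Constructed inbound SYN to the external address on port 80.
SYN = {"in": "eth0", "dst": EXT_IP, "proto": "tcp", "dport": 80, "syn": True}

if __name__ == "__main__":
    print("original:", verdict([INPUT_RULE, ORIGINAL_FORWARD], SYN))
    print("fixed:   ", verdict([INPUT_RULE, FIXED_FORWARD], SYN))
```

On a live firewall, the packet counters from `iptables -L FORWARD -v -n` show the same thing: the rule matching `<ext ip>` stays at zero while the one matching 10.1.0.12 increments.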