On Sun, 2005-01-02 at 19:39, Andreas Pettersson wrote:
> ## WWW Forwarding ...
> iptables -t nat -A PREROUTING -d $INET_IP -p tcp --dport 80 -j DNAT
> --to-destination 192.168.1.30
> iptables -A FORWARD -d $INET_IP -p tcp --syn --dport 80 -m state
> --state NEW -j ACCEPT

the DNAT happens PREROUTING; which is before FORWARD--therefore, the
destination IP at this point is 192.168.1.30; not $INET_IP.

> iptables -t nat -A POSTROUTING -s 192.168.1.30 -p tcp --sport 80 -j
> SNAT --to-source $INET_IP

this is unnecessary; as the reply packets part of the DNAT-ed connection
will automatically be SNAT-ed, as nat is stateful.

however--you do not have a rule that allows replies from the web
server--might i simply suggest:

  iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-j

--
"Well, I'm not calling you a liar, but... I can't think of a way to finish
that sentence."
--The Simpsons
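
The hook order described in the reply above, as an added Python model that is not part of the original message or of netfilter itself. It walks a SYN and its reply through PREROUTING, FORWARD and POSTROUTING for three FORWARD rule sets. Assumptions: the `INET_IP` and `CLIENT` addresses are constructed, the `-d 192.168.1.30` NEW rule is inferred from the reply rather than quoted from it, `--syn` is not modelled, and all function names are hypothetical.

```python
INET_IP = "203.0.113.10"   # constructed stand-in for $INET_IP
WEB = "192.168.1.30"       # web server address from the thread
CLIENT = "198.51.100.7"    # constructed client address

def matches(rule, pkt):
    """A rule matches when every field it names agrees with the packet."""
    return all(pkt[k] in v if k == "state" else pkt[k] == v
               for k, v in rule.items())

def traverse(pkt, forward_rules, conntrack):
    """Walk one packet PREROUTING -> FORWARD -> POSTROUTING (policy DROP)."""
    pkt = dict(pkt)
    tup = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    entry = conntrack.get(tup)          # (field to rewrite, new address)
    pkt["state"] = "ESTABLISHED" if entry else "NEW"
    new_conn = None
    # nat/PREROUTING: destination is rewritten before the filter table runs.
    if entry and entry[0] == "dst":
        pkt["dst"] = entry[1]
    elif entry is None and pkt["dst"] == INET_IP and pkt["dport"] == 80:
        pkt["dst"] = WEB
        reply = (WEB, 80, pkt["src"], pkt["sport"])
        new_conn = {tup: ("dst", WEB), reply: ("src", INET_IP)}
    # filter/FORWARD: rules see the post-DNAT destination.
    if not any(matches(r, pkt) for r in forward_rules):
        return "DROP", pkt
    conntrack.update(new_conn or {})    # entry is confirmed only on accept
    # POSTROUTING: conntrack reverses the DNAT on replies, no SNAT rule needed.
    if entry and entry[0] == "src":
        pkt["src"] = entry[1]
    return "ACCEPT", pkt

# FORWARD rule from the quoted script: matches on the pre-DNAT address.
ORIGINAL = [{"dst": INET_IP, "dport": 80, "state": {"NEW"}}]
# Assumed correction: match the post-DNAT address, but still no reply rule.
NO_REPLY = [{"dst": WEB, "dport": 80, "state": {"NEW"}}]
# The reply's ESTABLISHED,RELATED rule inserted ahead of the assumed NEW rule.
FIXED = [{"state": {"ESTABLISHED", "RELATED"}}] + NO_REPLY

def demo(rules):
    """Return (SYN verdict, SYN dst at FORWARD, reply verdict, reply src on exit)."""
    ct = {}
    syn = {"src": CLIENT, "sport": 40000, "dst": INET_IP, "dport": 80}
    v1, out = traverse(syn, rules, ct)
    rep = {"src": WEB, "sport": 80, "dst": CLIENT, "dport": 40000}
    v2, back = traverse(rep, rules, ct)
    return v1, out["dst"], v2, back["src"]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("no-reply", NO_REPLY), ("fixed", FIXED)):
        print(name, demo(rules))
```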