On Fri, 2005-01-14 at 06:38, Deepak Seshadri wrote:
> iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s $PublicIPAdd -d 202.147.167.99 \
> --dport 21 -j DNAT --to-destination 192.168.0.5

personally--i don't believe in filtering in NAT. nat in NAT, and filter in FILTER; that's why they're there. it makes the rule set much easier to troubleshoot, and it saves you time a year from now when you look at your rules and can't figure out why you can't FTP to that server from some random IP address, since the FILTER rule is wide open.

-j

--
"Let us all bask in television's warm glowing warming glow."
	--The Simpsons
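Added example, not part of the original message: a small audit that reads rules in `iptables-save` format and reports nat-table DNAT rules that also match on source address, run against the quoted rule and against a split version where the source restriction lives in the filter table. The rule sets are constructed samples; `eth0` (for `$EXT_IF`), `198.51.100.7` (for `$PublicIPAdd`) and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample: the quoted rule, source match inside the nat table,
# with a wide-open FORWARD rule in the filter table.
mixed_ruleset() { cat <<'EOF'
*nat
-A PREROUTING -s 198.51.100.7/32 -d 202.147.167.99/32 -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.5
COMMIT
*filter
-A FORWARD -d 192.168.0.5/32 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: same policy split by table. FORWARD is traversed after
# PREROUTING, so it matches the translated destination 192.168.0.5.
split_ruleset() { cat <<'EOF'
*nat
-A PREROUTING -d 202.147.167.99/32 -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.5
COMMIT
*filter
-A FORWARD -s 198.51.100.7/32 -d 192.168.0.5/32 -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# Read iptables-save text on stdin; print each nat-table rule that both
# jumps to DNAT and carries a source-address match (filtering done in NAT).
nat_source_filters() {
    awk '
        /^\*/ { table = substr($1, 2); next }   # "*nat", "*filter", ...
        table == "nat" && $1 == "-A" {
            src = 0; dnat = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "-s" || $i == "--source") src = 1
                if ($i == "-j" && $(i + 1) == "DNAT") dnat = 1
            }
            if (src && dnat) print
        }'
}

echo "mixed rule set:"; mixed_ruleset | nat_source_filters
echo "split rule set:"; split_ruleset | nat_source_filters
```

On a live host the same function can be fed from `iptables-save` instead of the sample functions.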