Hello, I am a network admin of a small dormitory in Germany (FH-Suderburg). Until now we had one server. This server was a router, web server, DNS and firewall. Now we have a second server. Both servers are running under Debian Sarge. The old server is now only router + firewall.

The problem is that I don't want to tell everyone that he/she has to change the DNS server. So I thought that I can redirect every DNS request to the new server. My NAT rules for external connections (HTTP, SMTP) are working.

Network plan:

      internet
         |
         |
       router ---- server (DNS + HTTP + EMail)
         |
         |
      intranet

router:  intern: eth0 - 192.168.112.1, extern: eth1 - 193.x.x.251, dmz: eth2 - 10.0.0.1
server:  eth0: 10.0.0.2

Here are the rules I tried the last time:

EXT=eth1
EXT_IP=193.x.x.251
EXT_NET=193.x.x.0/24
DMZ=eth2
DMZ_IP=10.0.0.1
DMZ_NET=10.0.0.1/30
INT=eth0
INT_IP=192.168.112.1
INT_NET=192.168.112.0/24
SERVER_DMZ=10.0.0.2

# TCP
iptables -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to-destination $SERVER_DMZ
iptables -t nat -A POSTROUTING -o $INT -s $SERVER_DMZ -p tcp --dport 53 -j SNAT --to-source $INT_IP
iptables -A FORWARD -i $INT -m state --state NEW -p tcp -d $SERVER_DMZ --dport 53 -j ACCEPT

# UDP
iptables -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to-destination $SERVER_DMZ
iptables -t nat -A POSTROUTING -o $INT -s $SERVER_DMZ -p udp --dport 53 -j SNAT --to-source $INT_IP
iptables -A FORWARD -i $INT -m state --state NEW -p udp -d $SERVER_DMZ --dport 53 -j ACCEPT

Greets,
Philipp Päper
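Added example (not Philipp's rules and not taken from his router): a small POSIX shell script that builds the transparent DNS redirect described above and can print the rules for review before applying them. It assumes the interface names and addresses from the post (eth0 = 192.168.112.1 towards the dorm, eth2 = 10.0.0.1 towards the DMZ, server at 10.0.0.2); the ESTABLISHED,RELATED rule is included on the assumption that the existing firewall script does not already carry one. Two things differ from the posted rules on purpose: the reply packets from 10.0.0.2 are reverse-translated by conntrack on their way back, so for clients on a different subnet no POSTROUTING SNAT is needed at all, and the DNAT is restricted with -s to the dorm network so that nothing arriving on the router from the DMZ or from outside is silently rewritten.

```shell
#!/bin/sh
# Added example: transparent DNS redirect on a Debian router with iptables.
# Addresses and interfaces are assumptions taken from the dorm network plan.
INT=eth0
INT_NET=192.168.112.0/24
DMZ=eth2
SERVER_DMZ=10.0.0.2

# Emit the rules for one transport protocol (udp or tcp) as text, without running them.
dns_redirect_rules_for() {
  proto="$1"
  # Rewrite the destination of every port-53 query from the dorm LAN to the DMZ server,
  # no matter which resolver the client has configured.
  echo "iptables -t nat -A PREROUTING -i $INT -s $INT_NET -p $proto --dport 53 -j DNAT --to-destination $SERVER_DMZ"
  # Let the first packet of the rewritten flow pass from the LAN into the DMZ.
  echo "iptables -A FORWARD -i $INT -o $DMZ -p $proto -d $SERVER_DMZ --dport 53 -m state --state NEW -j ACCEPT"
}

# Emit the complete rule set: stateful return path first, then UDP and TCP (zone transfers,
# large answers and retries over TCP must work too, so both protocols are covered).
dns_redirect_rules() {
  # Assumed missing from the existing firewall: replies to DNAT'ed queries come back
  # as ESTABLISHED and are un-DNATed by conntrack; they only need this ACCEPT.
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  dns_redirect_rules_for udp
  dns_redirect_rules_for tcp
}

# Self-check helper: how many iptables commands the generator produces.
count_rules() {
  dns_redirect_rules | grep -c "^iptables"
}

# Without arguments the script only prints the rules; "--apply" runs them (needs root).
if [ "${1:-}" = "--apply" ]; then
  dns_redirect_rules | sh -e
else
  dns_redirect_rules
fi
```

Run it once without arguments to read the generated rules, then with --apply as root. To verify, send a query from a dorm client to any external resolver address and check that the DMZ server answers it; the nat table counters (iptables -t nat -L PREROUTING -n -v) should increase on the DNAT lines. Because the server now receives recursive queries from 192.168.112.0/24 that it would otherwise never have seen, make sure its recursion policy allows that network and nothing beyond it.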