Thanks for your help. I solved the problem. First, I'll answer your questions, then I'll explain the fix.

Grant,

>Do you have any other rules in your FORWARD chain that will allow the rest of the traffic flow
>through to the Proxy, i.e. --state ESTABLISHED? Correspondingly do you have any rules that
>will prevent the traffic that is flowing from the proxy in eth1 and back out eth0? This could get
>you down the road.

Yes, I have FORWARD rules and I allow ESTABLISHED connections. The other 5 servers behind the firewall work fine. I did check for typos but I did not find any.

>You will have to specify a protocol "-p tcp" to use any port definitions.

No typos but... right, I was missing the protocol. I added the protocol to the rules and I was able to start the connection to the server, but the server had problems replying to the client so the connection was dropped.

To Jim,

>I think the difference is that the SNAT rule does not
>specify the protocol the way the DNAT rule does ( -p tcp ).
>You can only specify a source port for a
>protocol that uses the concept of a "port".

You might be right. I fixed the syntax of my rules and I still did not get the set up to work.

If you are interested, here's what I did.

1. Added the proxy's public IP to the firewall's external interface.

   ip addr add $PROXY_IP/23 dev eth0

2. Added a second private IP to the server that will be handling the requests for the offline server (eth0:0). Now I have an "extra" machine that will be replacing the offline proxy.

3. Configured proxy to listen on eth0:0 192.168.0.9:80

4. Iptables rules

   iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.9 --dport 80 -j ACCEPT
   iptables -t nat -I POSTROUTING -s 192.168.0.9 -o eth0 -j SNAT --to $PROXY_IP
   iptables -t nat -A PREROUTING -i eth0 -p tcp -d $PROXY_IP --dport 80 -j DNAT --to 192.168.0.9:80

My set up seems to be working fine. Thanks again for your help.

-K
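Added example, not part of the original message: a small lint for the mistake discussed in this thread, a port match or an addr:port NAT target in a rule that names no protocol. The function names are hypothetical, the sample rules are constructed, and 203.0.113.10 stands in for $PROXY_IP.

```shell
#!/bin/sh
# Added example. Lints iptables rule lines (IPv4 only): a port match or an
# addr:port NAT target is only valid when the rule also names a protocol.
lint_rule() {   # returns 0 if consistent, 1 if a port is used without -p
    rule=$1 has_proto=no needs_proto="" prev=""
    set -f      # no globbing while the rule is split on whitespace
    for tok in $rule; do
        case "$prev" in
            -p|--protocol)
                case "$tok" in
                    tcp|udp|sctp|dccp|udplite) has_proto=yes ;;
                esac ;;
            --to|--to-source|--to-destination)
                case "$tok" in
                    *:*) needs_proto="$prev $tok" ;;
                esac ;;
        esac
        case "$tok" in
            --dport|--sport|--destination-port|--source-port|--dports|--sports)
                needs_proto=$tok ;;
        esac
        prev=$tok
    done
    set +f
    if [ -n "$needs_proto" ] && [ "$has_proto" = no ]; then
        echo "port used without -p ($needs_proto): $rule" >&2
        return 1
    fi
    return 0
}

count_bad_rules() {   # reads rules on stdin, prints how many fail lint_rule
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        lint_rule "$line" 2>/dev/null || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed sample: two rules without a protocol, then the three rules from
# the message with 203.0.113.10 standing in for $PROXY_IP.
SAMPLE_RULES='-A FORWARD -i eth0 -o eth1 -d 192.168.0.9 --dport 80 -j ACCEPT
-A PREROUTING -i eth0 -d 203.0.113.10 -j DNAT --to 192.168.0.9:80
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.9 --dport 80 -j ACCEPT
-I POSTROUTING -s 192.168.0.9 -o eth0 -j SNAT --to 203.0.113.10
-A PREROUTING -i eth0 -p tcp -d 203.0.113.10 --dport 80 -j DNAT --to 192.168.0.9:80'
printf '%s\n' "$SAMPLE_RULES" | count_bad_rules
```

The SNAT rule passes because its --to value carries no port, so it needs no protocol.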