Okay, I simplified my script, tried MASQUERADE vs FORWARD, and got it to work:

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2022 -j DNAT --to-destination 172.16.0.101:22
iptables -t nat -A POSTROUTING -j MASQUERADE

Why does this way work? What are the ramifications of using masquerading, i.e., is there any reason I shouldn't adopt this method?

>
> #!/bin/bash
>
> modprobe iptable_nat
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> EXT_IFACE="eth0"
> EXT_IP="172.17.17.165"
> INT_IFACE="eth1"
>
> SSH_IP="172.16.0.101"
> SSH_PORT="2203"
>
> IPT="/sbin/iptables"
> $IPT -F
> $IPT -F -t nat
> $IPT -X
>
> $IPT -A OUTPUT -o $EXT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -o $INT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # wide open, for testing...
> $IPT -t nat -P PREROUTING ACCEPT
> $IPT -t nat -P POSTROUTING ACCEPT
> $IPT -t nat -P OUTPUT ACCEPT
>
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A INPUT -i lo -j ACCEPT
>
> # the variable defined above is SSH_IP (the script used the undefined $SSH_HOST here)
> $IPT -t nat -A PREROUTING -p tcp -i $EXT_IFACE -d $EXT_IP --dport $SSH_PORT --sport 1024:65535 -j DNAT --to $SSH_IP:22
> # DNAT runs in PREROUTING, so by the time FORWARD sees the packet the destination port is 22, not $SSH_PORT
> $IPT -A FORWARD -p tcp -i $EXT_IFACE -o $INT_IFACE -d $SSH_IP --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
>
> $IPT -A FORWARD -j LOG --log-prefix "meh "

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
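Two things changed between the long script and the five-line version, and they explain why the short one works. First, the long script matched the external port (2203) in the FORWARD chain; DNAT runs in PREROUTING, so FORWARD only ever sees destination port 22 and that ACCEPT rule never matches, while the short version has no FORWARD rules at all and relies on the chain's default ACCEPT policy. Second, the blanket `-j MASQUERADE` rewrites the source of every forwarded packet, on every output interface, to the gateway's own address, so replies from 172.16.0.101 come back to the gateway no matter what that host's routing table says. That convenience has a cost: sshd on the internal host now logs the gateway's 172.16.0.x address for every connection, so its logs, fail2ban-style blocking and `user@host` patterns in `AllowUsers` can no longer tell clients apart, and the gateway forwards anything routed through it. MASQUERADE is also meant for interfaces with a dynamic address (it looks up the source address per packet and discards its connection-tracking state when the interface goes down); with a static address, `SNAT --to-source` is the intended target. The script below is an added example written for this thread, not the poster's script: it keeps the same port forward, matches the post-DNAT port in FORWARD, defaults FORWARD to DROP, and applies source NAT only to the forwarded flow and only when asked. The interface names and addresses are taken from the quoted script; the gateway's internal address `INT_IP=172.16.0.1` is an assumption.

```shell
#!/bin/bash
# Added example for the netfilter thread, not the poster's own script.
# Builds the 2203 -> 172.16.0.101:22 forward with a FORWARD rule that
# matches the post-DNAT port and an optional SNAT scoped to that one flow,
# instead of a blanket "-t nat -A POSTROUTING -j MASQUERADE".
set -eu

IPT="${IPT:-/sbin/iptables}"
EXT_IFACE="eth0"; EXT_IP="172.17.17.165"
INT_IFACE="eth1"; INT_IP="172.16.0.1"     # assumed: this gateway's address on eth1
SSH_IP="172.16.0.101"; SSH_PORT="2203"

# Prints the rule set, one command per line. $1 = 1 adds a source NAT for
# the forwarded flow; use it only if $SSH_IP does not route replies to
# 172.17.17.0/24 back through this box. $1 = 0 keeps the real client
# address visible to sshd on $SSH_IP.
render_rules() {
    local snat="${1:-0}"
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "$IPT -F; $IPT -t nat -F; $IPT -X"
    # Default-deny forwarding: only flows we list below are routed through.
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DNAT happens in PREROUTING, so FORWARD sees dport 22, never $SSH_PORT.
    echo "$IPT -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport $SSH_PORT -j DNAT --to-destination $SSH_IP:22"
    echo "$IPT -A FORWARD -i $EXT_IFACE -o $INT_IFACE -p tcp -d $SSH_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    if [ "$snat" = 1 ]; then
        # Rewrites the source of this flow only; everything else leaving
        # $INT_IFACE keeps its real source. Cost: sshd on $SSH_IP logs $INT_IP.
        echo "$IPT -t nat -A POSTROUTING -o $INT_IFACE -p tcp -d $SSH_IP --dport 22 -j SNAT --to-source $INT_IP"
    fi
}

# APPLY=1 executes the rules (needs root); by default they are only printed
# so the rule set can be reviewed first.
if [ "${APPLY:-0}" = 1 ]; then
    render_rules "${SNAT_INTERNAL:-0}" | sh -e
else
    render_rules "${SNAT_INTERNAL:-0}"
fi
```

Run it as `SNAT_INTERNAL=0 bash forward.sh` to review the rules, then with `APPLY=1` as root to load them. After an ssh connection to 172.17.17.165:2203, `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` should show the DNAT rule and the `--dport 22` FORWARD rule with non-zero counters; if the counters move but the session hangs, the internal host is not routing its replies back through the gateway, which is exactly the case the scoped SNAT (or the poster's MASQUERADE) papers over.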