Phil Mendelsohn wrote:
> > You may also need to make sure your forward (and output) rules allow
> > traffic to the web server.
>
> Right now output is set for -P ACCEPT. For the forward rules to allow web
> traffic, would I want -j MASQ or -j ACCEPT? from everywhere on port
> 80? It's a little unclear where the forward rules end and the portfw
> takes over.

Sample forwarding rule. ipmasqadm handles the portfw command and is a
separate application from ipchains.

    /usr/sbin/ipmasqadm portfw -a -P tcp -L RealIP 80 -R InternalIP 80

You have to masq all outgoing traffic from internal hosts.

    ipchains -A forward -i externaldevice -s internalnetwork -d 0.0.0.0/0 -j MASQ

Since output is set to accept everything, then that shouldn't be a problem.

> > Finally, if you don't already have it, you'll also need a port forward
> > command (ipmasqadm portfw) to forward traffic from port 80 on the
> > external I/F of the firewall to port 80 on the internal web server.
> >
> > Hope that helps,
>
> Quite a bit -- what's not clear is where does the port forwarding take
> place in the IPchain. Or does it happen outside, and if so, when /
> how. I think it's not as much like an audio/video patch panel as they
> lead one to believe, or am I just a little lost in the woods?

Also need a kernel patch unless you're using 2.2.18-2.2.19 (may be in
2.2.17 but I can't remember). You'll need to get the application
ipmasqadm. It's probably already there depending on how recent and what
distro you use.

HTH,
sim