Here's the FORWARD and PREROUTING bits of my rather extensive hack of a firewall script, which is forwarding port 35464 through, a randomly chosen port I run Azureus on. It works for me:

    $IPTABLES -N forwardallow
    $IPTABLES -A forwardallow -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A forwardallow -p icmp --icmp-type ! echo-request -j ACCEPT
    # bittorrent
    $IPTABLES -A forwardallow -m state --state NEW -p TCP --dport 35464 -j ACCEPT
    $IPTABLES -A forwardallow -j LOG --log-prefix "Firewalled in forwarding "
    $IPTABLES -A forwardallow -j DROP

    # Dunno why this is needed
    $IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j forwardallow
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    $IPTABLES -A FORWARD -j LOG --log-prefix "Dropped in forwarding "

    # bittorrent
    /sbin/iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 35464 -j DNAT --to 192.168.3.33:35464

I really hate how, near as I can tell, iptables requires you to put entries in both FORWARD and PREROUTING; it seems like violating OnceAndOnlyOnce to me. ipchains didn't do this, but other than that iptables is far better...

And I'm not sure about the first FORWARD line. It was all working great for many months, then one day I couldn't ssh into the server from the internal network; it was dropping packets in the FORWARD chain until I put that in. I think I might have upgraded the kernel...

The full script is at http://www.haxxed.com/random/firewall.txt

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
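The two-rule pairing the post complains about, generated for an arbitrary port as an added example (my code, not the poster's script or firewall.txt): it prints the nat/PREROUTING DNAT rule and the matching filter/FORWARD accept rule as a dry run instead of executing them, and explains why the filter rule can match on the rewritten destination. The port and internal address are the post's; the function names, the interface names and the `-d` match are this example's additions.

```shell
#!/bin/sh
# Added example, not from the original post: emit the pair of iptables rules one
# TCP port forward needs, as a dry run (printed, not executed).
# Why two rules: nat/PREROUTING rewrites the destination before the routing
# decision; filter/FORWARD then sees the packet with that rewritten destination,
# so the accept rule can and should be pinned to -d <internal host>.

# forward_rules EXTIF INTIF PORT INTERNAL_IP -> prints two rules, fails on bad input
forward_rules() {
    extif=$1; intif=$2; port=$3; inside=$4
    # Reject anything that is not a 1-65535 port so a typo cannot yield a rule
    # that loads but matches nothing, or abort the script half-applied.
    case $port in
        ''|*[!0-9]*) echo "forward_rules: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "forward_rules: bad port '$port'" >&2; return 1
    fi
    # 1. nat table: only traffic arriving on the external interface is rewritten.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$extif" "$port" "$inside" "$port"
    # 2. filter table: admit only NEW connections already DNATed to that host and
    #    port; replies are covered by an ESTABLISHED,RELATED rule as in the post.
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$extif" "$intif" "$inside" "$port"
}

# rule_count ARGS... -> number of rules forward_rules would emit (0 on bad input)
rule_count() {
    forward_rules "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Dry run with the post's port and host; eth0/eth1 are constructed sample names.
forward_rules eth0 eth1 35464 192.168.3.33
```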