> The problem is, as I said before, kernel 2.2 doesn't like to do NAT on IP
> protocols other than TCP and UDP.

Almost true. Using the iproute2 tools, you can do a static NAT of an inside box to outside. You can then use standard packet filter firewall rules to block various ports you don't want access to from outside. It is the Linux masquerading code that has the problem; regular NAT works just fine. Problem is that it burns another external IP address.