
Re: forwarding iptable packets



On Wed, Feb 01, 2006 at 11:32:08AM -0600, anoop aryal wrote:
> if it's *from* the LAN *to* the internet, shouldn't it be:
[..]

Oops...I misread that.  Yeah, he's probably missing the SNAT or
MASQUERADE target if he's trying to get *out* to the Internet. If I
had read the OP properly the first time, my reply would have been quite
different.

Assuming the OP wanted to forward ports from the *outside* to the
*inside*, something like this would work.

$IPT -t nat -A PREROUTING -p tcp -i $external_iface \
 -d $external_ip --dport 80 --sport 1024:65535 -j DNAT \
 --to $webserver:80
$IPT -A FORWARD -p tcp -i $external_iface -o $internal_iface \
 -d $webserver --dport 80 --sport 1024:65535 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

...but even with the port forwarding you'd still need to do as anoop
suggested.

# Uncomment the following line if your external IP address is dynamic
# $IPT -t nat -A POSTROUTING -o $external_iface -j MASQUERADE
# Uncomment the following line if your external IP address is static
# $IPT -t nat -A POSTROUTING -o $external_iface -j SNAT --to-source $external_ip

Attachment: signature.asc
Description: Digital signature
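
Added example (not part of the original message): a check, run over iptables-save output, that every DNAT port forward of the kind shown above has a FORWARD ACCEPT rule for the same internal address and port. The sample ruleset, its addresses and interface names, and the function names are constructed for illustration; only exact -d/--dport matches are recognised.

```shell
#!/bin/sh
# Added example: find DNAT port forwards with no matching FORWARD ACCEPT rule.

# Constructed sample in iptables-save format (addresses/interfaces are made up).
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.10/32 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save text on stdin and prints "ip:port" for every DNAT target
# that no FORWARD ACCEPT rule with the same -d and --dport lets through.
# Limitation: broader ACCEPT rules (no -d, port ranges, subnets) are not matched.
unmatched_dnat() {
    awk '
    # Value following option opt on the current line, or "" if absent.
    function optval(opt,    i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    /^\*/ { table = substr($1, 2) }   # table header: *nat, *filter, ...
    table == "nat" && $2 == "PREROUTING" && optval("-j") == "DNAT" {
        to = optval("--to-destination")
        # A target without a port keeps the original destination port.
        if (to !~ /:/) to = to ":" optval("--dport")
        dnat[to] = 1
    }
    table == "filter" && $2 == "FORWARD" && optval("-j") == "ACCEPT" {
        d = optval("-d"); sub(/\/32$/, "", d)
        p = optval("--dport")
        if (d != "" && p != "") allowed[d ":" p] = 1
    }
    END { for (t in dnat) if (!(t in allowed)) print t }
    ' | sort
}

sample_ruleset | unmatched_dnat   # on a live host: iptables-save | unmatched_dnat
```

With the constructed sample, the port 443 forward is reported because the FORWARD chain policy is DROP and only port 80 has an ACCEPT rule.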

