Here is the code that I am using, modified from http://people.unix-fu.org/andreasson/iptables-tutorial/scripts/rc.firewa ll.txt
Internal connect fine to INET_IP :80, externals do not. However will connect fine if LAN_HTTP_IP is 10.0.0.2, and will not connect on any other IP address. Nicholas Irving [EMAIL PROTECTED] #!/bin/sh INET_IP="xxx.xxx.xxx.xxx" INET_IFACE="eth1" LAN_IP="10.0.0.1" LAN_HTTP_IP="10.0.0.3" LAN_IP_RANGE="10.0.0.0/24" LAN_BCAST_ADRESS="10.0.255.255" LAN_IFACE="eth0" LO_IFACE="lo" LO_IP="127.0.0.1" IPTABLES="/sbin/iptables" /sbin/depmod -a /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc echo "1" > /proc/sys/net/ipv4/ip_forward #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP $IPTABLES -N bad_tcp_packets $IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # Changed rules totally $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # nondocumented commenting out of these rules #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT $IPTABLES -A INPUT -p tcp -j bad_tcp_packets $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets #Nick Added this $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT #$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \ -j ACCEPT $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT INPUT packet died: " $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #Nick Added this $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE -d $LAN_HTTP_IP --dport 80 -j LOG --log-prefix "HTTP FORWARD " $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE -d $LAN_HTTP_IP --dport 80 -j ACCEPT $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " #Nick Added Here $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 80 -j LOG --log-prefix "Pre ROUTING: " $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 80 -j DNAT --to-destination $LAN_HTTP_IP $IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $INET_IP --dport 80 -j DNAT --to-destination $LAN_HTTP_IP $IPTABLES -t nat -A POSTROUTING -p tcp --dport 80 -s $LAN_IP_RANGE -d $LAN_HTTP_IP -j SNAT --to-source $LAN_IP $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
