Mark; here is your ruleset, with my comments:

> $IPTABLES -P INPUT ACCEPT

With a default ACCEPT policy on INPUT, we can ignore any other rules in this chain unless they DROP or REJECT packets.

> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT

With a default ACCEPT policy on OUTPUT, we can ignore any other rules in this chain unless they DROP or REJECT packets.

> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP

We need FORWARDing rules to allow traffic.

> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
>
> $IPTABLES -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --syn -j DROP

These rules will prevent any TCP connection being made to the firewall except on port 80. Seems good. Anything not TCP will be allowed in by default.

> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG

Allow stuff from outside to inside, allow stuff from inside to outside, then LOG anything else (such as inside to inside..... :-) before default DROPping it. Therefore you need to add a rule:

$IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT

> $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.0.3:80

Don't need the above rule any more - just use the one below instead:

> $IPTABLES -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to 192.168.0.3

This will send any TCP port 80 requests coming in to the firewall's ext IP address, on to 192.168.0.3, no matter which way they came in to the firewall.

> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Hide outbound packets behind the ext IP of the firewall. You also need to add the SNAT rule for packets from your internal LAN to the internal webserver:

$IPTABLES -t nat -A POSTROUTING -o $INTIF -s 192.168.0.0/24 -j SNAT --to 192.168.0.1

So, add the FORWARD rule and the POSTROUTING SNAT rule, remove the first PREROUTING rule, and tell us what happens :-)

Antony.
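The following is an added illustration, not part of Antony's reply or Mark's ruleset. It is a small Python model of the netfilter path (PREROUTING DNAT, routing decision, FORWARD chain, POSTROUTING SNAT/MASQUERADE) for the rules discussed above, so the "hairpin" case can be traced: a LAN client connecting to the firewall's public address to reach the LAN web server. It uses 203.0.113.10 as a stand-in for a.b.c.d, assumes eth0 is $EXTIF and eth1 is $INTIF, and omits the redundant first PREROUTING rule; the INPUT/OUTPUT chains and connection tracking are not modelled. The two toggles correspond to the two rules Antony says to add.

```python
"""Toy model of the netfilter path for the ruleset in the thread (constructed
example; it never calls iptables). It shows why a LAN client -> public IP ->
LAN web server connection needs both the extra FORWARD rule and the SNAT rule."""
import ipaddress
from dataclasses import dataclass, replace

EXT_IP = "203.0.113.10"          # stand-in for a.b.c.d (assumption, TEST-NET-3)
INT_IP = "192.168.0.1"           # firewall's LAN address (from the SNAT rule)
LAN = ipaddress.ip_network("192.168.0.0/24")
WEB = "192.168.0.3"              # internal web server (from the DNAT rule)
EXTIF, INTIF = "eth0", "eth1"    # assumed values of $EXTIF / $INTIF


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_if: str = ""
    out_if: str = ""


def route(dst: str) -> str:
    """Routing decision after PREROUTING: LAN destinations leave via $INTIF."""
    return INTIF if ipaddress.ip_address(dst) in LAN else EXTIF


def prerouting(p: Pkt) -> Pkt:
    """-t nat PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to 192.168.0.3
    Matches regardless of the ingress interface, as Antony notes."""
    if p.proto == "tcp" and p.dst == EXT_IP and p.dport == 80:
        return replace(p, dst=WEB)
    return p


def forward(p: Pkt, hairpin_rule: bool) -> str:
    """FORWARD chain: ext<->int ACCEPT, optional int->int ACCEPT, else the
    '-j LOG' rule fires and the chain policy DROPs the packet."""
    if (p.in_if, p.out_if) in {(EXTIF, INTIF), (INTIF, EXTIF)}:
        return "ACCEPT"
    if hairpin_rule and (p.in_if, p.out_if) == (INTIF, INTIF):
        return "ACCEPT"   # $IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT
    return "DROP"


def postrouting(p: Pkt, snat_rule: bool) -> Pkt:
    """-o $EXTIF -j MASQUERADE, plus the optional
    -o $INTIF -s 192.168.0.0/24 -j SNAT --to 192.168.0.1"""
    if p.out_if == EXTIF:
        return replace(p, src=EXT_IP)
    if snat_rule and p.out_if == INTIF and ipaddress.ip_address(p.src) in LAN:
        return replace(p, src=INT_IP)
    return p


def traverse(p: Pkt, hairpin_rule: bool, snat_rule: bool):
    """Walk one packet through the forwarding path; returns (verdict, packet)."""
    p = prerouting(p)
    p = replace(p, out_if=route(p.dst))
    verdict = forward(p, hairpin_rule)
    if verdict != "ACCEPT":
        return verdict, p
    return verdict, postrouting(p, snat_rule)


def reply_returns_via_firewall(p: Pkt) -> bool:
    """The server answers to p.src. If that is another LAN host, the reply goes
    straight across the LAN with source 192.168.0.3, the firewall never un-NATs
    it, and the client (which connected to a.b.c.d) discards it. Replies to the
    firewall's own LAN address or to an outside address pass back through it."""
    return p.src == INT_IP or ipaddress.ip_address(p.src) not in LAN


if __name__ == "__main__":
    lan_client = Pkt("192.168.0.5", EXT_IP, 80, in_if=INTIF)
    for hairpin, snat in [(False, False), (True, False), (True, True)]:
        verdict, out = traverse(lan_client, hairpin, snat)
        ok = verdict == "ACCEPT" and reply_returns_via_firewall(out)
        print(f"hairpin_rule={hairpin} snat_rule={snat}: {verdict}, "
              f"src={out.src} dst={out.dst} -> {'works' if ok else 'broken'}")
```

Running it prints three lines: without the FORWARD rule the LAN client's packet is logged and dropped; with only the FORWARD rule it is delivered but the server's reply bypasses the firewall; with both rules the packet arrives from 192.168.0.1 and the reply comes back through the firewall, which is the outcome Antony's two additions are meant to produce.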
