Hi List,

I have a problem with our current firewall setup and the German ELSTER tax program:

I use SuSE 9.2 on our internet gateway. Right now, any direct traffic from the internal network to the internet is blocked by SuSE firewall, and I have squid and postfix running on the gateway to allow web and e-mail traffic.

As the elster program uses a proprietary protocol which cannot be fed through a proxy, I now have to open the ports 8000 to 8006, which are used by this program for connections from the internal network to the internet.

From what I found, this can be done with the iptables commands

    iptables -A FORWARD -i $INT -o $EXT -p TCP --dport 8000:8006 \
        -j ACCEPT

and

    iptables -A FORWARD -i $EXT -o $INT -m state \
        --state ESTABLISHED,RELATED -p TCP --sport 8000 -j ACCEPT

($INT and $EXT are the internal and external interfaces, respectively.)

So far, so good. But what I am missing now is the masquerading of the IP address of the computer on the internal network (it gets a dynamic IP from the private address range 192.168.x.y). In the firewall script I have disabled masquerading (FW_MASQUERADE="no") to prevent any packets going out without using the squid proxy.

Is there any way to open direct connections from the internal network _only_ for destination ports 8000 to 8006 without opening everything else (file-sharing networks etc.)? What iptables commands do I need for this purpose?

Is there any better way to get this wonderful piece of software to work?

Thank you for your help!

Jürgen
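One way to do what the post asks, as an added example that is not part of the original message: masquerade only TCP connections to destination ports 8000 to 8006 and refuse to emit any rule when the port range is malformed, so a typo cannot turn into unrestricted NAT. The interface names eth1/eth0, the LAN range 192.168.0.0/16 and the function names are assumptions; IP forwarding must already be enabled on the gateway.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names, LAN range and
# helper names are assumptions. Dry run by default: rules are only printed.

# Accept only "low:high" with 1 <= low <= high <= 65535, so a malformed
# value can never yield a rule that lacks a port restriction.
valid_range() {
    case "$1" in
        *[!0-9:]*|*:*:*|:*|*:|'') return 1 ;;   # junk, two colons, open end
        *:*) ;;                                  # exactly one colon: go on
        *) return 1 ;;                           # single port: not a range
    esac
    lo=${1%:*}; hi=${1#*:}
    [ "$lo" -ge 1 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}

# Print the rule set.
# $1 = internal interface, $2 = external interface,
# $3 = internal network,   $4 = destination port range
elster_rules() {
    valid_range "$4" || { echo "refusing: bad port range '$4'" >&2; return 1; }
    # Outbound: new and established connections from the LAN to the ports.
    echo "iptables -A FORWARD -i $1 -o $2 -s $3 -p tcp --dport $4 -m state --state NEW,ESTABLISHED -j ACCEPT"
    # Inbound: only replies that belong to those connections.
    echo "iptables -A FORWARD -i $2 -o $1 -d $3 -p tcp --sport $4 -m state --state ESTABLISHED -j ACCEPT"
    # NAT: rewrite the private source address for this traffic only.
    # Everything else stays un-masqueraded and still has to use the proxy.
    echo "iptables -t nat -A POSTROUTING -o $2 -s $3 -p tcp --dport $4 -j MASQUERADE"
}

# Print the rules, or execute them when APPLY=1 (needs root).
apply_rules() {
    rules=$(elster_rules "$@") || return 1
    echo "$rules" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            $rule
        else
            echo "would run: $rule"
        fi
    done
}

apply_rules eth1 eth0 192.168.0.0/16 8000:8006
```

The `--dport` match on the POSTROUTING rule is what keeps masquerading from applying to any other outbound traffic.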