Hi list members,

I have a firewall problem I have given up on. I hope there's someone out there who can help me and explain what's wrong.

First of all, our network looks like this:

    Internet
       |
       |
    Firewall (eth0) NAT for LAN
       |
       |-- DMZ (eth1)
       |     |
       |     |-- HostInDMZ (IP_DMZHOST)
       |
       |-- LAN (eth2)
             |
             |-- HostInLAN (IP_LAN)

Firewall is SuSE 7.3, kernel 2.4.16, iptables 1.2.2.60. HostInLAN is W2K Server, IIS 5.

What I try to do is to port forward all requests on host IP_DMZHOST port PORTFW to host IP_LAN port 80, meaning forward all requests on a special port to the internal IIS. Pretty simple and done a thousand times, I guess. I already do the same for forwarding requests on another port to ssh on another host. But when setting up port forwarding like given below with PORTFW anything other than 80, nothing works. All other necessary rules are in place too, e.g. allow any access from any host/port to IP_DMZHOST:PORTFW etc.

    iptables -A PREROUTING -t nat -p tcp -s 0.0.0.0/0 -d IP_DMZHOST --dport PORTFW -j DNAT --to-destination IP_LAN:80

Any special feature of IIS? I don't see any reason why port forwarding from port != 80 is different to port = 80.

Of course this works for pure Internet connections only, like CallByCall provides. Due to general NAT of all LAN traffic this doesn't work for "firewalled" or "proxied" connections. Therefore I put the following rule in place, which should SNAT the specific traffic coming from IIS:

    iptables -I POSTROUTING -t nat -s IP_LAN -d ! 10.0.0.0/8 -j SNAT --to-source IP_DMZHOST

I need the "-d ! 10.0.0.0/8" option because of our IPSec VPN. But after applying this rule nothing works.

In my opinion there must be a general "design" mistake I have made. But I don't know which.

Thx, Oliver
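As an added illustration that is not part of Oliver's post, here is a small Python model of how the nat table and connection tracking treat the two rules above in this topology: DNAT and SNAT only touch the first packet of a connection, replies are un-translated from the conntrack entry, and the filter FORWARD chain sees the already-DNATed destination (IP_LAN:80, not IP_DMZHOST:PORTFW). The addresses and port are constructed placeholders for IP_DMZHOST, IP_LAN and PORTFW, and forward_allows() stands in for the FORWARD-chain rules the post says are in place.

```python
import ipaddress

# Constructed placeholders for the post's IP_DMZHOST, IP_LAN and PORTFW.
IP_DMZHOST = "192.0.2.10"   # address on the DMZ host that the world connects to
IP_LAN = "10.0.1.20"        # internal IIS host
PORTFW = 8080               # exposed port, forwarded to IP_LAN:80
VPN_NET = "10.0.0.0/8"      # excluded from SNAT because of the IPSec VPN

def pkt(src, sport, dst, dport):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

def tup(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])

def reverse(t):
    return (t[2], t[3], t[0], t[1])

def dnat_prerouting(p):
    # iptables -A PREROUTING -t nat -p tcp -d IP_DMZHOST --dport PORTFW -j DNAT --to-destination IP_LAN:80
    if p["dst"] == IP_DMZHOST and p["dport"] == PORTFW:
        return dict(p, dst=IP_LAN, dport=80)
    return p

def snat_postrouting(p):
    # iptables -I POSTROUTING -t nat -s IP_LAN -d ! 10.0.0.0/8 -j SNAT --to-source IP_DMZHOST
    if p["src"] == IP_LAN and ipaddress.ip_address(p["dst"]) not in ipaddress.ip_network(VPN_NET):
        return dict(p, src=IP_DMZHOST)
    return p

def forward_allows(p):
    # Hypothetical FORWARD policy: new connections only to the IIS host on 80 (post-DNAT view)
    # or originating from the LAN host; replies are accepted via conntrack below.
    return (p["dst"] == IP_LAN and p["dport"] == 80) or p["src"] == IP_LAN

class Firewall:
    """Minimal model of the nat table plus conntrack: NAT is decided on the first packet only."""
    def __init__(self):
        self.conntrack = {}  # original 4-tuple -> translated 4-tuple

    def route(self, p):
        """Return the packet as it leaves the firewall, or None if the filter drops it."""
        t = tup(p)
        for orig, xlat in self.conntrack.items():
            if t == reverse(xlat):          # reply of a tracked connection: undo the NAT
                s, sp, d, dp = reverse(orig)
                return pkt(s, sp, d, dp)
        new = dnat_prerouting(p)            # PREROUTING runs before routing and FORWARD
        if not forward_allows(new):
            return None
        new = snat_postrouting(new)         # POSTROUTING runs after FORWARD
        self.conntrack[t] = tup(new)
        return new
```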