Aloha, i want to have DNAT for several virtuel non private IP´s with SuSEfirewall2 to masquerade the services in my DMZ which has a private adress range. Something like iptables -A PREROUTING -t nat -p tcp -d 62.16.7.x --dport 80 -j DNAT --to 192.168.7.x:80 or iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth2:2 -j DNAT --to 192.168.7.x:80 in my "old" handmade script. I guess that point 14) FW_FORWAERD_MASQ will be a good place for this kind of rule. It works fine for only one extern device and creates a DNAT rule in the PREROUTING chain ;-} but only for the first extern device :-( I don´t know yet how to DNAT more than one extern IP or device. So does anybody know a way to put in the -d or -i option in the SuSEfirewall2 script or another way to have a DMZ in a private range and benefit from all the fine netfilter rules in the SuSEfirewall script at the same time :o? Best greetings HaDi Wolfertz