The way I'd do it is to change the first rule below so that the destination IP is the external IP on your firewall. I think you know that you can't route traffic from the greater Internet to a non-routable address like 192.168.1.1 so accepting traffic for that address on your firewall is useless; it should never happen (barring spoofing or something like that).

You may also need to make sure your forward (and output) rules allow traffic to the web server.

Finally, if you don't already have it, you'll also need a port forward command (ipmasqadm portfw) to forward traffic from port 80 on the external I/F of the firewall to port 80 on the internal web server.

Hope that helps,
Eric

On Wed, Jun 06, 2001 at 01:06:57AM -0500, Phil Mendelsohn wrote:
> Can someone take a quick peek and tell me why I'm not getting through the
> firewall from the outside? Here is the ipchain. I just want to forward
> port 80 (www) requests to an internal host.
>
>
> Chain forward (policy DENY):
> target prot opt source destination ports
> ACCEPT tcp ------ 0.0.0.0/0 192.168.1.1 80 -> 80
> MASQ all ------ 192.168.1.0/24 0.0.0.0/0 n/a
>
> When I try to lynx in from the U (to http://rephil.org or
> http://www.rephil.org) it tells me it cannot connect to host, but nslookup
> or dig both give the right spots for it, and I can ssh into the firewall
> from there. Hrm.
>
> TIA,
>
> Phil
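The point about the first rule, as an added example that is not part of the original thread: a small Python check over the quoted `forward` chain rows that flags ACCEPT rules open to any source but aimed only at an RFC 1918 destination. The function names are hypothetical, and the listing is copied from the quoted message.

```python
import ipaddress

# Rows copied from the quoted listing, header line included
# (columns: target prot opt source destination ports).
LISTING = """\
target prot opt source destination ports
ACCEPT tcp ------ 0.0.0.0/0 192.168.1.1 80 -> 80
MASQ all ------ 192.168.1.0/24 0.0.0.0/0 n/a
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rules(text):
    """Turn listing rows into dicts; rows without parsable addresses are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank line or "Chain ..." banner
        try:
            source = ipaddress.ip_network(fields[3], strict=False)
            dest = ipaddress.ip_network(fields[4], strict=False)
        except ValueError:
            continue  # column header row
        rules.append({"target": fields[0], "prot": fields[1],
                      "source": source, "destination": dest,
                      "ports": " ".join(fields[5:])})
    return rules


def unreachable_accepts(rules):
    """ACCEPT rules matching any source but only a private destination."""
    return [r for r in rules
            if r["target"] == "ACCEPT" and r["source"] == ANY
            and any(r["destination"].subnet_of(n) for n in RFC1918)]


if __name__ == "__main__":
    for rule in unreachable_accepts(parse_rules(LISTING)):
        print("destination not routable from the Internet:",
              rule["prot"], rule["destination"], rule["ports"])
```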