Just a final note to tell everyone that helped that this has finally been put to bed, and pass on what the deal was so that anyone else who is thinking of embarking on a port forwarding journey can avoid this pitfall.

This is *not* explicitly stated in the IPCHAINS-HOWTO, the ipchains manpage, the IP-Masquerade-HOWTO, or the ipmasqadm portfw manpage.

1: Set your input filter so the packets get through -- this sends them on to the forward rules.

2: Set the forward rules so that the packets in question are sent to the MASQ target -- i.e., in this case the rule was

    ipchains -A forward -p tcp -s 0/0 1024: -d <your IP here> 80 -j MASQ

3: This sends them to the portforwarder, and you use ipmasqadm (if you're not on 2.4 and iptables) as

    ipmasqadm portfw -a -P tcp -L <your IP> 80 -R <your internal IP> 80

4: Make sure your output filter will pass things through.

The trick is the -j MASQ in the forward section sends it to the forwarding rules. Also, note that it's -p tcp in ipchains and -P tcp in ipmasqadm.

So the thing that isn't well communicated is that forwarding and ipchains communicate with a gozinta and gozotta that is enabled by a selective switch using -j MASQ.

You guys are great, you gave me all the right pieces. Thanks.

--
"To misattribute a quote is unforgivable." --Anonymous
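
A lint check for the pitfall described in the message above, as an added example that is not part of the original post: it reads a saved rule script and reports any ipmasqadm portfw entry that has no forward rule ending in -j MASQ for the same address and port, and any swapped -p/-P. The function names, the sample rules and the addresses (203.0.113.10, 192.168.1.10) are constructed; it assumes one command per line, in the argument order the post uses, and matches address and port exactly.

```shell
#!/bin/sh
# Added example: lint a saved ipchains/ipmasqadm rule script.
# Assumption: one command per line, argument order as in the post
# (ipchains: -d ADDR PORT ... -j MASQ; ipmasqadm portfw: -L ADDR PORT).

lint_portfw() {   # usage: lint_portfw < rules-file; returns 1 if anything is reported
    awk '
    # The two words that follow option "opt" ("ADDR PORT"), or "" if absent.
    function after(opt,   i) {
        for (i = 1; i <= NF - 2; i++)
            if ($i == opt) return $(i + 1) " " $(i + 2)
        return ""
    }
    # True if word a is immediately followed by word b on this line.
    function has(a, b,   i) {
        for (i = 1; i < NF; i++) if ($i == a && $(i + 1) == b) return 1
        return 0
    }
    /^[ \t]*#/ { next }                      # skip comment lines
    $1 == "ipchains" {
        if (has("-P", "tcp")) { print "line " NR ": ipchains takes -p tcp"; bad = 1 }
        if (has("-A", "forward") && has("-j", "MASQ")) masq[after("-d")] = 1
    }
    $1 == "ipmasqadm" && $2 == "portfw" && after("-L") != "" {
        if (has("-p", "tcp")) { print "line " NR ": ipmasqadm portfw takes -P tcp"; bad = 1 }
        fwd[after("-L")] = NR                # remember each forwarded ADDR PORT
    }
    END {
        for (k in fwd) if (!(k in masq)) {
            print "line " fwd[k] ": portfw for " k " has no forward rule with -j MASQ"
            bad = 1
        }
        exit bad + 0
    }'
}

good_rules() {   # constructed sample: the two commands from the post, filled in
    cat <<'EOF'
# web server behind the masquerading box
ipchains -A forward -p tcp -s 0/0 1024: -d 203.0.113.10 80 -j MASQ
ipmasqadm portfw -a -P tcp -L 203.0.113.10 80 -R 192.168.1.10 80
EOF
}

bad_rules() {    # constructed sample: forward rule is not MASQ, and -p/-P is swapped
    cat <<'EOF'
ipchains -A forward -p tcp -s 0/0 1024: -d 203.0.113.10 80 -j ACCEPT
ipmasqadm portfw -a -p tcp -L 203.0.113.10 80 -R 192.168.1.10 80
EOF
}

good_rules | lint_portfw && echo "good_rules: no findings"
bad_rules | lint_portfw || echo "bad_rules: findings listed above"
```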