Hi, I have configured my adsl modem in Linux as ppp0, I am using NAT in linux to connect lan to internet.. ok fine.

Now, I want a lan server-192.168.2.3:80(http) to expose to internet directly, Pls guide me how can i do it.

I am pasting my nat confiuration:
------------------
INTIF="eth0"
EXTIF="ppp0"
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo " Enabling Kernal IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Flushing ip router through: $EXTIF"
echo " External interface IP address is: $EXTIP"

echo " Loading Kernal server rules..."

# Clearing any existing rules and setting default policy
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F
/sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Put this in your nat file:

sorry dear above code didn't help me out, on checking open port it shows: port is showing but filtered

PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
29/tcp filtered msg-icp
67/tcp filtered dhcps
80/tcp open http

Pls. i help me guys..

Make sure that you set the "INTRANGE" variable to the correct network for your LAN; I just guessed based upon your web server IP. Also I allowed SSH and FTP into your firewall, I wanted you to see how to do multiple ports on one rule. Go ahead and remove (or add to) those those ports if you want. Oh yea, I simplified the command to get your EXTIP, you can do the whole thing with awk.

gr8 SiegeX,

But I would request you to give me scripts/lines so that I can edit in my already NAT file as pasted Above.

if your script, I run it will flush my preconfigured script, in which I customized access to lan n wan hosts.

Pls.

Your provided script had no such "customized access" rules therefore I did not provide them. My script is not written in stone, go ahead and add any extra rules you feel necessary.

Below is my customized nat script . pls tell whr I put your code to expose a host to internet,LAN: 192.168.2.3:80 to internet

INTIF="eth0"
EXTIF="ppp0"
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo " Enabling Kernal IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Flushing ip router through: $EXTIF"
echo " External interface IP address is: $EXTIP"

echo " Loading Kernal server rules..."

# Clearing any existing rules and setting default policy
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F
/sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp --dport 995 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp --dport 465 -j ACCEPT
/sbin/iptables -I FORWARD -m udp -p udp --dport 53 -j ACCEPT

/sbin/iptables -I FORWARD -m iprange --dst-range 209.85.201.189-209.85.201.190 -p tcp -j REJECT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:08:A1:68:CF:AF -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:13:CE:94:8A:B1 -j ACCEPT #
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:13:02:A4:6A:0C -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:0F:B0:88-5E:B5 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:133:FD:49:A2 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:0E:351:74:57 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:192:1C:16:71 -j ACCEPT #
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:0E:351:74:57 -j ACCEPT #
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:16:17D:99:21 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:1A:64:70:F2:12 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:13:02:32:76:52 -j ACCEPT
#/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:19:21:6E:5E:FA -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -s ! 192.168.123.4 -j DROP
#/sbin/iptables -A INPUT -s 192.168.123.43 -j DROP

/sbin/iptables -A FORWARD -s 192.168.123.55 -m iprange --dst-range 220.226.204.70-220.226.204.115 -p tcp --dport 80 -j ACCEPT/sbin/iptables -A FORWARD -s 192.168.123.55 -d 220.226.204.106 -p tcp --dport 443 -j ACCEPT

#/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.10-192.168.123.11 -p tcp -j DROP
/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.51-192.168.123.52 -p tcp -j DROP
#/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.75-192.168.123.99 -p tcp -j DROP
/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.100-192.168.123.107 -p tcp -j DROP
#/sbin/iptables -I FORWARD -m iprange --src-range 192.168.123.100-192.168.123.107 -p tcp -d 0/0 -j ACCEPT
/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.162-192.168.123.250 -p tcp -j DROP
/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.253-192.168.123.254 -p tcp -j DROP

/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE