LinuxQuestions.org
Old 04-15-2008, 06:06 PM   #1
jasboy
LQ Newbie
 
Registered: May 2004
Posts: 24

Rep: Reputation: 15
Open certain ports across different subnet -- iptables


I wasn't sure if this went in Networking or Security...

I am running a ZoneCD server for a public wireless hotspot (publicip.net's forums are long gone) and set it up so the wireless clients could not access our internal network using this iptables command: "iptables -t nat -A NoCat_Capture -i eth1 -d 192.168.5.0/24 -j DROP". Our wireless network is 10.10.10.x and our internal is 192.168.5.x. We now want to implement wireless printing and I need 2 ports opened on 1 internal IP address for the wireless clients to connect to (say, 192.168.5.213 ports 30044 and 21326), but I still need the rest blocked. I'm pretty new to iptables and I'm not sure of the best way to do this with iptables.

Thanks.
 
Old 04-16-2008, 10:51 AM   #2
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
This is pretty straightforward: insert the rules accepting packets for your printer address/port combinations before the DROP rule; since iptables stops processing rules when it gets to one that tells it what to do, this will result in your print packets being accepted and everything else dropped.
 
Old 04-16-2008, 01:24 PM   #3
jasboy
LQ Newbie
 
Registered: May 2004
Posts: 24

Original Poster
Rep: Reputation: 15
Thanks for the reply. So would this be the proper iptables command: "iptables -t nat -I NoCat_Capture -i eth1 -d 192.168.5.213 --dport 30044 -j ACCEPT" in order to allow packets to 192.168.5.213 port 30044?

Thanks again.
 
Old 04-16-2008, 11:36 PM   #4
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
This is close, but the -t option is wrong. This rule goes in the (default) filter table, not the nat table. Come to think of it, your DROP rule ought to be there as well.

Normally, Private Networking addresses (10.x.x.x and 192.168.x.x are both in this category) are not permitted to travel on the public Internet, but since you have both of these under your control, you do not need to do NAT on any of these until they are about to go out on the public Internet.

It is not clear from your post whether you are doing NAT on the firewall machine, or if you have some other device (a router, perhaps) doing NAT for you. It might make a difference in how you write the rules, but in either case, you do not need to do DROPs in the NAT table.
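The rule set dkm999 describes, written out as an added example (this is not code from the thread or from ZoneCD): the printer ACCEPTs go before the broad DROP, everything sits in the default filter table rather than nat, and a tiny first-match-wins simulator shows what happens when the DROP is listed first instead. Two details worth checking against jasboy's proposed command: `--dport` is only valid together with `-p tcp` or `-p udp`, so a rule without `-p` is rejected by iptables, and `-I` inserts at the head of the chain (which is the right place relative to the DROP) whereas the script below uses `-A` and relies on listing order. Assumptions not stated in the thread: the printer ports are TCP, eth1 is the wireless interface, forwarded traffic crosses the FORWARD chain, and that chain's policy is ACCEPT.

```shell
#!/bin/sh
# Added example, not code from the thread. It builds the rule set dkm999 describes
# (printer ACCEPTs first, the broad DROP last, in the filter table) and simulates
# iptables' first-match-wins evaluation so the ordering effect is visible.
# Assumptions not stated in the thread: the printer ports are TCP, eth1 is the
# wireless interface, traffic crosses the FORWARD chain, and its policy is ACCEPT.

WIFI_IF=eth1
WIFI_NET=10.10.10.0/24

# One rule per line: <destination> <tcp-port-or-any> <verdict>, in evaluation order.
RULES='192.168.5.213 30044 ACCEPT
192.168.5.213 21326 ACCEPT
192.168.5.0/24 any DROP'

# Same rules with the DROP placed first: the printer rules are never reached.
RULES_WRONG='192.168.5.0/24 any DROP
192.168.5.213 30044 ACCEPT
192.168.5.213 21326 ACCEPT'

# in_dst <ip> <ip-or-/24-network>: does the address fall under the rule's destination?
in_dst() {
  case $2 in
    */24) [ "${1%.*}" = "${2%.*}" ] ;;   # compare the first three octets
    *)    [ "$1" = "$2" ] ;;
  esac
}

# verdict <rules> <dst-ip> <dst-port>: walk the rules top to bottom and return the
# first matching verdict, exactly as an iptables chain does; fall back to the
# assumed chain policy (ACCEPT) when nothing matches.
verdict() {
  r=$(printf '%s\n' "$1" | while read -r dst port action; do
        if in_dst "$2" "$dst" && { [ "$port" = any ] || [ "$port" = "$3" ]; }; then
          echo "$action"
          break
        fi
      done)
  echo "${r:-ACCEPT}"
}

# emit_rules <rules>: print the iptables commands for the table, in the same order.
# -A appends, so listing order is evaluation order; -t filter is the default, so
# there is no -t nat. --dport only works together with -p tcp (or -p udp), which
# is why the port rules carry -p tcp and the catch-all DROP does not.
emit_rules() {
  printf '%s\n' "$1" | while read -r dst port action; do
    if [ "$port" = any ]; then
      echo "iptables -A FORWARD -i $WIFI_IF -s $WIFI_NET -d $dst -j $action"
    else
      echo "iptables -A FORWARD -i $WIFI_IF -s $WIFI_NET -d $dst -p tcp --dport $port -j $action"
    fi
  done
}

# Demonstration: the commands to load, then a few constructed packets through
# both orderings (printer port, non-printer port on the printer, printer port on
# another internal host).
emit_rules "$RULES"
for pkt in "192.168.5.213 30044" "192.168.5.213 22" "192.168.5.10 30044"; do
  set -- $pkt
  echo "to $1:$2  correct order -> $(verdict "$RULES" "$1" "$2")  DROP first -> $(verdict "$RULES_WRONG" "$1" "$2")"
done
```

Running it prints the three `iptables -A FORWARD ...` lines and then, for each sample packet, the verdict under both orderings: with the DROP last, only 192.168.5.213:30044 and :21326 are accepted and everything else in 192.168.5.0/24 is dropped; with the DROP first, the printer traffic is dropped too, which is the failure dkm999's reply is warning about. If the existing DROP really lives in the nat table's NoCat_Capture chain, `iptables -t nat -L NoCat_Capture -n --line-numbers` and `iptables -L FORWARD -n --line-numbers` show the current order of each chain before anything is moved.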
 
All times are GMT -5. The time now is 02:22 AM.