I don't have the script on hand at this moment. It is running at a client's site. However, I can give you some instructions on how to do this. It took some searching to figure out how to run NAT the way I wanted.
The first step is to bind the addresses needed to your public connection. Let's say that you have three addresses like this:
xxx.xxx.xxx.196
xxx.xxx.xxx.197
xxx.xxx.xxx.198
When you set up Linux you would most likely have used the first address as the address of the Linux system. Let's say that it is eth0 for this example. Therefore, when you ping xxx.xxx.xxx.196, eth0 responds back. To bind the other two addresses to eth0 you would use these commands:
ifconfig eth0:0 xxx.xxx.xxx.197 netmask 255.255.255.0 up
ifconfig eth0:1 xxx.xxx.xxx.198 netmask 255.255.255.0 up
Now you need to let the addresses through to the correct system on the private side. Let's say you wanted to assign the following addresses this way:
Your SMTP server needs to be attached to xxx.xxx.xxx.197
The private address of the SMTP server is 10.123.1.206
Your WWW server needs to be attached to xxx.xxx.xxx.198
The private address of the WWW server is 10.123.1.209
Let's also say that your private interface is eth0 and has the address of 10.123.1.1
First you would want to assign the NAT rules:
iptables -t nat -A PREROUTING -i eth0 -p tcp \
--sport 1024:65535 -d xxx.xxx.xxx.197 --dport 25 \
-j DNAT --to-destination 10.123.1.206
iptables -t nat -A PREROUTING -i eth0 -p tcp \
--sport 1024:65535 -d xxx.xxx.xxx.198 --dport 80 \
-j DNAT --to-destination 10.123.1.209
This is telling the system that when information is destined to xxx.xxx.xxx.197, the SMTP server (port 25), to send it to its private address, in this case 10.123.1.206. I hope you get the idea.
Since destination NAT is applied before the packet reaches the FORWARD chain, you need to put rules in your firewall to let them through.
iptables -A FORWARD -i eth0 -o eth1 -p tcp \
--sport 1024:65535 -d 10.123.1.206 --dport 25 \
-j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp \
--sport 1024:65535 -d 10.123.1.209 --dport 80 \
-j ACCEPT
That is all you need. The second part regarding forwarding is used when you have set your policies to drop, which you should be doing if you are running a firewall. You may also want to look at the -m state option. It may help you speed things up.
I am still learning. I am actually a reseller and have started to OEM Mandrake with some of my systems. I am still a newbie but find this site to be very valuable. If you have any other questions you can contact me via my e-mail at
mostcs@DigitalBoxExpress.com
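Here is the same setup written out as a complete script, added as an example to this thread; it is not the poster's script. It assumes eth0 is the public interface and eth1 the private one, uses the documentation addresses 203.0.113.197/198 in place of xxx.xxx.xxx.197/198, and replaces the source-port range in the posted rules with the connection-tracking state match the post suggests looking at (written as -m conntrack --ctstate, the current form of -m state --state). It also sets the FORWARD policy to DROP and turns on IP forwarding, which the posted rules need to work. By default it only prints the commands (DRY_RUN=1); run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumed layout:
#   eth0 = public interface, eth1 = private interface (10.123.1.1)
#   203.0.113.x = documentation addresses standing in for xxx.xxx.xxx.x
set -eu

PUB_IF=eth0
PRIV_IF=eth1
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only, 0 = execute (needs root)

# Constructed sample data: "public-address private-address tcp-port", one per line.
SERVICES="203.0.113.197 10.123.1.206 25
203.0.113.198 10.123.1.209 80"

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: bind the extra public addresses to the public interface
# (ip addr add is the current equivalent of the ifconfig eth0:N aliases).
bind_public_addresses() {
  printf '%s\n' "$SERVICES" | while read -r pub priv port; do
    run ip addr add "$pub/24" dev "$PUB_IF"
  done
}

# Step 2: the kernel must route between the interfaces for DNAT to work.
enable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
}

# Step 3: default-deny FORWARD, with replies to allowed connections let back
# through by connection tracking and malformed packets dropped.
base_policy() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
}

# Step 4: one DNAT rule plus one matching FORWARD rule per published service.
# The FORWARD rule matches the translated (private) destination, because
# PREROUTING DNAT has already rewritten it by the time FORWARD sees the packet.
dnat_rules() {
  printf '%s\n' "$SERVICES" | while read -r pub priv port; do
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -p tcp \
      -d "$pub" --dport "$port" -j DNAT --to-destination "$priv"
    run iptables -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -p tcp \
      -d "$priv" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
}

main() {
  bind_public_addresses
  enable_forwarding
  base_policy
  dnat_rules
}

main
```

Because only new connections matching a DNAT rule are accepted in FORWARD and everything else is dropped, a host on the public side can reach 10.123.1.206 on port 25 and 10.123.1.209 on port 80 but nothing else behind the firewall; the ESTABLISHED,RELATED rule is what lets the servers' replies back out.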