Ilustration:

Internet
|
eth2
Linux RH 8.0 (with 3 nic)
| \
| eth0 (192.168.0.1) <=> Win 2k (192.168.0.10) (Ftp server)
|
eth1(192.168.0.3) <=> Win 2k (192.168.0.11) (Http server)


Internet sharing is done with a iptable script
work fine

My problem(s):
-port forwarding:
im trying to forward all incoming calls on port 80 to port 80 on the httpserver and all 21 to ftp

i have tried this line (and similar)
)but i cant get it working

-lan between the two win2k is not working
i can see them in the workgroup but i cant connect. (no ping is possible ether)

Try the following in your script

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp -i eth2 --dport 80 -j DNAT --to-destination 192.168.0.10:80

iptables -A FORWARD -i eth2 -p tcp -d 192.168.0.10 --dport 80 -j ACCEPT

this is my firewall script:

# rc.firewall-2.4
FWVER=0.73

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

EXTIF="eth2"
INTIF="eth1"
INTIF2="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " Internal Interface: $INTIF2"

echo -en " loading modules: "

echo " - Verifying that all kernel modules are ok"
$DEPMOD -a

echo "---------------------------------------------------------------------"

echo -en "ip_tables, "
$INSMOD ip_tables

echo -en "ip_conntrack, "
$INSMOD ip_conntrack

echo -en "ip_conntrack_ftp, "
$INSMOD ip_conntrack_ftp

echo -en "ip_conntrack_irc, "
$INSMOD ip_conntrack_irc

echo -en "iptable_nat, "
$INSMOD iptable_nat

echo -en "ip_nat_ftp, "
$INSMOD ip_nat_ftp

#echo -e "ip_nat_irc"
#$INSMOD ip_nat_irc

echo "----------------------------------------------------------------------"
echo -e " Done loading modules.\n"

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


#Clearing any previous configuration
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -t nat -A PREROUTING -p tcp -i eth2 --dport 80 -j DNAT --to-destination 192.168.0.10:80
$IPTABLES -A FORWARD -i eth2 -p tcp -d 192.168.0.10 --dport 80 -j ACCEPT

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

eth0 & eth1 must be on different subnets otherwise the routing table won't know where to return the packets to. eg

eth0 = 192.168.0.1 netmask 255.255.255.0
ftp server = 192.168.0.10 netmask 255.255.255.0 gateway = 192.168.0.1
eth1 = 192.168.1.1 netmask 255.255.255.0
http server = 192.168.1.11 netmask 255.255.255.0 gateway = 192.168.1.1

Unless you have a special reason to keep the servers apart, put them on the same card. It will save having to make complicated dmz rules to stop them talking to each other.

I got it working... now port forwarding from outside is working but i cant make the server forward computers inside the lan to my httpserver ???

The conection between the two win2k computers were done by changing the lines
Routing tables now knows were to forward by adding lines with "route add" in both linux and the two win2k pc's