Linux - Security (LinuxQuestions.org forum): all security-related questions, tips, system compromises, firewalls, etc.
05-25-2005, 11:38 AM  #1  Member (Registered: Aug 2004, Posts: 31)
IPTables - Multiple Public IP's to private IP's
I have an OLD ipchains server that is on its last leg, and I'm not sure that it will come back if I shut it down.
So, to counter attack bad luck, I have built a new firewall that seems to be doing what I need it to do. The only problem is, I do not know how to forward multiple public IPs to my private IPs.
I have 5 IPs that I need to map to servers that have multiple roles (mail, DBs, websites, application hosting, PCA, etc...) and I cannot find anything in the forum dealing with more than 1 IP address.
Please - if you have any clues on doing this, drop me a hint. I would very much appreciate it.
05-25-2005, 11:12 PM  #2  Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Depending on what you're trying to do, you can just DNAT each external IP to the corresponding internal IP. So you'd just set up individual DNAT rules that rewrite the destination address to the internal one for each mapping pair. So if the mapping were like this:
1.1.1.1 -> 10.0.0.1 (port X)
2.2.2.2 -> 10.0.0.2 (port Y)
Then the iptables rules would be like:
iptables -t nat -A PREROUTING -i <external_interface> -d 1.1.1.1 -j DNAT --to-destination 10.0.0.1
iptables -t nat -A PREROUTING -i <external_interface> -d 2.2.2.2 -j DNAT --to-destination 10.0.0.2
Then forward the required ports through:
iptables -A FORWARD -d 10.0.0.1 -p tcp --dport X -j ACCEPT
iptables -A FORWARD -d 10.0.0.2 -p tcp --dport Y -j ACCEPT
So it's basically the same thing you'd do with one external -> internal mapping, just repeated for each pair.
05-26-2005, 10:44 AM  #3  Member, Original Poster (Registered: Aug 2004, Posts: 31)
OK, I have input this on my test system and will launch it live here in a couple of minutes. I will report back the results. Thanks for all yer help, capn.
05-26-2005, 02:44 PM  #4  Member, Original Poster (Registered: Aug 2004, Posts: 31)
I took your advice and ran those configs; however, I have made a mistake. I stated ETH1 versus ETH0. How do I remove that from my config so that I can start over?
Also, when I telnet into the server, it is as though I have no path statement. Each time I type in iptables, or service commands, it tells me:
bash: iptables: command not found
Do you know a way to fix a path issue like that?
05-26-2005, 04:37 PM  #5  Member, Original Poster (Registered: Aug 2004, Posts: 31)
Will I need to configure a range of IP aliases?
05-26-2005, 08:25 PM  #6  Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Quote: Originally posted by matneyc
I took your advice and ran those configs; however, I have made a mistake. I stated ETH1 versus ETH0. How do I remove that from my config so that I can start over?
You can remove rules using -D, so if you added:
iptables -t nat -A PREROUTING ...blah...
just do:
iptables -t nat -D PREROUTING ...blah...
You can also delete by number like iptables -D <chain> 1, but you need to check the output of iptables -L --line-numbers to confirm what number the bad rule is.
Quote: Originally posted by matneyc
When I telnet into the server, it is as though I have no path statement. Each time I type in iptables, or service commands, it tells me:
bash: iptables: command not found
Do you know a way to fix a path issue like that?
Make sure you're root when you run the command. If it still doesn't work, try doing 'locate iptables' or 'find / -name iptables' (this is a bit more noisy). It should normally be in /sbin or /usr/sbin.
Last edited by Capt_Caveman; 05-26-2005 at 08:28 PM.
05-26-2005, 08:31 PM  #7  Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Quote: Originally posted by matneyc
Will I need to configure a range of IP aliases?
It actually won't matter, because iptables doesn't support virtual interfaces. However, just for clarity could you explain your network topology and what you are trying to accomplish in more detail.
05-27-2005, 09:45 AM  #8  Member, Original Poster (Registered: Aug 2004, Posts: 31)
My topology is as follows:
Internet-
|->T1 (Router from ISP)-
|->DMZ-
|->Firewall-
|->Network
I have a /28 public subnet and need to route several of those IP addresses over to servers inside the building. Of course, they are M$ servers and will be hacked about 3 seconds after I put public IPs on them, so I wanted to keep my current setup, as with IPChains.
In IPChains, it is set up as follows:
Server01 192.168.1.2 mapped to 66.67.68.150
Server02 192.168.1.3 mapped to 66.67.68.151
Server03 192.168.1.4 mapped to 66.67.68.152
Server04 192.168.1.5 mapped to 66.67.68.153
And the list goes on. I only keep the following ports mapped as well:
21 FTP
23 Telnet
25 SMTP
53 DNS
80 HTTP
443 HTTPS
110 POP3
3389 Remote Desktop
5561-5562 PCAnywhere
Everything else, I like to have dropped.
Now I have the configuration cleared and restarted with what I already knew to use for NATing, and then added the statements for your IPs and ports.
Further, I have created the virtual public IP range (which I will remove now) and still have no go on the test.
I am just trying everything that I can and testing as I go to get it up.
Does this help in understanding what we are attempting to repeat?
If M$ wasn't so sloppy, we wouldn't be in this mess, so this is what I am stuck with: protecting their Swiss cheese.
Thanks for everything...
Dan
05-27-2005, 01:23 PM  #9  Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Ok, so I would probably just create a bunch of aliases (virtual interfaces) for each of the public IPs so that you have general connectivity (though not necessary), then just write a DNAT rule for each mapping and forward the required ports to the LAN server. Just remember that iptables will treat each of the virtual interfaces as one interface, so eth0:1, eth0:2, and eth0:3 would all be just eth0 in your iptables rules (using aliases in the rules will cause an error). So your DNAT rules will look like:
iptables -t nat -A PREROUTING -i eth0 -d 65.66.67.150 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i eth0 -d 65.66.67.151 -j DNAT --to-destination 192.168.1.3
If you want to forward each of those ports to all of the internal servers, then your forwarding rules will be:
iptables -A FORWARD -p tcp -m multiport --dports 21,23,25,53,80,110,443,3389,5561,5562 -j ACCEPT
If you only want to forward certain ports to certain LAN servers, then just specify which ports and which internal IPs. For example say you only want port 80 and 443 going to 192.168.1.2 and ftp going to 192.168.1.3. Then your rules would be:
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -d 192.168.1.2 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -d 192.168.1.3 -j ACCEPT
Finally you'll need a rule to allow packets back out:
iptables -A FORWARD -i eth1 -j ACCEPT
(you can lock this down further depending on your needs)
Also make sure that you've turned on packet forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
If you're still having problems, post your iptables rules.
Last edited by Capt_Caveman; 05-27-2005 at 01:25 PM.
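As an added example that is not from the thread or any of its posters, the script below turns the advice of posts #2, #6 and #9 into one rule set built from a mapping table: a DNAT rule per public/private pair, a FORWARD rule limited to that server's ports, and the same spec with -D to remove a mapping that was entered wrongly. The public addresses, private addresses and port numbers are the thread's own; the eth0/eth1 interface names, the per-server port split, the DRY_RUN switch and the SNAT rules are assumptions. With DRY_RUN=1 (the default) it only prints the iptables commands, so it can be read and checked without root; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example (not from the thread): builds the 1:1 NAT rule set described
# in posts #2 and #9 from a small mapping table, and shows the -D removal
# from post #6. DRY_RUN=1 (the default) only prints the iptables commands;
# DRY_RUN=0 executes them, which needs root.
WAN_IF="${WAN_IF:-eth0}"     # assumption: public-facing interface (post #9 uses eth0)
LAN_IF="${LAN_IF:-eth1}"     # assumption: LAN-facing interface (post #9 uses eth1)
DRY_RUN="${DRY_RUN:-1}"

# Constructed mapping table: public IP, private IP, TCP ports that server
# should receive. Addresses follow the thread's examples; which ports go to
# which server is an assumption.
MAPPINGS='
66.67.68.150 192.168.1.2 25,80,443,110
66.67.68.151 192.168.1.3 21,80,443
66.67.68.152 192.168.1.4 3389,5561,5562
'

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run iptables "$@"; }

# Rules for one public<->private pair. $1 is A (add) or D (delete): repeating
# the same spec with -D instead of -A removes the rule, as post #6 says.
# Only the parent interface is named; an alias such as eth0:1 never appears
# in a rule, because iptables does not know aliases (post #9).
pair_rules() {
    act=$1; pub=$2; priv=$3; ports=$4
    # Inbound: rewrite the public destination to the LAN server, but only for
    # the listed ports, so nothing else is even translated.
    ipt -t nat "-$act" PREROUTING -i "$WAN_IF" -d "$pub" -p tcp \
        -m multiport --dports "$ports" -j DNAT --to-destination "$priv"
    # FORWARD sees the packet after DNAT, so it is filtered on the private address.
    ipt "-$act" FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$priv" -p tcp \
        -m multiport --dports "$ports" -m conntrack --ctstate NEW -j ACCEPT
    # Outbound: traffic from that server leaves with its own public address.
    ipt -t nat "-$act" POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
}

apply_ruleset() {
    run sysctl -w net.ipv4.ip_forward=1            # post #9: kernel forwarding on
    ipt -P FORWARD DROP                            # "everything else dropped"
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT   # post #9's "allow packets back out"
    printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        pair_rules A "$pub" "$priv" "$ports"
    done
}

# Undo one mapping without flushing the whole table (post #6's -D).
remove_mapping() { pair_rules D "$1" "$2" "$3"; }

apply_ruleset
```

Two choices differ from the thread's rules on purpose: the DNAT rule itself is restricted to the ports a server should get, so unlisted ports are never translated at all rather than relying only on FORWARD to drop them, and each server gets its own SNAT so its outbound traffic carries the matching public address instead of a shared MASQUERADE. The thread's "allow packets back out" rule is kept as the LAN-to-WAN ACCEPT, and the ESTABLISHED,RELATED rule lets replies to forwarded connections through without a per-port rule in the other direction.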
All times are GMT -5. The time now is 10:17 PM.