> 2. You ACCEPT the packets on your input chain first (meaning they go to
> the local box, and are routed per the routing table) and THEN you do
> DNAT. By the time you reach DNAT, all the port 80 bound packets have
> already been ACCEPTed by the INPUT chain. Put the DNAT rules first
> (remember the ASCII art flow chart? prerouting, then input).
Not true. DNAT is done in PREROUTING, which comes before INPUT. You need to review that ASCII chart you mentioned. THEN, if the DNATted packet says go to an IP owned by the firewall, the connection has to pass through the INPUT chain. Otherwise, it'll go through the FORWARD chain, and it will have to pass _those_ filters - that's where you have to open port 80 for the DNAT to work properly.

-EtherMage

OT PS: PLEASE, PLEASE, use a spell checker or at least look over your post for typos before sending; it makes things so much easier to read.
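The ordering EtherMage describes, written out as the iptables rules it implies. This is an added example and not part of either post: the interface names (eth0 outside, eth1 inside), the server address 192.168.1.10 and the use of the conntrack match are assumptions, and the script only prints the rules so it can be read and checked without root; pipe its output to sh to install them.

```sh
#!/bin/sh
# Added example, not from the thread. Packet path in netfilter:
#   nat/PREROUTING (DNAT happens here) -> routing decision ->
#     filter/INPUT   if the post-DNAT destination is the firewall itself
#     filter/FORWARD if it is another host, e.g. the DNAT target on the LAN
# So the accept rule for DNATted web traffic belongs in FORWARD, not INPUT;
# by the time either chain runs, the destination has already been rewritten.

# Print the rules that forward TCP $2 arriving on $1 to $4:$5 behind $3.
# Assumed topology: eth0 = Internet side, eth1 = LAN side, 192.168.1.10 = server.
port_forward_rules() {
    wan_if=$1; ext_port=$2; lan_if=$3; dst_ip=$4; dst_port=$5
    # Forwarding between interfaces must be enabled or FORWARD is never reached.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 1. Rewrite the destination before the routing decision (nat/PREROUTING).
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $ext_port -j DNAT --to-destination $dst_ip:$dst_port"
    # 2. The rewritten packet routes to $dst_ip, so it traverses filter/FORWARD.
    #    Match on the post-DNAT address and port: FORWARD never sees the original.
    echo "iptables -A FORWARD -i $wan_if -o $lan_if -p tcp -d $dst_ip --dport $dst_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. Let the server's replies back out; conntrack undoes the DNAT on return.
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -p tcp -s $dst_ip --sport $dst_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# The mistake discussed in the thread: opening the port in INPUT instead.
# After DNAT the packet's destination is the LAN server, not the firewall,
# so it never enters INPUT and this rule never matches the forwarded flow.
wrong_rule() {
    echo "iptables -A INPUT -p tcp --dport $1 -j ACCEPT   # no effect on the DNATted flow"
}

main() {
    echo "# correct: DNAT in PREROUTING, accept in FORWARD"
    port_forward_rules eth0 80 eth1 192.168.1.10 80
    echo "# wrong: accept in INPUT, which the forwarded packets never reach"
    wrong_rule 80
}

if [ "${1:-}" = "--demo" ]; then
    main
fi
```

Run it with `--demo` to see both rule sets side by side; to apply the correct one on a real box, run `port_forward_rules eth0 80 eth1 192.168.1.10 80 | sh` as root, after replacing the assumed interfaces and address with your own.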
