I'd be tempted just to use something like Shorewall... it makes this stuff a whole pile easier unless you're doing something particularly clever. It's available in most distros, and the docs are good.

http://www.shorewall.net/

Rob :)