Hi,
On RHEL 5.5, I set up iptables rules for forwarding ports to some of my
virtual machines. For example:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3380 -j DNAT --to-destination 192.168.123.2:3389
iptables -I FORWARD -d 192.168.123.2 -i eth0 -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT

These worked fine, and I saved them with 'service iptables save'.
However, upon rebooting the server the forwarding no longer works. When
I inspect the configuration with 'iptables -L', I see that the rules
libvirt creates were inserted before the rules from
/etc/sysconfig/iptables. Since the rules from libvirt include one that
rejects any new connections, the data I want forwarded is dropped. For
example:

target  prot opt in      out     source             destination
ACCEPT  all  --  any     virbr1  anywhere           192.168.123.0/24   state RELATED,ESTABLISHED
ACCEPT  all  --  virbr1  any     192.168.123.0/24   anywhere
ACCEPT  all  --  virbr1  virbr1  anywhere           anywhere
REJECT  all  --  any     virbr1  anywhere           anywhere           reject-with icmp-port-unreachable
REJECT  all  --  virbr1  any     anywhere           anywhere           reject-with icmp-port-unreachable
ACCEPT  tcp  --  eth0    any     anywhere           192.168.123.2      tcp dpt:ms-wbt-server state NEW

How should I configure iptables so that my rules and libvirt's play
nicely? Basically I need my ACCEPTs to end up before libvirt's REJECTs.
I looked through the list archives and libvirt documentation but did not
see an answer to this question.
--
Brian Pitts
Systems Administrator | EuPathDB Bioinformatics Resource Center
706-542-1447 | bdp(a)uga.edu | http://eupathdb.org
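An added check for the ordering problem described in the post (example code, not from the post or from libvirt): given a FORWARD listing in the column layout shown above, it reports whether the ACCEPT for a forwarded guest address comes before the first REJECT that could match traffic leaving via the bridge. The function name forward_rule_reachable and the variable names are my own; the sample listing is constructed from the post's output.

```shell
#!/bin/sh
# Added example, not from the post: check whether the FORWARD chain lets a
# DNAT'd packet reach a guest before libvirt's catch-all REJECT sees it.
# Input is expected in the column layout the post shows:
#   target prot opt in out source destination [extra]
# ("iptables -L FORWARD -v" prints pkts/bytes first; drop those columns.)

# Constructed listing, copied from the post's post-reboot FORWARD chain.
SAMPLE_FORWARD='ACCEPT all -- any virbr1 anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
ACCEPT all -- virbr1 any 192.168.123.0/24 anywhere
ACCEPT all -- virbr1 virbr1 anywhere anywhere
REJECT all -- any virbr1 anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- virbr1 any anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- eth0 any anywhere 192.168.123.2 tcp dpt:ms-wbt-server state NEW'

# forward_rule_reachable LISTING DEST OUT_IF
# Exit 0: the first ACCEPT whose destination is DEST precedes every REJECT
#         that could match traffic leaving via OUT_IF toward DEST.
# Exit 1: such a REJECT comes first (the situation in the post).
# Exit 2: there is no ACCEPT for DEST at all.
forward_rule_reachable() {
    printf '%s\n' "$1" | awk -v dest="$2" -v oif="$3" '
        /^(Chain|target|pkts)/ { next }          # skip iptables header lines
        /^[[:space:]]*$/ { next }                # and blank lines
        { n++ }                                  # rule position in the chain
        $1 == "REJECT" && ($5 == oif || $5 == "any") &&
            ($7 == "anywhere" || $7 == dest) && !blocked { blocked = n }
        $1 == "ACCEPT" && $7 == dest && !accept { accept = n }
        END {
            if (!accept) { print "no ACCEPT for " dest; exit 2 }
            if (blocked && blocked < accept) {
                print "ACCEPT for " dest " is rule " accept " but a REJECT via " oif " is rule " blocked
                exit 1
            }
            print "ACCEPT for " dest " is rule " accept " and precedes any REJECT"
        }'
}

# Demonstration: the post's ordering fails; the same ACCEPT placed at the top
# of the chain (as "iptables -I FORWARD 1 ..." run after libvirt has started
# would leave it) passes.
forward_rule_reachable "$SAMPLE_FORWARD" 192.168.123.2 virbr1 || echo "exit $?"
FIXED_FORWARD="ACCEPT tcp -- eth0 any anywhere 192.168.123.2 tcp dpt:ms-wbt-server state NEW
$SAMPLE_FORWARD"
forward_rule_reachable "$FIXED_FORWARD" 192.168.123.2 virbr1
```

To check a live host, feed it the trimmed output of iptables -L FORWARD -v instead of the constructed listing; the REJECT rows to watch are the ones libvirt adds for the virbr interfaces.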