There's a much simpler solution than using NAT or a firewall.. Run your khttpd on any port other than port 80. Those viruses are only looking for HTTP servers on port 80. There's a hijack option like khttpd_port or something. It's a tiny bit of a pain to add a port number to your URL's but it's worth it.