Hi, I have a linux system which is router between several subnets (each also a different segment), in total 3 different lans, 2 dmz, and 4 internet connections, my default FORWARD policy is DROP, here is a simplified example of my config with only two lan segments and internet connection: Allow forwarding between lans -A FORWARD -s lan1/mask -j ACCEPT -A FORWARD -d lan1/mask -j ACCEPT -A FORWARD -s lan2/mask -j ACCEPT -A FORWARD -d lan2/mask -j ACCEPT Are some of those redundant? Then I want to nat anything that is not to one of the local subnets (i.e. is going to internet), but the only way I can find to do that is to setup rules to avoid natting between subnets: -t nat -A POSTROUTING -s lan1/mask -d lan2/mask -j RETURN -t nat -A POSTROUTING -s lan2/mask -d lan1/mask -j RETURN And then a final rule to nat: -t nat -A POSTROUTING -s lan1/mask -j SNAT --to-source <lan.one.nat.ip> I used to have a rule like: -t nat -A POSTROUTING -s lan1/mask -o internet-eth -j MASQUERADE, and that worked because it only natted packets that were going to the internet, but now I am using Equal Cost MultiPath and when that doesn't work well with MASQUERADE, but it does work with SNAT, but with SNAT I cannot use a rule like that. Is there a better way to achieve what I desire? Thanks Andy JOSEDV001TAG _______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc