Forget the part about tcpdump, I rebooted the machine and the default route was reset to host2. It seems I was right. As you can see packets is output through eth2 with an internal ip even with the MASQUERADE rule... # tcpdump -i eth2 icmp listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes 01:25:50.114069 IP 10.22.2.4 > mutu.nuxit.net: ICMP echo request, id 247, seq 0, length 64 01:25:51.113813 IP 10.22.2.4 > mutu.nuxit.net: ICMP echo request, id 247, seq 1, length 64 but with host2 as default route it'ok : # tcpdump -i eth2 icmp listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes 01:54:12.666919 IP 8X.242.21.225 > janus-2-20.x-echo.com: ICMP echo request, id 250, seq 0, length 64 01:54:12.719119 IP janus-2-20.x-echo.com > 8X.242.21.225: ICMP echo reply, id 250, seq 0, length 64 01:54:13.666751 IP 8X.242.21.225 > janus-2-20.x-echo.com: ICMP echo request, id 250, seq 1, length 64 01:54:13.706618 IP janus-2-20.x-echo.com > 8X.242.21.225: ICMP echo reply, id 250, seq 1, length 64 This confirm that the packets didn't get through the NAT-POSTROUTING chain. So, why ? Thanks - Michel
