On Monday 11 November 2002 11:41 pm, alex wrote:
> On Sat, 2002-11-09 at 14:55, Simon Kowallik wrote:
> > Perhaps this helps to better understand the "flow":
> > http://offlineprovider.de/site/netfilter/netfilter.php
> >
> > Regards,
> > Simon
>
> If I'm understanding the diagram correctly that might explain my
> problems. Am I to understand that all packets on a NAT'ed connection
> never go through the FORWARD chain of filter?

No, that is not correct.

ALL packets which get routed through a netfilter box go through the FORWARD
filter chain.

Packets coming in to a netfilter box (and either terminating there, or going
through it to some other destination) go through the PREROUTING nat table.

Packets leaving a netfilter box (whether they came through it from somewhere
else, or originated on the box) go through the POSTROUTING nat table.

The only thing which normally catches people out is that reply packets which
are part of a NATted connection do not go through the rules in the nat tables -
they get "automagically reverse NATted" in the correct way to match the NAT of
the original packets (to which these are replies), which *was* done by a rule
in the tables.

Basically what I'm saying is that you only need to specify nat rules for the
first packet in a connection - you don't need to worry about writing your own
rule to nat the reply.

Hope this helps.

Antony.

--
I vote "no" to this proposal to form a committee to investigate whether we
should or should not hold a ballot on whether to vote yet.
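The rule set below is an added illustration of the flow Antony describes; it is not part of the original thread and not anything alex or Simon posted. It assumes a two-interface box (`eth0` public, `eth1` internal) and a constructed internal web server address `192.168.1.10`; all three are placeholders. The nat table gets exactly one DNAT and one MASQUERADE rule, each of which is consulted only for the first packet of a connection, while the filter table's FORWARD chain has to admit traffic in both directions, so the reply packets that conntrack reverse-translates are let through by a state match rather than by any extra nat rule.

```shell
#!/bin/sh
# Added example (not from the original thread). Interface names and the
# server address are constructed placeholders; override them via environment.
WAN=${WAN:-eth0}          # assumption: public-facing interface
LAN=${LAN:-eth1}          # assumption: internal interface
WEB=${WEB:-192.168.1.10}  # constructed: internal web server behind the box
IPT=${IPT:-iptables}      # set IPT=echo to preview without touching the kernel

nat_rules() {
    # nat table: only the FIRST packet of a new connection is matched here.
    # Replies are reverse-translated by conntrack; no rule is written for them.
    echo "$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB:80"
    echo "$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

filter_rules() {
    # filter table: EVERY routed packet, request and reply alike, traverses
    # FORWARD. The ESTABLISHED,RELATED match is what admits the reverse-NATted
    # replies; without it the default DROP policy would silently eat them.
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # LAN hosts may open new connections outward (they get MASQUERADEd on exit).
    echo "$IPT -A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT"
    # Inbound web traffic: PREROUTING nat already rewrote the destination, so
    # FORWARD sees the internal address, not the public one.
    echo "$IPT -A FORWARD -i $WAN -o $LAN -p tcp -d $WEB --dport 80 -m state --state NEW -j ACCEPT"
}

# Emit the complete rule set as shell commands, nat first, then filter.
rules() {
    nat_rules
    filter_rules
}

# Install the rule set (needs root and a kernel with netfilter).
apply_rules() {
    rules | sh -e
}

# Default action: just show the commands that would be run.
rules
```

Run the script as-is to see the commands; `IPT=echo ./script.sh` gives the same preview, and `apply_rules` is the only function that actually changes the kernel's tables. Note that the reply direction for both the inbound DNAT and the outbound MASQUERADE connections is covered by the single ESTABLISHED,RELATED rule, which is the practical consequence of the point made above.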