> > > > iptables -t nat -I POSTROUTING -p udp -s 192.168.0.1 --sport 53 -j
> > > > SNAT --to-source 200.200.200.1:53
> > > I don't know if dns traffic is always sent *from* 53/udp, but I do
> > > know it is always sent *to* 53/udp.
> > Not *always* :-) Sometimes it goes to 53/tcp...
> I think that the DNS traffic goes only on 53/tcp when transferring
> zones, and it uses the 53/udp for the queries.
>
> Also, if you use the BIND implementation of the DNS server, you
> can specify the source port, so the traffic can go from
> 53/udp to 53/udp

Of course you're right. Anyway, I interpret the original question as how to SNAT normal dns traffic because the rule he wrote was using the udp protocol for *source* port 53/udp, which doesn't have to match *all* dns traffic (if it does). That's why I mentioned that I don't know if dns traffic always comes *from* port 53/udp (here it doesn't; it uses some port above 1024), but I do know it's going *to* port 53/udp.

Rob
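An added illustration of the point made in this thread (not code posted by any of its participants): a POSIX sh script that emits SNAT rules keyed on the *destination* port 53 for both udp and tcp, and then checks a few constructed sample flows to show how many a `--sport 53` rule would catch compared with a `--dport 53` rule. It reuses the thread's addresses 192.168.0.1 and 200.200.200.1; `IPT` defaults to a dry run that only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not from the thread. Set IPT=iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"

# SNAT rules that catch DNS queries leaving the LAN host: match destination port 53
# for udp and tcp, because a resolver's query usually comes from an ephemeral
# source port above 1024, so "--sport 53" misses it.
dns_snat_rules() {
    lan_host="$1"; pub_ip="$2"
    for proto in udp tcp; do
        $IPT -t nat -I POSTROUTING -s "$lan_host" -p "$proto" --dport 53 \
            -j SNAT --to-source "$pub_ip"
    done
}

# Does a rule keyed on source port 53 ("sport") or destination port 53 ("dport")
# match one flow? Arguments: keying, proto, sport, dport. Like the rule quoted
# in the thread, only udp is considered.
rule_matches() {
    key="$1"; proto="$2"; sport="$3"; dport="$4"
    [ "$proto" = udp ] || return 1
    case "$key" in
        sport) [ "$sport" -eq 53 ] ;;
        dport) [ "$dport" -eq 53 ] ;;
        *) return 1 ;;
    esac
}

# Count how many of the constructed sample flows (proto sport dport) a keying
# matches. The last flow is a BIND-style server that sends queries from port 53.
count_matches() {
    key="$1"; n=0
    while read -r proto sport dport; do
        rule_matches "$key" "$proto" "$sport" "$dport" && n=$((n + 1))
    done <<EOF
udp 40123 53
udp 51877 53
tcp 40124 53
udp 53 53
EOF
    echo "$n"
}

dns_snat_rules 192.168.0.1 200.200.200.1
echo "flows matched by --sport 53: $(count_matches sport)"   # 1
echo "flows matched by --dport 53: $(count_matches dport)"   # 3
```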