Hi, I've got a small problem that I'm trying to clarify: we currently have access to a small satellite range of IP addresses that are routed via the satellite for incoming data only (outgoing packets must leave via conventional means). This basically yields an asymmetric route that leaves via ISDN and comes back in via satellite.

My problem is this: we have an internal office network, a DMZ (with a machine that has the satellite card) and a DSL connection (as well as the ISDN connection), thus (bad ASCII art warning alert):

    | SAT |  internet (incoming)                adsl-internet
    \-----/                                     internet (outgoing)
       |                                              |
       |                                             ppp0
    -------                                       ---------
    |linux|                                       | linux |
    | sat | ------------ eth1 --------------------| isdn r|
    -------          |                            | ADSL  |
                     |                            ---------
                DMZ network                           |
                                                     eth0
    -------------------------------------------------------
                              |
                       internal office

Basically, what I'm looking at achieving is

    $IPT -t nat -A POSTROUTING -o $ETH_EXT --src $NET_INT --dst $NET_EXT -j SNAT --to-source $IP_SNAT_SAT

where $NET_INT is the IP address range in the internal office, $NET_EXT is 0/0 (effectively), $ETH_EXT is the ADSL interface (ppp0 in this case), and $IP_SNAT_SAT is an IP address that gets routed IN through the satellite and sent to eth1, connected to the DMZ. The SNAT is being done by the Linux ADSL machine, running a 2.4.18 kernel with netfilter.

When I try to do this, it appears that the Linux netfilter box NATs the packet properly when going out ppp0, but doesn't recognise the packet as part of an existing connection when it comes back in via eth1. The NAT box definitely should be seeing packets going both ways (it's the only route into the internal network), and I can ssh TO the Linux ADSL router using its assigned satellite address without any problems, so I know the ADSL network is forwarding the satellite-sourced packets. If I SNAT it with an IP address that goes both ways over the ADSL link (still an IP on eth1, however), then it works fine.
Basically, I'm asking: is asymmetrical routing possible when NATting the internal network, or am I going to have to bite the bullet and use an extra machine to protect the internal network and provide NAT (which, as I'm well aware, is a better solution, but it's one extra machine for me to manage at this time)? If there's a modification I can make to my ruleset to make it work properly (or a sysctl to set; I've tried turning off spoofing protection, to no avail), I'll be reasonably happy.

Thanks,
Andrew Pilley
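The following is an added example and is not part of Andrew's post. It models the connection-tracking lookup that decides whether a returning packet belongs to the SNATed connection: each entry in /proc/net/ip_conntrack stores an ORIGINAL tuple and a REPLY tuple, and an incoming packet is matched against those tuples alone. The sample table lines are constructed in the 2.4-era layout, the addresses are RFC 5737 documentation addresses standing in for the office range ($NET_INT), the satellite address ($IP_SNAT_SAT) and remote hosts, and the helper names are my own. The point it makes explicit is that the inbound interface (ppp0 versus eth1) is not part of the tuple, so the lookup itself is indifferent to the asymmetric path; the function `expected_reply_tuple` produces the exact `src=... dport=...` fragment to grep for on the ADSL box while a session is open.

```python
"""Model of netfilter conntrack tuple matching for a SNATed connection.

Added example, not code from the original post.  Table lines and
addresses below are constructed (RFC 5737 ranges), not captured data.
"""
import re
from typing import Dict, NamedTuple, Tuple

# Constructed sample of /proc/net/ip_conntrack (2.4-style layout) as it
# should look on the ADSL box after an office host 192.0.2.10 opens ssh
# out through ppp0 with the source rewritten to the satellite address
# 203.0.113.50.  Second entry: a SYN still unanswered.  Third entry: an
# un-NATed UDP flow whose reply goes back to the original source.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40000 dport=22 src=198.51.100.7 dst=203.0.113.50 sport=22 dport=40000 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.0.2.11 dst=198.51.100.8 sport=40001 dport=80 [UNREPLIED] src=198.51.100.8 dst=203.0.113.50 sport=80 dport=40001 use=1
udp      17 29 src=192.0.2.12 dst=198.51.100.9 sport=53000 dport=53 src=198.51.100.9 dst=192.0.2.12 sport=53 dport=53000 use=1
"""

IP_SNAT_SAT = "203.0.113.50"  # assumed stand-in for the satellite-routed SNAT address


class Tuple5(NamedTuple):
    """The 5-tuple conntrack keys on.  Note: no interface field."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text: str) -> Dict[Tuple5, Tuple[str, Tuple5]]:
    """Index every entry by both of its tuples.

    Maps tuple -> (direction, original_tuple), direction being
    "ORIGINAL" or "REPLY", the two directions conntrack keeps per entry.
    """
    table: Dict[Tuple5, Tuple[str, Tuple5]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        found = _TUPLE_RE.findall(line)
        if len(found) != 2:
            raise ValueError(f"unparseable conntrack line: {line!r}")
        (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = found
        orig = Tuple5(proto, osrc, int(osport), odst, int(odport))
        reply = Tuple5(proto, rsrc, int(rsport), rdst, int(rdport))
        table[orig] = ("ORIGINAL", orig)
        table[reply] = ("REPLY", orig)
    return table


def classify_packet(table, proto, src, sport, dst, dport, in_iface) -> str:
    """Return "ORIGINAL", "REPLY" or "NEW" for an arriving packet.

    in_iface is accepted only to make the point visible: the lookup
    never consults it, so a reply on eth1 matches exactly as one on ppp0.
    """
    hit = table.get(Tuple5(proto, src, sport, dst, dport))
    return hit[0] if hit else "NEW"


def expected_reply_tuple(orig: Tuple5, snat_ip: str) -> Tuple5:
    """Reply tuple SNAT should have recorded for an outbound original tuple:
    the remote end answers to the SNAT address, not the office address."""
    return Tuple5(orig.proto, orig.dst, orig.dport, snat_ip, orig.sport)


def grep_pattern(t: Tuple5) -> str:
    """Fragment to grep for in /proc/net/ip_conntrack."""
    return f"src={t.src} dst={t.dst} sport={t.sport} dport={t.dport}"


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    # The ssh reply, arriving via satellite -> DMZ -> eth1:
    print(classify_packet(table, "tcp", "198.51.100.7", 22, IP_SNAT_SAT, 40000, "eth1"))
    # The same reply addressed to the un-NATed office address would not match:
    print(classify_packet(table, "tcp", "198.51.100.7", 22, "192.0.2.10", 40000, "eth1"))
    orig = Tuple5("tcp", "192.0.2.10", 40000, "198.51.100.7", 22)
    print("grep for:", grep_pattern(expected_reply_tuple(orig, IP_SNAT_SAT)))
```

Usage: with a session open from an office host, run `grep` on the ADSL box's /proc/net/ip_conntrack for the fragment `grep_pattern` prints. If the entry is present with the satellite address in its reply tuple, the table side is fine and the returning packet's source/destination/ports should be compared against it byte for byte (a change in either address on the way through the DMZ, for instance, would make it "NEW"); if the entry is absent or carries the office address instead of $IP_SNAT_SAT, the SNAT mapping was never recorded for that flow.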