Ok, apologies for self stupidity are owed. I fell prey to the biggest blunder of them all: "The Obvious Mistake(tm)".

    DSL connection
          |
    dsl router (routeable ip)
          |
    linux box (private ip)
          |
    internal network (more private ip's)

The dsl IP is the one I was attempting to route, but by the time the packet got to the linux box from the router, the routeable ip was already mangled to be the linux box ip. So as soon as I put the linux box ip into the rule, it worked great and just fine.

Only problem is that since it goes through double mangling, by the time it gets sent back out to the router the dsl router doesn't know where it's supposed to go and loses the connection.

So either way, I'm screwed since I've only got one IP. I need a larger block in order for this to work right. Masquerading just won't cut it.

Sorry for the headaches everyone.

Tib