In researching a rather long reply directly to Louie Miranda on this (with no answers, just many debugging suggestions), I enabled full logging of all packets, with a DNAT from my firewall's external IP to a LAN IP, then telnetted to that IP from the firewall machine. iptables v1.2.5, RedHat 7.3 'stock' kernel.

The resulting logs surprised me. The initial packet followed this route through the firewall chains:

    mangle-OUTPUT
    nat-OUTPUT
    filter-OUTPUT
    mangle-POSTROUTING
    nat-POSTROUTING
    out on lo and back
    mangle-PREROUTING
    mangle-INPUT
    filter-INPUT

skipping nat-PREROUTING. Subsequent packets in the connection (successful telnet to myself :^) skipped ALL nat table rules.

Does netfilter normally skip NAT chains entirely when lo is involved? I would have expected at least the initial packet to hit every chain. (well, not FORWARD since the DNAT never took place...)

j
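The traversal order above was read off by hand from the kernel log. Below is an added example, not part of the original post, of doing the same reconstruction mechanically: a small Python parser that takes iptables LOG output, recognises each packet across chains, and reports which nat-table chains every successive packet of a connection touched. It assumes the logging convention the post implies, one LOG rule per chain with `--log-prefix "<table>-<chain>: "`, and uses the kernel's `ID=` (IP identification) field to tie the multiple log lines of one packet together. The log lines are constructed to mirror the post's observation (a telnet to the firewall's own address looping over lo, DNAT not applied) and are not real captures.

```python
import re
from collections import OrderedDict

# Constructed sample of iptables LOG output (not from the original post).
# Assumption: each chain has one LOG rule with --log-prefix "<table>-<chain>: ".
# Packet ID=1001 is the initial SYN, ID=1002 a later ACK on the same connection.
SAMPLE_LOG = """\
Jun 10 12:00:01 fw kernel: mangle-OUTPUT: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jun 10 12:00:01 fw kernel: nat-OUTPUT: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jun 10 12:00:01 fw kernel: filter-OUTPUT: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jun 10 12:00:01 fw kernel: mangle-POSTROUTING: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jun 10 12:00:01 fw kernel: nat-POSTROUTING: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jun 10 12:00:01 fw kernel: mangle-PREROUTING: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jun 10 12:00:01 fw kernel: mangle-INPUT: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jun 10 12:00:01 fw kernel: filter-INPUT: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jun 10 12:00:02 fw kernel: mangle-OUTPUT: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 ID=1002 DF PROTO=TCP SPT=40001 DPT=23 ACK URGP=0
Jun 10 12:00:02 fw kernel: filter-OUTPUT: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 ID=1002 DF PROTO=TCP SPT=40001 DPT=23 ACK URGP=0
Jun 10 12:00:02 fw kernel: mangle-POSTROUTING: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 ID=1002 DF PROTO=TCP SPT=40001 DPT=23 ACK URGP=0
Jun 10 12:00:02 fw kernel: mangle-PREROUTING: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 ID=1002 DF PROTO=TCP SPT=40001 DPT=23 ACK URGP=0
Jun 10 12:00:02 fw kernel: mangle-INPUT: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 ID=1002 DF PROTO=TCP SPT=40001 DPT=23 ACK URGP=0
Jun 10 12:00:02 fw kernel: filter-INPUT: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 ID=1002 DF PROTO=TCP SPT=40001 DPT=23 ACK URGP=0
"""

# "<table>-<chain>: " prefix followed by the kernel's KEY=VALUE fields.
LINE_RE = re.compile(r"kernel: (?P<chain>[a-z]+-[A-Z]+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (chain, fields, flags) for one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    # Bare tokens without '=' are flags: DF, SYN, ACK, ...
    flags = {tok for tok in rest.split() if "=" not in tok}
    return m.group("chain"), fields, flags


def trace_packets(log_text):
    """Group LOG lines per packet; value is the chain list in logging order."""
    packets = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        chain, f, flags = parsed
        key = (f.get("PROTO"), f.get("SRC"), f.get("SPT"),
               f.get("DST"), f.get("DPT"), f.get("ID"))
        entry = packets.setdefault(key, {"chains": [], "flags": flags})
        entry["chains"].append(chain)
    return packets


def by_connection(packets):
    """Regroup packets into connections using a direction-agnostic 5-tuple."""
    conns = OrderedDict()
    for (proto, src, spt, dst, dpt, _ipid), info in packets.items():
        conn = (proto, tuple(sorted([(src, spt), (dst, dpt)])))
        conns.setdefault(conn, []).append(info)
    return conns


def nat_chains_per_packet(log_text):
    """For each connection, the nat-table chains each successive packet hit."""
    result = {}
    for conn, pkts in by_connection(trace_packets(log_text)).items():
        result[conn] = [[c for c in p["chains"] if c.startswith("nat-")]
                        for p in pkts]
    return result


if __name__ == "__main__":
    for conn, nat_hits in nat_chains_per_packet(SAMPLE_LOG).items():
        print(conn)
        for i, hits in enumerate(nat_hits):
            print("  packet", i, "nat chains:", hits or "(none)")
```

Run against a real log (`grep kernel: /var/log/messages`, for instance) the output shows directly whether only the first packet of each connection touches the nat table; the IP ID heuristic can collide across long captures, so keep the window short when doing this on a busy box.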