Sorry, I can't understand your English explanation.

When the packets come in off the Internet they hit the EXTernal DEVice, where the PREROUTING table converts the EXTernal DESTination address to the INTernal DEVice's DESTination server's IP address:

    EXTDEV=eth0
    DESTIP=203.x.x.x
    INTIP=192.168.0.1
    iptables -A PREROUTING -t nat -i $EXTDEV -d $DESTIP -p tcp --dport 80 -j DNAT --to $INTIP

It changes it at PREROUTING because the routing table won't know where 203.x.x.x is, but if it's changed before routing, then routing will know that 192.168.0.1 is inside on eth1 and will pass it through the FORWARD chain and out via eth1.

Having said that, going out is the same thing except it's POSTROUTING. So 192.168.0.1 responds to the packet, which goes into eth1, then passes through FORWARD and into POSTROUTING, which then says "hey, 192.168.0.1 can't go out onto the net like that" and translates it to the IP which matches the ip_conntrack table entry that the original packets wanted to reach, i.e. $DESTIP. This makes perfect sense.

If you can detail what your problem is a bit more, it'll help me to help you. ;) I hope the above didn't bore you either. ;))

-----Original Message-----
From: Tim Saunders [mailto:Tim.Saunders@xxxxxxxxxxxxxx]
Sent: Fri 23-May-03 5:49 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Cc:
Subject: RE: UnNATing return packets
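Added example (editor's note, not part of either mail in this thread): the complete rule set that the reply above describes but only partly spells out. The mail shows the PREROUTING DNAT rule on its own; a working port forward also needs IP forwarding switched on, FORWARD-chain rules that match the packet on its already-translated internal address, and an outbound SNAT/MASQUERADE rule for connections the LAN originates. No POSTROUTING rule is needed for the reply packets of the DNATed connection: conntrack un-NATs the source address back to $DESTIP from the entry it recorded when the first packet came in. Interface names, the 192.168.0.0/24 LAN and the public address 203.0.113.10 (a documentation-range placeholder standing in for the mail's 203.x.x.x) are assumptions; the script prints the commands by default and only applies them when invoked with "apply" as root.

```shell
#!/bin/sh
# Assumed topology (not from the original mail): eth0 faces the Internet,
# eth1 faces the LAN, 203.0.113.10 is the public address, 192.168.0.1 the web server.
EXTDEV=${EXTDEV:-eth0}
INTDEV=${INTDEV:-eth1}
DESTIP=${DESTIP:-203.0.113.10}
INTIP=${INTIP:-192.168.0.1}
LAN=${LAN:-192.168.0.0/24}
PORT=${PORT:-80}
IPT=${IPT:-iptables}

# Emit the rule set, one command per line, so it can be inspected before it is applied.
nat_rules() {
    # 1. Without forwarding the DNATed packet is routed towards eth1 and then dropped.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 2. nat/PREROUTING runs before the routing decision: the destination is rewritten
    #    to $INTIP, so the routing table picks $INTDEV for it. Conntrack records the
    #    original tuple (client -> $DESTIP:$PORT) alongside the translated one.
    echo "$IPT -t nat -A PREROUTING -i $EXTDEV -d $DESTIP -p tcp --dport $PORT -j DNAT --to-destination $INTIP"

    # 3. filter/FORWARD sees the packet AFTER DNAT, so it must match the internal
    #    address, not the public one. NEW lets the first packet of a connection in.
    echo "$IPT -A FORWARD -i $EXTDEV -o $INTDEV -d $INTIP -p tcp --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"

    # 4. The server's replies come in on $INTDEV with source $INTIP. They are matched
    #    by state only; the source address is put back to $DESTIP by conntrack in
    #    nat/POSTROUTING without any explicit rule (the "un-NAT" of the thread title).
    echo "$IPT -A FORWARD -i $INTDEV -o $EXTDEV -s $INTIP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # 5. Connections the LAN itself opens to the Internet are not covered by the
    #    DNAT entry, so they need their own SNAT; MASQUERADE uses $EXTDEV's address.
    echo "$IPT -t nat -A POSTROUTING -o $EXTDEV -s $LAN -j MASQUERADE"
}

# Dry run unless explicitly asked to apply (requires root and the iptables binary).
case "${1:-}" in
    apply) nat_rules | sh -e ;;
    *)     nat_rules ;;
esac
```

Run it without arguments to review the generated commands; run it with "apply" to execute them. Check the result with "conntrack -L" (or "cat /proc/net/ip_conntrack" on kernels of the mail's era): an entry for a forwarded connection lists the original tuple with dst=$DESTIP and the reply tuple with src=$INTIP, which is exactly the mapping POSTROUTING uses to rewrite the return packets.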