OK, well the 10.23.4.209 machine is coming from a network that's not the 10.0.0.0/24 because of the netmask, and it is routed to the 10.0.0.254 via the eth0 device. This tells me there are 2+ networks on eth0 somewhere.

The 10.23.4.209 would find the 10.0.0.1 machine quite fine with the DNAT rule, BUT machines that are on the 10.0.0.0/24 will NOT, because the machine actually doesn't exist unless they have a host route or the firewall uses the ip addr add command.. but the 10.23.x.x would work fine as is...

OK, did I get that clear now? If not, better draw something, as this seems too simple to solve yet so much confusion ;)

In the end, adding a second IP and still using the DNAT rule fixes all networks as far as I can see..

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698

-----Original Message-----
From: Shawn [mailto:core@xxxxxxxxxx]
Sent: Friday, June 20, 2003 1:13 PM
To: Alistair@xxxxxxxxxx
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Is this correct?
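As an added illustration (not part of George's message or the list thread), here is a small Python model of the reachability argument above: a routed host reaches the DNAT'd 10.0.0.1 via the firewall, a host on the connected 10.0.0.0/24 ARPs for it and gets no reply until the firewall claims the address (ip addr add) or the host carries a host route. Assumptions of mine: the remote host's netmask is /24 with gateway 10.23.4.254, the local host is 10.0.0.10, and any packet a client routes via a gateway ends up at the firewall 10.0.0.254.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Client:
    """A host with one interface, a default gateway and optional host routes."""
    address: str                                      # e.g. "10.0.0.10/24"
    gateway: str                                      # default gateway
    host_routes: dict = field(default_factory=dict)   # "10.0.0.1/32" -> next hop


def next_hop(client, dst):
    """Where the client sends a packet for dst: 'direct' (it ARPs on the link
    because dst is inside its own subnet) or the next-hop router's address."""
    target = ipaddress.ip_address(dst)
    # A host route is more specific than the connected subnet, so it wins.
    for prefix, via in client.host_routes.items():
        if target in ipaddress.ip_network(prefix):
            return via
    if target in ipaddress.ip_interface(client.address).network:
        return "direct"
    return client.gateway


def dnat_rule_sees_packet(client, dst, firewall_addrs):
    """True if a packet for dst reaches the firewall, where a PREROUTING DNAT
    rule can rewrite it.  Assumed: every routed packet ends at the firewall.
    A 'direct' packet only arrives if the firewall answers ARP for dst, i.e.
    the address was added to eth0 with 'ip addr add'."""
    hop = next_hop(client, dst)
    return hop != "direct" or dst in firewall_addrs


def scenarios():
    """Constructed hosts: the remote 10.23.4.209 (netmask assumed /24) and a
    host on the directly connected 10.0.0.0/24; the firewall is 10.0.0.254."""
    remote = Client("10.23.4.209/24", "10.23.4.254")
    local = Client("10.0.0.10/24", "10.0.0.254")
    with_route = Client("10.0.0.10/24", "10.0.0.254", {"10.0.0.1/32": "10.0.0.254"})
    before = {"10.0.0.254"}                 # DNAT target 10.0.0.1 exists nowhere
    after = {"10.0.0.254", "10.0.0.1"}      # after: ip addr add 10.0.0.1/24 dev eth0
    return {
        "remote_before": dnat_rule_sees_packet(remote, "10.0.0.1", before),
        "local_before": dnat_rule_sees_packet(local, "10.0.0.1", before),
        "local_host_route": dnat_rule_sees_packet(with_route, "10.0.0.1", before),
        "local_after": dnat_rule_sees_packet(local, "10.0.0.1", after),
        "remote_after": dnat_rule_sees_packet(remote, "10.0.0.1", after),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:18} -> {'DNAT applies' if ok else 'unreachable (no ARP reply)'}")
```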