Hi Federico, > I think the problem is in the destination IP address, you have to use the > external IP, so i think the rule should be: > > iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 211.1.1.10 > --dport 80 -j SNAT --to 192.168.1.1 I don't think that's true in this case. As far as I know, after the destination address has been rewritten in PREROUTING, all subsequent hooks (FORWARD and POSTROUTING) will see the new destination address, not the original. But please correct me if I'm wrong. [By the way, you sent your reply to me, not to Rio or the Netfilter list.] Cheers, Chris. -- ___ __ _ / __// / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer | / (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk | \ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |