RE: (newbie) SNAT woes

What you've missed is that tcpdump and other utilities work on different layers and if I'm not wrong (hopefully not) it's seeing the packets before the SNAT.

Also, better to use MASQUERADE rather than SNAT for workstation access to the internet.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
 

-----Original Message-----
From: Martin Djernaes [mailto:martin@xxxxxxxxxxx]
Sent: Friday, August 08, 2003 12:15 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: (newbie) SNAT woes


Hi,

I realise that you have seen mails like mine lots of times before, but I
have spent hours reading howtos and googling for some hint as to why my
very simple setup doesn't work.

I have a simple box which is just supposed to do normal NATing of outgoing
traffic so it uses the public IP address.

I thought that I had it all set up right (that was at least what I
understood from everything I read), so here is my nat table:

# iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 1774 packets, 193K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1443 packets, 77156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth1    anywhere             anywhere           to:11.22.33.44

Chain OUTPUT (policy ACCEPT 317 packets, 23092 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now if I ping an external IP address from another box on the "inside" and
run "tcpdump -ni eth1" on the gateway box, I will see the source address
being unchanged! (and I don't get an icmp echo reply back).

So what did I miss? Isn't it just a one-liner to turn SNAT on?

Martin
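
Added example, not part of either message in this thread: the listing quoted above shows the SNAT rule's counters at 0 packets while the POSTROUTING policy counter reads 1443. The Python below parses an `iptables -t nat -v -L` listing and reports rules that have never matched. The function names are hypothetical, the sample is the listing from the message with its wrapped lines rejoined, and only built-in chains (those with a policy line) are assumed.

```python
import re

# Constructed sample: the nat-table listing quoted in the message above, with
# the line-wrapped "destination" column rejoined onto each row.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 1774 packets, 193K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1443 packets, 77156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth1    anywhere             anywhere           to:11.22.33.44

Chain OUTPUT (policy ACCEPT 317 packets, 23092 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+[KMGT]?) packets, (\d+[KMGT]?) bytes\)")
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def to_int(counter):
    """Expand iptables' abbreviated counters (e.g. 193K) to an approximate integer."""
    if counter[-1] in UNITS:
        return int(counter[:-1]) * UNITS[counter[-1]]
    return int(counter)

def parse_listing(text):
    """Return {chain: {"policy", "policy_pkts", "rules": [...]}} from `iptables -v -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "policy_pkts": to_int(m.group(3)), "rules": []}
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line, column header, or text outside any chain
        keys = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")
        rule = dict(zip(keys, f))
        rule.update(pkts=to_int(f[0]), bytes=to_int(f[1]), extra=" ".join(f[9:]))
        chains[current]["rules"].append(rule)
    return chains

def never_matched(chains):
    """Rules with a zero packet counter in chains whose policy counter is non-zero."""
    return [(name, r) for name, c in chains.items()
            for r in c["rules"] if r["pkts"] == 0 and c["policy_pkts"] > 0]

if __name__ == "__main__":
    for chain, r in never_matched(parse_listing(SAMPLE)):
        print(f"{chain}: {r['target']} out={r['out']} {r['extra']} matched 0 packets")
```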





