RE: forwarding


 



John A. Sullivan III wrote:
> I do not believe that is necessarily true.  I'm not the expert but I
> believe that if all you want is inbound access, connection tracking
> will take care of the source alteration.  You would only need SNAT if
> you wanted to originate outbound packets with the altered source. 
> Someone please correct me if I am wrong - John    

If the default route does not route back through the Linux server, you are required to SNAT the packet back to the firewall's address, basically forcing the respondee to keep the firewall in-the-loop so to speak. Netfilter will NOT allow a one way stream into the system since the second packet sent by the client (ACK) is marked as INVALID by the state machine since it never received a SYNACK in response to the initial packet.
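The two rule sets being discussed, written out as an added example (this is not code from the thread; the interface names, addresses and port are constructed placeholders). The first function emits the rules for the case where the internal host's default route points back at the firewall, so connection tracking reverses the DNAT on the replies by itself. The second adds the POSTROUTING SNAT rule for the asymmetric case, where the server would otherwise reply around the firewall, leaving conntrack without the SYN/ACK and causing the client's ACK to be classed INVALID. A third function emits a LOG rule for INVALID packets in FORWARD, which is the quickest way to confirm that symptom on a firewall that is misbehaving:

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All values below are
# constructed placeholders; adjust to the real topology before applying.
WAN_IF="eth0"              # assumption: interface facing the Internet
LAN_IF="eth1"              # assumption: interface facing the internal host
FW_LAN_IP="192.168.1.1"    # assumption: firewall's address on the LAN side
INT_HOST="192.168.1.50"    # assumption: internal server receiving the port
PORT="8080"                # assumption: forwarded TCP port

# Symmetric case: the server's default route goes back through this box, so
# conntrack un-DNATs the replies and no source rewriting is needed.
forward_rules() {
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $INT_HOST:$PORT" \
    "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $INT_HOST --dport $PORT -m conntrack --ctstate NEW -j ACCEPT" \
    "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Asymmetric case: the server's default route bypasses the firewall. Without
# SNAT the SYN/ACK leaves by another path, conntrack never sees it, and the
# client's ACK arriving here is INVALID (and is not NATed). Rewriting the
# source to the firewall's LAN address forces the server to reply to us.
forward_rules_asymmetric() {
  forward_rules
  printf '%s\n' \
    "iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $INT_HOST --dport $PORT -j SNAT --to-source $FW_LAN_IP"
}

# Diagnostic rule: log what conntrack rejects as INVALID in FORWARD. Mid-stream
# ACKs from the client showing up here point at the asymmetric-routing problem.
invalid_log_rule() {
  printf '%s\n' \
    "iptables -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix \"fwd-invalid: \""
}

# Default action is to print the rules for review; set APPLY=1 (as root) to
# pipe them into a shell and install them.
if [ "${APPLY:-0}" = "1" ]; then
  { forward_rules_asymmetric; invalid_log_rule; } | sh
else
  forward_rules_asymmetric
  invalid_log_rule
fi
```

Note that the SNAT rule costs the server the client's real source address in its own logs, which is the trade-off the reply above alludes to: the alternative is fixing the server's routing (a route for the relevant traffic back via the firewall, or policy routing) so that the symmetric rule set suffices.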



