If the DNATted machine is NOT the Linux router that is doing the DNAT, you WILL need the SNAT rule too. If you don't use it, the DNATted machine will try to answer directly to the machine that requested the update. And that machine is not expecting anything from that IP. So, SNATting to the Linux router IP is needed if DNATting to a machine in the network.

Sincerely,
Leonardo Rodrigues

----- Original Message -----
From: "Dimitar Katerinski" <train@xxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Sunday, June 27, 2004 5:17 PM
Subject: Re: transparent proxying NTP

> Well, if you think about how a transparent www proxy works, you may figure out how to do transparent ntp proxying.
> The following rule should do the job:
> iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j REDIRECT --to-ports 123
> also I think
> iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j DNAT --to-destination 192.168.64.1:124
> might work, as I test it. You don't need the SNAT rule though. Test these and give feedback.
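
The point made in the reply at the top of this message (DNAT to a separate machine on the LAN also needs SNAT), traced as an added example that is not part of the original messages. It is a simplified model of connection tracking, not netfilter itself; all addresses and the client port are constructed, and the NTP server is assumed to sit on the same subnet as the client.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Constructed addresses for illustration (not from the original thread).
CLIENT = "192.168.64.50"      # LAN host sending the NTP query
ROUTER = "192.168.64.1"       # LAN address of the Linux router doing NAT
NTP_LOCAL = "192.168.64.10"   # internal NTP server, same subnet as the client
NTP_REMOTE = "203.0.113.5"    # server the client believes it is querying


def router_forward(pkt, conntrack, snat):
    """PREROUTING DNAT to NTP_LOCAL, then optional POSTROUTING SNAT to ROUTER."""
    out = pkt._replace(dst=NTP_LOCAL)
    if snat:
        out = out._replace(src=ROUTER)
    # conntrack maps the expected reply tuple to the reply the client should see
    reply_seen = Packet(out.dst, out.dport, out.src, out.sport)
    conntrack[reply_seen] = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return out


def simulate(snat):
    """Return (reply source seen by the client, whether the client accepts it)."""
    conntrack = {}
    query = Packet(CLIENT, 40000, NTP_REMOTE, 123)
    at_server = router_forward(query, conntrack, snat)
    # The server answers whatever source address it saw.
    reply = Packet(NTP_LOCAL, 123, at_server.src, at_server.sport)
    if reply.dst == ROUTER:
        # Reply returns through the router, so conntrack can undo the NAT.
        reply = conntrack[reply]
    # Otherwise the reply goes straight across the LAN, bypassing the router.
    accepted = (reply.src, reply.sport) == (query.dst, query.dport)
    return reply.src, accepted


if __name__ == "__main__":
    for snat in (False, True):
        src, ok = simulate(snat)
        print(f"SNAT={snat}: reply from {src}, accepted={ok}")
```

Without SNAT the client sees a reply from the internal server's address instead of the one it queried; with SNAT the reply passes back through the router and arrives with the original destination as its source.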