Hi everybody...

On Wed, 2004-07-07 at 22:54, Antony Stone wrote:

> And, to answer your question about how to avoid NATting certain types of
> packets, the answer is to put an ACCEPT rule in your PREROUTING or
> POSTROUTING chain, before the SNAT or DNAT rule which would otherwise nat
> them.
>
> For example:
>
> iptables -A PREROUTING -t nat -p 50 -j ACCEPT
> iptables -A PREROUTING -t nat -d a.b.c.d -j DNAT --to w.x.y.z
>
> These rules will DNAT all packets originally addressed to a.b.c.d and send
> them to w.x.y.z instead, *unless* they are protocol 50, in which case they
> won't get NATted.

I tried to work with that, but failed to produce the desired results, which were to enable IPsec transport mode packets to pass through the firewall without being NATed.

I put these rules at the beginning of the PREROUTING chain:

iptables -A PREROUTING -t nat -p 50 -j ACCEPT
iptables -A PREROUTING -t nat -p 51 -j ACCEPT

Has anyone got any ideas? What should the IPs and routing tables look like?

Thanks, and sorry for asking a possibly silly question... I am quite new to this matter!

Regards,

Rainer
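As an added example, not code from the thread: a shell check that can be run over the output of `iptables-save -t nat` to confirm that the protocol 50 (ESP) and 51 (AH) ACCEPT rules precede any DNAT/SNAT rule in the same chain, since `-A` appends and an exemption appended after an existing DNAT rule never gets a chance to match. The two dumps embedded below are constructed, and the addresses and interface name in them are placeholders.

```sh
# Added example: verify that the ESP/AH ACCEPT exemptions in the nat table come
# BEFORE any DNAT/SNAT rule of their chain. Reads an iptables-save nat dump on stdin.
check_nat_exempt_order() {
  awk '
    /^-A (PREROUTING|POSTROUTING) / {
      chain = $2
      # a NAT rule reached before both exemptions exist in this chain is a problem
      if ($0 ~ /-j (DNAT|SNAT)/ && !(esp[chain] && ah[chain])) bad[chain] = 1
      if ($0 ~ /-j ACCEPT/) {
        if ($0 ~ /-p (50|esp) /) esp[chain] = 1   # iptables-save prints names
        if ($0 ~ /-p (51|ah) /)  ah[chain] = 1    # from /etc/protocols
      }
    }
    END {
      rc = 0
      for (c in bad) {
        printf "%s: a DNAT/SNAT rule precedes the ESP/AH ACCEPT rules\n", c
        rc = 1
      }
      exit rc
    }'
}
# Constructed dump: exemptions sit at the top of each chain, as the quoted advice says.
nat_dump_good() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p esp -j ACCEPT
-A PREROUTING -p ah -j ACCEPT
-A PREROUTING -d 192.0.2.10/32 -j DNAT --to-destination 10.0.0.5
-A POSTROUTING -p esp -j ACCEPT
-A POSTROUTING -p ah -j ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.1
COMMIT
EOF
}
# Constructed dump: exemptions appended with -A after an existing DNAT rule, so
# the DNAT rule still matches first and ESP/AH packets get NATed anyway.
nat_dump_bad() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -j DNAT --to-destination 10.0.0.5
-A PREROUTING -p esp -j ACCEPT
-A PREROUTING -p ah -j ACCEPT
COMMIT
EOF
}
```

On a live box, `iptables-save -t nat | check_nat_exempt_order` reports each chain whose ordering is wrong; inserting the exemptions with `iptables -t nat -I PREROUTING 1 ...` rather than `-A` puts them ahead of rules that are already present.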