Re: dnat problem in transparent firewall

> That's because the DNAT target does not return to the chain.   The LOG
> target is almost the only target I can think of which *does* return back to
> the chain for further processing - all other targets are the "final
> outcome" for the packet.
>
> Put the two rules the other way round and you'll get both LOGging and
> DNATting.

Thanks, I had missed that. Now I can ask my question in other words:

I presume that http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png is correct.

According to this picture, my packets should flow along the lowest path.
To be sure it is so, I have made rules to log incoming packets at 3 points:
a) iptables nat table prerouting chain
b) ebtables filter table forward chain
c) iptables mangle table forward chain
d) ebtables filter table input chain

I try to connect from the Internet to aaa.aaa.aaa.12

In the case of the rule:
iptables -t nat -A PREROUTING -d aaa.aaa.aaa.12 -j DNAT --to-dest aaa.aaa.aaa.13

I see the packet only at point a)

In the case of no rule, or the rule
iptables -t nat -A PREROUTING -d aaa.aaa.aaa.12 -j DNAT --to-dest aaa.aaa.aaa.12

I see the packet at points a), b) and c).

I also see the packet at points a), b) and c) if I connect from the Internet to aaa.aaa.aaa.13

It's just as if the DNAT rule drops the packet, but that can't be, because DNAT to the same address works fine. I know I have missed something important, but what could it be?

Raido
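The tracing procedure above (LOG rules at the nat PREROUTING, ebtables FORWARD, mangle FORWARD and ebtables INPUT points, then reading the kernel log) as an added example, not code from the thread. The chain and table names are the real netfilter/ebtables ones; the `TRACE-*` log prefixes, the bridge interface `br0`, and every address and log line below are assumptions or constructed sample data (RFC 5737/3849-style documentation addresses). One design point worth noting: points b, c and d run after nat PREROUTING, so a DNATted packet arrives there carrying the translated destination, which is why the installer matches both the original and the translated address at those points, and why the report keys flows on source address and source port, which DNAT leaves untouched.

```shell
#!/bin/sh
# Added example (not from the thread). Label the four observation points with
# distinct LOG prefixes, then summarise per flow which points were reached and
# which destination address the packet carried at each one.
# Assumptions: bridge interface br0; prefixes TRACE-a..TRACE-d; kernel log
# format of ipt LOG ("SRC= DST= ... SPT=") and ebt log --log-ip
# ("IP SRC= IP DST=..., ... SPT=").

# Install the LOG rules for traffic to $1 (original destination) and $2 (the
# address a DNAT rule translates to). Requires root; not run at load time.
install_trace_rules() {
    orig="$1"; xlat="$2"
    for a in "$orig" "$xlat"; do
        # a) nat PREROUTING: inserted at position 1 so the LOG precedes any DNAT
        iptables -t nat -I PREROUTING 1 -d "$a" -j LOG --log-prefix "TRACE-a "
        # b) ebtables filter FORWARD (the bridged path)
        ebtables -A FORWARD -p IPv4 --ip-dst "$a" --log-ip --log-prefix "TRACE-b"
        # c) iptables mangle FORWARD (IP layer, reached via bridge-nf)
        iptables -t mangle -A FORWARD -d "$a" -j LOG --log-prefix "TRACE-c "
        # d) ebtables filter INPUT (frames delivered to the bridge box itself)
        ebtables -A INPUT -p IPv4 --ip-dst "$a" --log-ip --log-prefix "TRACE-d"
    done
}

# Read kernel log lines on stdin and print one line per flow (SRC:SPT):
#   <src>:<sport> a=<dst or -> b=<dst or -> c=<dst or -> d=<dst or ->
# Flows are listed in order of first appearance; the destination recorded for
# a point is the one seen the first time that point logged the flow.
trace_report() {
    awk '
    match($0, /TRACE-[abcd]/) {
        point = substr($0, RSTART + 6, 1)       # the letter after "TRACE-"
        src = ""; dst = ""; spt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DST=/) { dst = substr($i, 5); sub(/,$/, "", dst) }
            if ($i ~ /^SPT=/) spt = substr($i, 5)
        }
        if (src == "" || spt == "") next        # not a TCP/UDP trace line
        flow = src ":" spt
        if (!(flow in seen)) { order[++n] = flow; seen[flow] = 1 }
        if (!((flow, point) in hit)) hit[flow, point] = dst
    }
    END {
        for (k = 1; k <= n; k++) {
            line = order[k]
            for (p = 1; p <= 4; p++) {
                pt = substr("abcd", p, 1)
                if ((order[k], pt) in hit) line = line " " pt "=" hit[order[k], pt]
                else line = line " " pt "=-"
            }
            print line
        }
    }'
}

# Constructed sample log: flow 1 (to 192.0.2.12, DNAT target in this scenario)
# is logged only at point a; flow 2 (to 192.0.2.13) is logged at a, b and c.
SAMPLE_LOG='Jan  1 00:00:01 fw kernel: TRACE-a IN=br0 OUT= PHYSIN=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 00:00:02 fw kernel: TRACE-a IN=br0 OUT= PHYSIN=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bc:08:00 SRC=198.51.100.9 DST=192.0.2.13 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=5000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 00:00:02 fw kernel: TRACE-b IN=eth0 OUT=eth1 MAC source = 00:11:22:33:44:55 MAC dest = 66:77:88:99:aa:bc proto = 0x0800 IP SRC=198.51.100.9 IP DST=192.0.2.13, IP tos=0x00, IP proto=6 SPT=5000 DPT=22
Jan  1 00:00:02 fw kernel: TRACE-c IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=198.51.100.9 DST=192.0.2.13 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=5000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0'

# Stand-alone demo: summarise the constructed log (real use: dmesg | trace_report)
printf '%s\n' "$SAMPLE_LOG" | trace_report
```

Run against the real log with `dmesg | trace_report` (or the syslog file kernel messages land in). A flow that shows `a=<addr>` and `-` for b, c and d was last seen in nat PREROUTING; a flow whose `a=` and `b=` addresses differ shows the DNAT rewrite taking effect before the bridge hooks.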


