Thank you; I actually got this to work doing exactly what you mentioned. I went from masquerading to dnat & snat and it worked.

My problem now is that when I have 2 clients connected via the same VPN I can only get the DISPLAY back to an individual client (whichever one is the source IP in the SNAT statement). Putting a range of I.P.'s (i.e. --to-source 192.168.10.50-192.168.10.70) doesn't give me any display back. I'm assuming I'm not connection or stream tracking.

Jeff Hammond
Customer Support
972 461 4152

-----Original Message-----
From: Sietse van Zanen [mailto:sietse@xxxxxxxxx]
Sent: Thursday, May 12, 2005 2:12 AM
To: Hammond, Jeffrey
Subject: RE: Passing X11 through IPTABLES NAT

Hi,

This is most likely due to the fact that the X11 connection is opened in the other direction. You will need to do some SNAT back to your clients.

It goes like this:
Client telnets ---> Server
Server X11 ---> Client.
(In fact your client runs the X11 server, and the server the X11 client).

Greets.

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Hammond, Jeffrey
Sent: 10 May 2005 14:20
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Passing X11 through IPTABLES NAT

All;

I'm using IPTABLES to NAT various client LINUX boxes through a VPN server. I'm able to connect through the server, NAT the client and out the VPN connection successfully. Telnet is successful. However when I try to export the X display back to my client I receive 'Can't open Display <I.P.>' where the I.P. is that of the NAT'd client from the host, and see an 'invalid data' packet while sniffing on the client. I've tried DNATting X11 port 6000 packets back to the original I.P. with no success.

Any help would be appreciated.

Jeff Hammond
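
Added example, not part of the original thread: one way to return the display to more than one client is to give each client its own NAT address with a matching DNAT for X11 (TCP 6000, display :0), rather than a shared --to-source address. The interface name, the remote host address and the client addresses below are constructed assumptions, and the function only prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: VPN_IF is the VPN-facing
# interface, X_HOST is the remote host that runs the X clients, and the NAT
# box already answers for every NAT address used below.
VPN_IF="tun0"
X_HOST="10.20.0.5"

# Reads "client_ip nat_ip" pairs on stdin and prints paired SNAT/DNAT rules.
# Returns 1 and prints nothing if two clients share a NAT address: a shared
# address can only be DNATed back to one client, which is the situation
# described in the thread.
gen_x11_nat_rules() {
    seen=""
    rules=""
    while read -r client nat_ip; do
        [ -z "$client" ] && continue
        case " $seen " in
            *" $nat_ip "*)
                echo "error: NAT address $nat_ip assigned twice" >&2
                return 1 ;;
        esac
        seen="$seen $nat_ip"
        # Outbound (telnet etc.): the client always leaves as its own address.
        # Inbound X11: only X_HOST may open display :0 (TCP 6000) on that
        # address, and it is sent to the client that owns it.
        rules="${rules}iptables -t nat -A POSTROUTING -s $client -o $VPN_IF -j SNAT --to-source $nat_ip
iptables -t nat -A PREROUTING -i $VPN_IF -s $X_HOST -d $nat_ip -p tcp --dport 6000 -j DNAT --to-destination $client
"
    done
    printf '%s' "$rules"
}

# Constructed sample mapping: two clients, one NAT address each.
SAMPLE_MAP="172.16.0.11 192.168.10.50
172.16.0.12 192.168.10.51"

# Run with --print to see the generated commands for the sample mapping.
if [ "${1:-}" = "--print" ]; then
    printf '%s\n' "$SAMPLE_MAP" | gen_x11_nat_rules
fi
```

Limiting the DNAT rule to the one remote host keeps port 6000 on the clients closed to everything else on the VPN side.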