Hi,

I am having a problem with the nat table configuration. I am using the 2.6.8.1 kernel in a router and also added an http filter proxy which uses port 8080.

Internet ------------ ROUTER (http filter proxy) --------- linux PC
                      lan ip: 192.168.1.1                  192.168.1.2

I have found that if there is an established connection between the linux PC and the webserver before I start the proxy and add the iptables nat rules (which can be checked using netstat), the outgoing http packets will not be passed to the proxy, and they seem to go out directly. If I leave it untouched (no http activity), and some time later that connection is gone, the outgoing http packets will be passed to the proxy again.

Anyone know how to solve this problem?

Thanks.
Yong

Here is the iptables configuration:
1. only the one in nat PREROUTING REDIRECT is for the proxy
2. ppp0 is the wan interface, br0 is the lan interface. The PC is attached to br0.

# iptables -L -v
Chain INPUT (policy ACCEPT 3574 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
   22  7554 ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            udp dpt:500
    0     0 ACCEPT     esp  --  ppp0   any     anywhere             anywhere
    0     0 ACCEPT    !esp  --  ppp0   any     anywhere             anywhere            MARK match 0x10000000/0x10000000
    0     0 LOG        tcp  --  ppp0   any     anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP       all  --  ppp0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 43 packets, 13943 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37 15118 ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT    !esp  --  ppp0   any     anywhere             anywhere            MARK match 0x10000000/0x10000000
    0     0 LOG        tcp  --  ppp0   any     anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP       all  --  ppp0   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3456 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    ppp0    anywhere             239.255.255.250

# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 84 packets, 5865 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  br0    any     anywhere            !192.168.1.1         tcp dpt:www redir ports 8080
    2   118 DNAT       udp  --  br0    any     anywhere             192.168.1.1         udp dpt:domain to:10.250.1.10

Chain POSTROUTING (policy ACCEPT 28 packets, 1822 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   178 MASQUERADE all  --  any    ppp0    192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
#
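The behaviour described in the post follows from how netfilter applies NAT: the nat table is consulted only for the first packet of a connection, the resulting mapping is stored in the connection-tracking entry, and every later packet of that flow reuses the stored mapping without re-evaluating the rules. A flow that existed before the REDIRECT rule was loaded therefore keeps its original (non-redirected) mapping until its conntrack entry disappears. The Python model below is added here as an illustration and is not code from the post or from the kernel; it replays the scenario against the router's own REDIRECT rule (in br0, tcp dpt 80, destination other than 192.168.1.1, redirect to 8080). The web server address 198.51.100.7 and the source ports are constructed values, and flush_conntrack() stands in for the entry timing out or being removed by hand.

```python
"""Toy model of netfilter NAT + connection tracking (added illustration, not
the kernel's code).  The nat PREROUTING chain is consulted for the first packet
of a flow only; the decision is cached in the conntrack table and reused."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (br0 = LAN side)
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class RedirectRule:
    """Models: -i <in_iface> -p tcp ! -d <not_dst> --dport <dport> -j REDIRECT --to-ports <to_port>"""
    in_iface: str
    dport: int
    not_dst: str    # excluded destination (the router's own LAN address)
    to_port: int

    def matches(self, pkt: Packet) -> bool:
        return (pkt.in_iface == self.in_iface
                and pkt.dport == self.dport
                and pkt.dst != self.not_dst)


@dataclass
class Router:
    router_ip: str
    nat_prerouting: list = field(default_factory=list)
    # flow tuple -> (delivery address, delivery port) decided for that flow
    conntrack: dict = field(default_factory=dict)

    def add_redirect(self, rule: RedirectRule) -> None:
        self.nat_prerouting.append(rule)

    def flush_conntrack(self) -> None:
        """Models the conntrack entry expiring (or being flushed by the admin)."""
        self.conntrack.clear()

    def route(self, pkt: Packet) -> tuple:
        """Return (address, port) the packet is delivered to after PREROUTING."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Established flow: the nat table is NOT consulted again, the
            # mapping recorded for the first packet is reused.
            return self.conntrack[key]
        target = (pkt.dst, pkt.dport)          # default: deliver unchanged
        for rule in self.nat_prerouting:
            if rule.matches(pkt):
                # REDIRECT is a DNAT to the router's own address on to_port.
                target = (self.router_ip, rule.to_port)
                break
        self.conntrack[key] = target           # remembered for the flow's lifetime
        return target


def demo() -> dict:
    """Replay the situation from the post; returns where each packet is delivered."""
    r = Router("192.168.1.1")
    webserver = "198.51.100.7"                 # constructed address
    old_flow = Packet("br0", "192.168.1.2", 3456, webserver, 80)

    before = r.route(old_flow)                 # flow created before the rule exists
    r.add_redirect(RedirectRule("br0", 80, "192.168.1.1", 8080))
    still_direct = r.route(old_flow)           # same flow: rule present but ignored
    new_flow = r.route(Packet("br0", "192.168.1.2", 3457, webserver, 80))
    to_router = r.route(Packet("br0", "192.168.1.2", 3458, "192.168.1.1", 80))
    r.flush_conntrack()                        # entry gone: next packet is "new" again
    after_flush = r.route(old_flow)
    return {
        "before": before,
        "still_direct": still_direct,
        "new_flow": new_flow,
        "to_router": to_router,
        "after_flush": after_flush,
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:12s} -> {target[0]}:{target[1]}")
```

The model shows why waiting until the connection is gone "fixes" the problem: only a flow without a conntrack entry gets matched against the REDIRECT rule. The same rule also leaves traffic addressed to the router itself (192.168.1.1:80) alone, which is the effect of the `!192.168.1.1` destination match in the listing.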