Hello Jan,

Monday, January 29, 2007, 2:24:47 PM, you wrote:

>> iptables -t nat -A POSTROUTING -o eth2 -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74

JE> Make sure there are no other terminating rules in POSTROUTING that could stop a
JE> packet from reaching this SNAT rule.

No, the SNAT rule is the FIRST in the POSTROUTING chain.

Also, I have noticed that maybe I was wrong... I mean, the issue is not with the SNAT rule, but with a REDIRECT in PREROUTING.

I have noticed now that all of the packets that are not SNATed are FIN,ACK or RST,ACK packets that go to port 80 on the remote host. I have just remembered that I have a PREROUTING rule (the first in the chain) that does a REDIRECT to a local proxy, like this:

iptables -t nat -A PREROUTING -i eth0 -m state --state new -p tcp --dport 80 -j REDIRECT --to-port 8080

Now, this means that (I had forgotten about it, even though I configured it myself) there should be NO web traffic to be SNATed, because all of the connections to port 80 go through the proxy.

So, it seems that somehow it is PREROUTING that fails to catch the packets and does not REDIRECT them to the local proxy, and these packets go out of the WAN interface, where no connection tracking state is registered for these packets, since they do not belong to a SNATed connection... and this is why they do not get SNATed.

So the new question is: why does the REDIRECT rule in PREROUTING miss some packets? And why always FIN packets?

Thanks again.

-- 
Fabio "Kurgan" Muzzi