Hi,

> I guess this won't work because if your connection is established it will be stored in a TCP state table which is used for filtering and forwarding.
> If your connection already exists it makes no sense to check it against all rules from the ruleset.
>
> UDP doesn't have a state table (cuz it's stateless) and that is the reason why this works.

Thank you very much, that explains a lot.

Is there any way to force TCP packets through the NAT filter without writing a module? I have found out that it sort of works using conntrack -F and rules, but that is so ugly that I really wish I hadn't found the solution :)

I know this violates more or less every TCP principle, but the reason I want to do this is because the receiver is multihomed as well. So my plan is to intelligently stripe data over the links and do it transparently to the application.

-Kristian