RE: iptables - Trying to understand "no longer support implicit source local NAT"

I have now had a chance to exercise this new iptables rule, and it has worked out well. I no longer see the strange error message.

It is unfortunate that nobody seems to know why this message is there, or really what it means.  However, I'm past the message now and I'm happy with the solution that Mart provided.

Many thanks to all.

-Frank


----------------------------------------
> Hot diggity! Thanks Mart.
>
> This seems to be the solution.
>
> I replaced the nat rule:
>
> -A sendtolocal -d 10.1.2.3 -j DNAT --to-destination 127.0.0.1
>
>
> with:
>
> -A sendtolocal -d 10.1.2.3 -j REDIRECT
>
>
> and that did it. WooHoo! It seems so simple now. Why didn't I find that? :)
>
> I'll experiment some more with this approach and then try it with our live system. I'll report back with the final verdict.
>
>
> FYI: I tried this on an older Linux box too (with iptables v1.2.8) and found that it automatically SNATed the packet to 127.0.0.1. However on my newer box (with iptables v1.3.5), it didn't SNAT the packet. Its source remained the external interface of the box. Interesting...
>
>
> Thanks,
>
> -Frank
>
>
>>
>> I'm not 100% sure, but maybe the REDIRECT target is of use for that
>> particular case:
>>
>> from `man iptables':
>>
>> REDIRECT
>>     This target is only valid in the nat table, in the PREROUTING and
>>     OUTPUT chains, and user-defined chains which are only called from
>>     those chains. It redirects the packet to the machine itself by
>>     changing the destination IP to the primary address of the incoming
>>     interface (locally-generated packets are mapped to the 127.0.0.1
>>     address). It takes one option:
>>
>>     --to-ports port[-port]
>>         This specifies a destination port or range of ports to use:
>>         without this, the destination port is never altered. This is
>>         only valid if the rule also specifies -p tcp or -p udp.
>>
>>
>> Greets
>>
>> Mart
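The fix the thread settled on, as an added example that is not part of the original messages: a small POSIX shell script that lints an iptables-save dump for nat-table rules which DNAT to a loopback address (the rule form Frank replaced) and rewrites each one into the REDIRECT form Mart suggested. The sample ruleset is constructed; the sendtolocal chain and 10.1.2.3 are taken from the thread, while 10.1.2.4, 10.1.2.5 and the port numbers are invented so the script also covers a DNAT that remaps the destination port, a case the thread itself does not show.

```shell
#!/bin/sh
# Added example (not from the thread): find nat-table rules that DNAT to a
# loopback address and rewrite them into the REDIRECT form that Mart
# suggested and Frank confirmed. Reads and emits iptables-save(8) format.

# Constructed iptables-save dump. The sendtolocal chain and 10.1.2.3 come
# from the thread; 10.1.2.4, 10.1.2.5 and the port numbers are invented so
# the script also covers a DNAT that remaps the destination port.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sendtolocal - [0:0]
-A PREROUTING -j sendtolocal
-A OUTPUT -j sendtolocal
-A sendtolocal -d 10.1.2.3 -j DNAT --to-destination 127.0.0.1
-A sendtolocal -d 10.1.2.4 -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A sendtolocal -d 10.1.2.5 -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443
COMMIT'

# Print each nat-table rule whose DNAT target is a 127/8 address.
# Tracks the current "*table" header so rules in other tables are ignored.
find_loopback_dnat() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j DNAT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--to-destination" && $(i + 1) ~ /^127\./) { print; break }
        }'
}

# Turn "-j DNAT --to-destination 127.x.y.z[:port[-port]]" into
# "-j REDIRECT[ --to-ports port[-port]]". REDIRECT already picks the local
# address (127.0.0.1 for locally generated packets, the incoming interface's
# primary address otherwise), so only a port mapping needs to survive.
to_redirect() {
    sed -E \
        -e 's/-j DNAT --to-destination 127\.[0-9.]+:([0-9]+(-[0-9]+)?)$/-j REDIRECT --to-ports \1/' \
        -e 's/-j DNAT --to-destination 127\.[0-9.]+$/-j REDIRECT/'
}

# Number of offending rules in the sample dump.
count_loopback_dnat() {
    printf '%s\n' "$SAMPLE_RULES" | find_loopback_dnat | wc -l | tr -d ' '
}

# The offending rules in their REDIRECT form, ready for iptables-restore.
rewrite_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_loopback_dnat | to_redirect
}

rewrite_sample
```

On a live box the same pipeline can be fed from `iptables-save -t nat` instead of the constructed string; review the output with `iptables -t nat -L sendtolocal -n` after loading it, since the rewrite only touches the target and leaves the match part of each rule as it was.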

To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
