Hello again,

> If I've got it right you are trying to do DNAT. The problem was that
> everything was not being traced by conntrack, this is what you've
> already fixed.

Yes, I'm trying to do some DNAT, but I still have a long way to go.

> Next, as you've told in a further message, nothing blocks that traffic in -t
> filter, that's good.
>
> Next, show us the actual DNAT rules and check that the counters increase as
> you try to connect.
>
> You can also check whether the connection is actually being tracked by
> analyzing the output of "conntrack -L" or "conntrack -E".

The problem is that I'm stuck at step 1: excluding items from NOTRACK. As soon as I add rules with RETURN in the raw table, packets are dropped somewhere.

To reproduce: I've got a host which connects with lynx to any website. In the router there are no DROP rules in FORWARD and a single line in the raw table:

/sbin/iptables -t raw -A PREROUTING -j NOTRACK

The host connects to any remote host on port 80. As soon as I add two lines with -j RETURN in the raw table (so the entries are tracked), I experience the same effect as if I had added -j DROP:

/sbin/iptables -t raw -I PREROUTING -p tcp -s host.ip --dport 80 -j RETURN
/sbin/iptables -t raw -I PREROUTING -p tcp -d host.ip --sport 80 -j RETURN

act as if I had made these rules:

/sbin/iptables -t raw -I PREROUTING -p tcp -s host.ip --dport 80 -j DROP
/sbin/iptables -t raw -I PREROUTING -p tcp -d host.ip --sport 80 -j DROP

I've tried replacing RETURN with ACCEPT with the same results. As soon as I remove those two rules, host.ip can connect to the remote port 80.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
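The raw-table layout the post is working with, as an added shell example that is not part of the original message or of any reply in the thread. It generates the rule set in iptables-restore format with the two per-host exemptions placed ahead of the catch-all NOTRACK (the same ordering that inserting them with -I produces), checks that ordering before anything is loaded, and then runs the checks the quoted reply suggests (rule counters and conntrack entries). The address 192.0.2.10 is an assumed placeholder for the post's host.ip; loading the rules needs root and the iptables and conntrack tools.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the raw-table rule set
# the thread is about: everything is NOTRACKed except one host's HTTP flows,
# which stay tracked so conntrack (and therefore the nat table and DNAT) can
# see them. 192.0.2.10 is an assumed placeholder for the post's "host.ip".

# Emit the raw table in iptables-restore format. Rule order is what matters:
# the first matching rule in PREROUTING decides, so the two exemptions must sit
# above the catch-all NOTRACK. RETURN in a built-in chain hands the packet to
# the chain policy (ACCEPT here), after which it goes through conntrack as usual.
raw_ruleset() {
    rr_host="$1"
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# client -> remote web server
-A PREROUTING -p tcp -s ${rr_host} --dport 80 -j RETURN
# remote web server -> client (reply direction of the same flow)
-A PREROUTING -p tcp -d ${rr_host} --sport 80 -j RETURN
# everything else bypasses connection tracking
-A PREROUTING -j NOTRACK
COMMIT
EOF
}

# Succeed (status 0) only if every "-j RETURN" rule precedes the "-j NOTRACK"
# rule; a rule set that NOTRACKs first would never track anything.
check_order() {
    co_rules="$1"
    co_notrack=$(printf '%s\n' "$co_rules" | grep -n -- '-j NOTRACK' | head -n 1 | cut -d: -f1)
    co_last_ret=$(printf '%s\n' "$co_rules" | grep -n -- '-j RETURN' | tail -n 1 | cut -d: -f1)
    [ -n "$co_notrack" ] && [ -n "$co_last_ret" ] && [ "$co_last_ret" -lt "$co_notrack" ]
}

# Parse the rule set with iptables-restore --test (drop --test to load it), then
# show the checks the reply suggested: per-rule packet counters in the raw
# table and the live conntrack entries for the host. Needs root and the
# iptables / conntrack tools on the router.
load_and_verify() {
    lv_host="$1"
    lv_rules=$(raw_ruleset "$lv_host")
    check_order "$lv_rules" || { echo "exemptions must precede NOTRACK" >&2; return 1; }
    printf '%s\n' "$lv_rules" | iptables-restore --test || return 1
    iptables -t raw -L PREROUTING -v -n --line-numbers
    conntrack -L -s "$lv_host" 2>/dev/null
}
```

Call `load_and_verify 192.0.2.10` on the router while the client is connecting: if the counters on the two RETURN rules increase and `conntrack -L` lists the flow, the exemption is in effect and the nat table will see those packets for DNAT. Note that RETURN in a built-in chain only ends processing in that table under the chain policy (ACCEPT), so the raw table above contains nothing that can drop a packet on its own.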