> Thanks again, but after trying this and numerous variations I still
> can't make this work, and I've read plenty of other stuff that says to
> do what you say, but no cigar :(

Well, there is no fundamental reason why it shouldn't work along those lines, most likely your other rules get in the way. I'd start by reducing the ruleset to the basics and then I'd re-add rules till I'd find the culprit.

> It's annoying and I'd like to get it working at the firewall. But for
> now I think I'm going to take Robby's advice and have a look at split
> views with Bind.

This also does seem to be the recommended way to do it. NAT routers always hide some source addresses from at least one machine, otherwise they wouldn't be NAT routers ;) But sure, if you have a 1000 people behind your NAT router, NATing local requests to local services just for the sole reason of not having to use different names for services from the inside or a split DNS server might not be such a good idea.