Re:

On 2011-08-23 12:08, Ellad Yatsko wrote:
> The main problem is that DNAT does not work as I wait. It seems to me there is
> an implicit additional DNAT rule for SNAT, and because of that *my* DNAT rule
> does not work. May you show me how it could be "switched off"? :-)

It's not an implicit rule. If either rule matches the FIRST time the
traffic is seen, it will become an established connection. NAT will be
applied to it in both directions. See the current list of tracked
connections with:

cat /proc/net/ip_conntrack

Don't run that on a system with a lot of traffic. You'll get one line for
each session. For 1000 sessions, that's manageable. For 500,000, it will
block the terminal for a long time.

Regards,
Tyler

-- 
"The map is not the territory."
   -- Alfred Korzybski
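Added example (not from Tyler's reply or the netfilter project): a small parser for ip_conntrack lines that classifies each tracked connection by the NAT already applied to it, by comparing the original-direction tuple with the reply-direction tuple. The sample output is constructed, and the reader-side streaming with a `limit` is an assumption that avoids holding the whole table in memory on a busy box.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample of /proc/net/ip_conntrack lines (not captured from a real system).
# Each line carries the original-direction tuple first, then the reply-direction tuple.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=51234 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=198.51.100.7 dst=198.51.100.1 sport=40000 dport=8080 src=192.168.1.20 dst=198.51.100.7 sport=8080 dport=40000 [ASSURED] use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 use=1
"""

_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Parse one ip_conntrack line into its two tuples and the NAT kind the entry carries."""
    tuples = _TUPLE.findall(line)
    if len(tuples) != 2:
        return None  # entries without port fields (e.g. ICMP) are skipped by this parser
    (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = tuples
    nat: List[str] = []
    # SNAT rewrote the original source, so replies are addressed to a different endpoint.
    if rdst != osrc or rdport != osport:
        nat.append("SNAT")
    # DNAT rewrote the original destination, so replies come from a different endpoint.
    if rsrc != odst or rsport != odport:
        nat.append("DNAT")
    return {"proto": line.split()[0],
            "orig": f"{osrc}:{osport}->{odst}:{odport}",
            "reply": f"{rsrc}:{rsport}->{rdst}:{rdport}",
            "nat": "+".join(nat) or "none"}

def summarize(lines: Iterable[str], limit: int = 1000) -> Dict[str, object]:
    """Stream entries, count NAT kinds, and keep at most `limit` parsed entries."""
    counts: Counter = Counter()
    kept: List[Dict[str, str]] = []
    total = 0
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        total += 1
        counts[entry["nat"]] += 1
        if len(kept) < limit:
            kept.append(entry)
    return {"total": total, "counts": dict(counts), "entries": kept}

if __name__ == "__main__":
    # On a live system, iterate over open("/proc/net/ip_conntrack") instead of the sample.
    result = summarize(SAMPLE_CONNTRACK.splitlines())
    print(result["counts"])
    for e in result["entries"]:
        print(e["proto"], e["nat"], e["orig"], "reply", e["reply"])
```

An entry that already shows "SNAT" or "DNAT" was matched on its first packet; later packets of that connection never hit the nat table again, which is what makes a newly added DNAT rule look ignored.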