I have the following rules on a Linux server, to route packets from LAN node 10.0.1.8 (a Windows machine) destined for 192.168.173.93 to 1.2.3.4 and vice versa: iptables -t nat -I PREROUTING -i br0 -s 10.0.1.8 -d 192.168.173.93 -j DNAT --to-destination 1.2.3.4 iptables -t nat -I POSTROUTING -o br0 -s 10.0.1.8 -d 1.2.3.4 -j SNAT --to-source 10.0.1.4 This works in general, but trace routes get fouled up due to the SNAT rule above, for whatever reason, being applied to the source address (the address of a hop) of *ICMP time exceeded in-transit* packets. Is there a way to prevent this, so that the IP of the hop isn't changed to 192.168.173.93 (which results in each hop line showing that ip, when running `tracert 192.168.173.93` from 10.0.1.8, though with the correct pings)? I ran the following trace: iptables -t raw -I PREROUTING -p icmp --icmp-type any -j TRACE This is what each *ICMP time exceeded in-transit* section looks like in the TRACE log (formatted for readability/email): Nov 13 15:03:23 linux kernel: TRACE: raw:PREROUTING:policy:2 IN=br0 OUT= MAC=Linux-br0(eth0)-MAC:Router-MAC:08:00 SRC=IP-of-HOP DST=10.0.1.4 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=57128 PROTO=ICMP TYPE=11 CODE=0 [ SRC=10.0.1.4 DST=1.2.3.4 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=57128 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43011 ] Nov 13 15:03:23 linux kernel: TRACE: mangle:PREROUTING:policy:1 IN=br0 OUT= MAC=Linux-br0(eth0)-MAC:Router-MAC:08:00 SRC=IP-of-HOP DST=10.0.1.4 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=57128 PROTO=ICMP TYPE=11 CODE=0 [ SRC=10.0.1.4 DST=1.2.3.4 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=57128 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43011 ] Nov 13 15:03:23 linux kernel: TRACE: mangle:FORWARD:policy:1 IN=br0 OUT=br0 MAC=Linux-br0(eth0)-MAC:Router-MAC:08:00 SRC=IP-of-HOP DST=10.0.1.8 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=57128 PROTO=ICMP TYPE=11 CODE=0 [ SRC=10.0.1.8 DST=1.2.3.4 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=57128 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43011 ] Nov 13 15:03:23 linux kernel: TRACE: filter:FORWARD:policy:1 IN=br0 OUT=br0 MAC=Linux-br0(eth0)-MAC:Router-MAC:08:00 SRC=IP-of-HOP DST=10.0.1.8 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=57128 PROTO=ICMP TYPE=11 CODE=0 [ SRC=10.0.1.8 DST=1.2.3.4 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=57128 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43011 ] Nov 13 15:03:23 linux kernel: TRACE: mangle:POSTROUTING:policy:1 IN= OUT=br0 (no MAC) SRC=IP-of-HOP DST=10.0.1.8 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=57128 PROTO=ICMP TYPE=11 CODE=0 [ SRC=10.0.1.8 DST=1.2.3.4 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=57128 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43011 ] Or see here: https://gist.github.com/gordon-fish/4ffe50798acdd7b4a97bfb52cff6ac68 I don't see that the source address is being changed in the normal flow at all; it's not even hitting the *nat* table, just *raw*, *mangle*, and *filter* tables, so I assume it's being done by conntrack. I'd really like to prevent that, when it comes to *ICMP time exceeded in-transit* responses, as my rules were only intended to translate just 192.168.173.93 to 1.2.3.4 and back. Is there any way to accomplish this? Thanks, -- gordonfish