I just encountered a linux/netfilter oddity. Simplified, I have FW_A with iface PUB to internet, another to internal LAN_1 and a third to LAN_2. Firewall rules on FW_A are properly set to:

- NAT traffic to/from PUB,
- block LAN_2 traffic from LAN_1,
- allow LAN_1 traffic to LAN_2,
- forward internet traffic to port 80 to SRVA_2 on LAN_2.

On FW_A, in mangle:PREROUTING, XMARKs are set for traffic coming from LAN_1 and LAN_2. Example:

    iptables -A portfwb -d 192.0.2.77/32 -i LAN_1 \
        -j MARK --set-xmark 0x1/0xffffffff

Internet hosts access port 80 on SRVA_2. Hosts on LAN_1 access port 80 on SRVA_2 via the public IP. Even SRVA_2 can access itself (port 80) via the public IP.

What *doesn't* work is FW_A accessing port 80 on SRVA_2. This traffic does not get NATted and appears on lo with the public address(es). And since nothing on FW_A listens to port 80, the connection is rejected. I *expected* locally-generated traffic to be NATted just like remote traffic.

Questions:

- Is lo ignored in PREROUTING?
- Is it possible to DNAT local traffic on FW_A (changing the public IP to the private IP on LAN_2)?
- Would I specify '-i lo' in mangle:PREROUTING and nat:PREROUTING (as I do for the real NICs)?

The uber questions are:

- Should I be able to DNAT and SNAT traffic on lo just as I can on other LANs, or do I need to take extra steps?
- Is this a known oddity? Or was it known back around Linux 3.16 and iptables 1.6? (Don't ask; sometimes we're stuck in a place we don't want to be.)

Thanks,
Neal
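As an added example (not from Neal's post or from any reply), the hook split behind the behaviour described above: packets FW_A generates itself enter netfilter at the OUTPUT hook and never traverse PREROUTING, so the mark and the DNAT for that path belong in mangle:OUTPUT and nat:OUTPUT, while forwarded traffic keeps using PREROUTING. The public IP 192.0.2.77 and mark 0x1 come from the post; SRVA_2's LAN_2 address is a placeholder, and IPT defaults to `echo iptables` so the script only prints the rules.

```shell
#!/bin/sh
# Added example for the locally-generated-traffic case; not part of the post.
# IPT defaults to a dry run. Set IPT=iptables to actually load the rules.
IPT="${IPT:-echo iptables}"
PUB_IP=192.0.2.77          # public address from the post
SRV_IP=192.168.2.80        # PLACEHOLDER: SRVA_2's address on LAN_2
PORT=80

# Forwarded traffic (internet hosts, LAN_1, even SRVA_2 itself) arrives on a
# real NIC and passes PREROUTING, so the mark and DNAT there work as expected.
dnat_forwarded() {
  $IPT -t mangle -A PREROUTING -d "$PUB_IP/32" -i LAN_1 \
       -j MARK --set-xmark 0x1/0xffffffff
  $IPT -t nat -A PREROUTING -d "$PUB_IP/32" -p tcp --dport "$PORT" \
       -j DNAT --to-destination "$SRV_IP:$PORT"
}

# Traffic FW_A originates never hits PREROUTING; its first hooks are
# mangle:OUTPUT and nat:OUTPUT. "-i lo" is not a valid match there (there is
# no input interface yet), so match on the destination address instead.
# After DNAT in OUTPUT the kernel re-routes the packet, and it then traverses
# POSTROUTING like any other packet, so SNAT/MASQUERADE rules still apply.
dnat_local() {
  $IPT -t mangle -A OUTPUT -d "$PUB_IP/32" -p tcp --dport "$PORT" \
       -j MARK --set-xmark 0x1/0xffffffff
  $IPT -t nat -A OUTPUT -d "$PUB_IP/32" -p tcp --dport "$PORT" \
       -j DNAT --to-destination "$SRV_IP:$PORT"
}

dnat_forwarded
dnat_local
```

With the default dry run the script prints the four rules; the OUTPUT pair is the part the original setup was missing for connections made from FW_A itself.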