Thank you! It *is* an oddity; but it's the nature of the beast. Added two rules and it works.

Cheers 'n' beers!

Neal

On Wed, 1 May 2024 01:03:28 +0200 (CEST)
Sven-Haegar Koch <haegar@xxxxxxxxx> wrote:

> On Tue, 30 Apr 2024, imnozi@xxxxxxxxx wrote:
>
> > Questions:
> > - Is lo ignored in PREROUTING?
> > - Is it possible to DNAT local traffic on FW_A (changing) the public IP to
> >   the private IP on LAN_2?
> > - Would I specify '-i lo' in mangle:PREROUTING and nat:PREROUTING (as I do
> >   for the real NICs)?
> >
> > The uber questions are:
> > - Should I be able to DNAT and SNAT traffic on lo just as I can on other
> >   LANs, or do I need to take extra steps?
>
> Locally generated traffic does not pass nat PREROUTING chain - you need
> to add matching DNAT rules to the nat OUTPUT chain if you want dnat
> rewriting applied to it.
>
> And similar traffic targeting the local system (after DNAT) does not
> pass POSTROUTING, if you want such traffic SNAT'ed you need to use the
> nat INPUT chain.
>
> > - Is this a known oddity? or was it known back around Linux 3.16 and
> >   iptables 1.6? (Don't ask; sometimes we're stuck in a place we don't
> >   want to be.)
>
> c'ya
> sven-haegar
>
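The rule placement Sven-Haegar describes for traffic that FW_A generates itself, as an added example that is not from the thread; the addresses, port and function names are constructed placeholders, and the script only prints the commands unless APPLY=1 is set:

```shell
#!/bin/sh
# Added example, not from the thread: nat rules for connections FW_A itself
# opens to a published address, placed in the chains locally generated
# traffic actually traverses. Addresses and port are constructed placeholders.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # public address the service is published on
LAN2_HOST="${LAN2_HOST:-192.168.2.10}"   # real server behind FW_A on LAN_2
LAN2_GW="${LAN2_GW:-192.168.2.1}"        # FW_A's own address on LAN_2
DPORT="${DPORT:-443}"

# Print the command, or run it when APPLY=1 (needs root and iptables).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Locally generated packets never pass nat PREROUTING, so a PREROUTING DNAT
# (with or without '-i lo') is simply never consulted for them. The DNAT goes
# in nat OUTPUT; after the rewrite the packet is rerouted out towards LAN_2
# and does traverse nat POSTROUTING, where the SNAT makes the server answer
# back through FW_A. (If the DNAT target were FW_A itself, the rewritten
# packet would be delivered locally and skip POSTROUTING; a source rewrite
# for that case has to sit in nat INPUT instead.)
local_dnat_to_lan2() {
    run iptables -t nat -A OUTPUT -p tcp -d "$PUBLIC_IP" --dport "$DPORT" \
        -j DNAT --to-destination "$LAN2_HOST"
    run iptables -t nat -A POSTROUTING -p tcp -d "$LAN2_HOST" --dport "$DPORT" \
        -m addrtype --src-type LOCAL -j SNAT --to-source "$LAN2_GW"
}

# Check afterwards: the OUTPUT rule's packet counter should increase when a
# connection is opened from FW_A, while any PREROUTING rule stays at zero.
show_nat_counters() {
    run iptables -t nat -L OUTPUT -v -n --line-numbers
    run iptables -t nat -L POSTROUTING -v -n --line-numbers
}

local_dnat_to_lan2
```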