On Sun, 24 Feb 2002, byte wrote:

> But I want to know why it need BOTH SNAT and DNAT for such mapping..

...to force the packet to get back through NAT_box [to remap again from 1.4 to 1.1]. If SNAT isn't done then 1.4 replies directly to the client, which will be surprised because he made the connection to 1.1 ;)

When DNAT isn't done through 1 interface but passes NAT_box [to another interface, that is more popular ;)] then you don't need to do SNAT, all the job is done by conntrack/nat then reply returns. [I suppose again ;)]

This issue is covered in some documentation on the netfilter website AFAIR.

> >> -A PREROUTING -p tcp --dport 80 -d 192.168.1.1 -j DNAT --to
> >> 192.168.1.4
> >
> >....and also add SNAT to 192.168.1.1 rule in postrouting.

tw
-- 
----------------
ck.eter.tym.pl
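
The packet flow described in the reply above, as an added example that is not part of the original message: a small Python model of client, NAT box and server on the same 192.168.1.0/24 segment, showing which reply the client receives with and without the SNAT rule. The client address 192.168.1.2, the source port 40000 and all class and function names are assumptions made for the illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")

CLIENT = "192.168.1.2"   # constructed address, not from the message
NAT_BOX = "192.168.1.1"  # address the client connects to (from the message)
SERVER = "192.168.1.4"   # DNAT target (from the message)


class NatBox:
    """Toy conntrack: maps the expected reply tuple to its un-NATed form."""

    def __init__(self, snat):
        self.snat = snat
        self.flows = {}

    def forward(self, pkt):
        out = pkt._replace(dst=SERVER)        # PREROUTING: DNAT to 192.168.1.4
        if self.snat:
            out = out._replace(src=NAT_BOX)   # POSTROUTING: SNAT to 192.168.1.1
        expected_reply = Pkt(out.dst, out.dport, out.src, out.sport)
        # Reply as the client must see it: both translations reversed.
        self.flows[expected_reply] = Pkt(pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return out

    def reverse(self, reply):
        return self.flows[reply]


def client_sees(snat):
    """Return the reply packet that finally arrives at the client."""
    nat = NatBox(snat)
    at_server = nat.forward(Pkt(CLIENT, 40000, NAT_BOX, 80))
    reply = Pkt(SERVER, 80, at_server.src, at_server.sport)
    # All hosts share one subnet, so the server delivers the reply straight
    # to its destination address. Only if that is the NAT box does the
    # packet pass conntrack again and get remapped from 1.4 back to 1.1.
    if reply.dst == NAT_BOX:
        reply = nat.reverse(reply)
    return reply


def client_accepts(reply):
    """The client's socket is connected to 192.168.1.1:80 and nothing else."""
    return (reply.src, reply.sport, reply.dst) == (NAT_BOX, 80, CLIENT)


if __name__ == "__main__":
    for snat in (False, True):
        r = client_sees(snat)
        print(f"SNAT={snat}: reply from {r.src}:{r.sport}, accepted={client_accepts(r)}")
```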
