You're right, I think... basically what you seem to want is DNAT to variable IP addresses based on information in the protocol being transmitted... certainly not exactly simple.
(If all you wanted was to send all connections on port X to host Y without modifying the way connections on port X work from the proxy box, you could of course just do something like

    iptables -t nat -A PREROUTING ! -i $PROXY_IF -p tcp --sport $X -j DNAT --to $Y
    iptables -t nat -A PREROUTING ! -i $PROXY_IF -p udp --sport $X -j DNAT --to $Y

The proxy box's return traffic will _automatically_ be retransmitted to the source, since DNAT doesn't modify the source IP address. But you probably already knew all of this.)

If I'm understanding you correctly, and I'm not sure that I am, since I know very little about real routers and nothing about what a dot1q VLAN is, what you want is, for every DNAT'd connection from port X to server Y, you want to automatically generate a return connection from Y to X.

What you need to do is write, or have someone write, a conntrack helper for this protocol. Conntrack helpers have dynamic access to the connection tracking tables, and can easily add and remove single connections unrelated to existing ones; just adding a 'connection' entry a priori will almost certainly work for UDP traffic, especially if you don't really need to modify any of the data inside (i.e., the server you're DNATting it to handles all the protocol issues, etc.). For TCP traffic, you might have to monitor for the incoming connection-initiating packet for the reversed connection and modify that before the routing code gets ahold of it, or modify it and the connection entry it creates afterward... this may not be as simple. (This is because for TCP, even though the kernel may already have an established connection for a certain port/host setup, I'm not sure whether it will accept that for a new SYN coming in. I could be wrong there, in which case TCP might 'just work' as well.)

I hope this has been at least a little bit helpful.
iptables can do what you want, but what you want probably shouldn't be so much a default feature as a specific module to support your protocol; as such, it deserves implementation as a kernel module of some sort. I've suggested using a conntrack helper, because if you can get away with it, it'd be the simplest thing. New NAT targets and userspace packet queueing are also possibilities to look into. Good luck,

-EtherMage
