Patrick,

Wow, we're getting into the deep nitty-gritty now!...

> The "nat" table is NOT consulted for "second or more"
> packet of an existing conntrack.

I needed to sit down and get a glass of water for this one. This is one to lose sleep over....

I thought /ALL/ packets first went through -t nat PREROUTING and then -t filter and then -t nat POSTROUTING. "of an existing conntrack" seems to be the same as an ESTABLISHED packet....

*If I did not explicitly allow ESTABLISHED & RELATED packets through the FORWARD chain then how can they pass?!?*

It almost seems like there are some hard-coded ACCEPT rules implied in iptables that you can't turn off!?!???

Is this correct to summarize?

0. conntrack = ESTABLISHED
1. ESTABLISHED packets don't have to deal with the -t nat table.
2. Somehow I don't have to ACCEPT these ESTABLISHED packets for them to go through?!?!?

Chris

-- 
_______________________________________
Dr. Christian Seberino
SPAWAR Systems Center San Diego
Code 2363
53560 Hull Street
San Diego, CA 92152-5001
U.S.A.

Phone: (619) 553-7940
Fax:   (619) 553-2836
Email: [EMAIL PROTECTED]
_______________________________________
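The quoted point about the nat table, as an added illustration that is not part of the thread or of netfilter's own code: a small Python model of one connection crossing a router, in which the nat table is looked up only for the first (NEW) packet and its decision is reused from the conntrack entry, while the filter FORWARD chain is consulted for every packet. The packet addresses and the `forward_accepts_established` switch are constructed for the example.

```python
# Added example: a toy model of netfilter table traversal for one flow.
# It is not the kernel's logic, only the order of decisions it makes.
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    reply: bool = False   # True for the return direction of the flow


@dataclass
class Router:
    # Models whether FORWARD has "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    forward_accepts_established: bool
    nat_lookups: int = 0                      # times the nat table was consulted
    conntrack: set = field(default_factory=set)  # known connection tuples

    def forward(self, pkt: Packet) -> str:
        # Both directions map to the same conntrack tuple.
        key = (pkt.dst, pkt.src) if pkt.reply else (pkt.src, pkt.dst)
        state = "ESTABLISHED" if key in self.conntrack else "NEW"

        # nat table: consulted only for the NEW packet. The mapping it picks
        # is stored in the conntrack entry and applied to later packets of
        # the flow (both directions) without another nat lookup.
        if state == "NEW":
            self.nat_lookups += 1
            self.conntrack.add(key)

        # filter table: FORWARD sees every packet. With a DROP policy, the
        # reply and all later packets pass only via an explicit
        # ESTABLISHED,RELATED rule; nothing is accepted implicitly.
        if state == "NEW":
            return "ACCEPT"   # assume a rule accepting this new flow
        return "ACCEPT" if self.forward_accepts_established else "DROP"


def run(accept_established: bool):
    """Send request, reply, and a second request through the model."""
    r = Router(accept_established)
    verdicts = [
        r.forward(Packet("10.0.0.2", "198.51.100.5")),
        r.forward(Packet("198.51.100.5", "10.0.0.2", reply=True)),
        r.forward(Packet("10.0.0.2", "198.51.100.5")),
    ]
    return verdicts, r.nat_lookups
```

With the ESTABLISHED,RELATED rule present, all three packets are accepted and the nat table was consulted once; without it, the first packet passes but the reply and every later packet are dropped by the filter table even though nat is still consulted only once.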
