[CentOS] A little iptables help

Wed Sep 28 17:21:50 UTC 2005
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting Kirk Bocek <t004 at kbocek.com>:

> Hmmm, I may be unclear on this. When doing DNAT, is the source IP 
> address of the traffic coming from firewall and going to the internal 
> host set to the internal address of the firewall? Or does it remain 
> the address of the outside host that initiated the traffic in the 
> first place.
>
> I always *assumed* (a bad thing) that it was the latter. Thus my 
> statement regarding the need for SNAT on the outbound traffic.

You assumed right.  However, Netfilter is smart enough to change the source address
on the returning packet without explicit SNAT rule(s).  As long as incoming and
outgoing packets are going through the same firewall (or unless you are doing
something else funky within your firewall rules).  You need explicit SNAT rules
only if you want to make outgoing connections from the hosts on the local network.

Of course, if you want your internal hosts to see all connections as coming
from the firewall, you can do SNAT too.  For example, if they don't have a
default route set or something like that...

On an example, it looks like this:

External interface of firewall receives:

SRC: 1.2.3.4 DST: 4.3.2.1

DNAT 4.3.2.1 -> 192.168.1.123

Internal interface of firewall transmits and destination host receives:

SRC: 1.2.3.4 DST: 192.168.1.123

Destination host transmits and internal interface of firewall receives:

SRC: 192.168.1.123 DST: 1.2.3.4

Firewall knows it was doing DNAT on this specific connection, and automatically
rewrites the source address.  You do not need an explicit SNAT rule for this:

Automatic rewriting, no rules needed 192.168.1.123 -> 4.3.2.1

Firewall transmits on its external interface:

SRC: 4.3.2.1 DST: 1.2.3.4
