> > I searched for "Destination nat" just to make sure I did not miss > something and it looks like what I have above. > > Thanks, > > jerry > Ok - I found out how to enable iptables logging. I can see a connection from 98.X on port 25 going to .58 as desired. Then we can see that the return is going out eth2 - and - it should be going out eth1 based on postrouting. May 17 10:30:10 mngateway kernel: IN=eth1 OUT=eth0 SRC=98.220.57.24 DST=192.168.1.58 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=17126 DF PROTO=TCP SPT=49060 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 May 17 10:30:10 mngateway kernel: IN=eth0 OUT=eth2 SRC=192.168.1.58 DST=98.220.57.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=49060 WINDOW=5792 RES=0x00 ACK SYN URGP=0 Everything on eth2 is working as needed. Incoming gets correctly pre-routed and outgoing gets correctly post-routed. Its just eth1 that is not correctly post-routing. What have I "uncorrectly configured" so return packets that connect on eth1 go back out eth1? below are my config lines again. Jerry ------------- eth0 is internal eth1 is 74.X network eth2 is 24.X network INTERFACE="eth1" MYIP="74.223.8.179" GWIP="192.168.1.1" # setup port 22 iptables -t nat -A PREROUTING -i $INTERFACE -p tcp -d $MYIP --dport 22 -j DNAT --to 192.168.1.58:22 iptables -t nat -A POSTROUTING -o $INTERFACE -d 192.168.1.58 -j SNAT --to $GWIP # Setup the port for sendmail iptables -t nat -A PREROUTING -i $INTERFACE -p tcp -d $MYIP --dport 25 -j DNAT --to 192.168.1.58:25 iptables -t nat -A POSTROUTING -o $INTERFACE -d 192.168.1.58 -j SNAT --to $GWIP route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 24.123.23.168 0.0.0.0 255.255.255.248 U 0 0 0 eth2 74.223.8.176 0.0.0.0 255.255.255.240 U 0 0 0 eth1 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2 0.0.0.0 24.123.23.169 0.0.0.0 UG 0 0 0 eth2