On 20/01/2016 19:55, Steve Clark wrote: > > So I want traffic coming in eth5 with 10.10.0.x addresses to be source > natted to 192.168.100.3. > But my iptables nat statement never gets hit. > > Chain POSTROUTING (policy ACCEPT 172 packets, 31384 bytes) > pkts bytes target prot opt in out source > destination > 0 0 SNAT all -- * xbrdg0 0.0.0.0/0 > 0.0.0.0 to:192.168.100.3 > 29 1933 MASQUERADE all -- * tun+ 0.0.0.0/0 > 0.0.0.0/0 > > # ping -I 10.10.0.1 8.8.8.8 First you should try to match without SNAT at all with a simple log target and see if it matches. I would start with: iptables -t nat -I POSTROUTING -s 10.0.0.1 -o xbrdg0 -j LOG --log-prefix "Should-SNAT: " --log-level 4 And then: iptables -t nat -I POSTROUTING -s 10.0.0.1 -o xbrdg0 -j SNAT --to-source 192.168.100.3 And see what happens. Also there might be something about this bridge settings and it maybe needs the "-o eth1" but it would be a bit weird. Eliezer