I have a LINUX box and several Windows servers, all with two network cards, one connected to our internal network and one connected to the real internet (via an ADSL switching port). We do not have any masquerading/NAT enabled, nor IP forwarding, nor SOCKS proxies running.

I changed the /etc/sysconfig/sysctl line with IP-FORWARD to state "yes" and resaved it. (Actually I think there is a misprint in the descriptions, as it refers to this as ipv6, which should be the descriptor for the following parameter.)

I did

    echo 1 > /proc/sys/net/ipv4/ip_forward

and checked by cat'ing the same file that it had written 1.

I changed the default gateway on a PC on my internal network from nothing to my Linux box, and I could NOT ping anything on the external side.

I restarted the LINUX box and then found I could ping the external address of my Windows servers but not the external address of anything else, which suggests to me that it is now forwarding the packets but the replies are coming back through the internal side of the Windows boxes rather than through the Linux box.

Question 1: Why did I need to restart the LINUX box? The documentation states that I could either restart OR echo 1 to the proc/sys file.

I now did

    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 217.204.233.8

which is an unused address in real internet space. Eth1 is the external ethernet card with IP address 217.204.233.9.

iptables -L fails to list anything but empty descriptors after issuing this command, when I rather expected it to show what I had entered.

Question 2: Why does iptables not list this rule?

Question 3: Why can I still not get echo replies from external IP addresses (except our servers)?

I suspect I am overlooking the obvious, and of course I lay open my ignorance in these matters for you to chuckle about as a reward for pointing me in the right direction (probably retirement!).

--
Alan Davies
Head of Computing
Birkenhead School
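An added example, not part of the original post: a shell check that finds SNAT rules in `iptables-save` output, reports which table holds them, and flags any whose `--to-source` address is not configured on the outgoing interface. The function names, the eth0 address and the /24 prefix lengths are assumptions; the sample text is constructed from the rule and eth1 address given in the post.

```shell
# Constructed sample data (not captured from a real host), shaped like
# `iptables-save` and `ip -o -4 addr show` after the steps in the post.
# The eth0 address and the /24 prefix lengths are assumptions.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 217.204.233.8
COMMIT'
SAMPLE_ADDRS='2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 217.204.233.9/24 brd 217.204.233.255 scope global eth1'

# Print "<table> <out-iface> <to-source>" for each SNAT rule read on stdin.
# `iptables -L` lists only *filter; `iptables -t nat -L -n -v` lists *nat.
snat_rules() {
    awk '/^\*/ { table = substr($0, 2) }
         /^-A / && / -j SNAT / {
             oif = "any"; src = ""
             for (i = 1; i < NF; i++) {
                 if ($i == "-o") oif = $(i + 1)
                 if ($i == "--to-source") src = $(i + 1)
             }
             print table, oif, src
         }'
}

# Succeed if address $2 is configured on interface $1 (`ip -o` text on stdin).
addr_on_iface() {
    awk -v ifc="$1" -v ip="$2" '
        $2 == ifc && $3 == "inet" { split($4, a, "/"); if (a[1] == ip) found = 1 }
        END { exit !found }'
}

# UNOWNED: the box does not hold the SNAT address, so it will not answer ARP
# for it and replies cannot return unless upstream routes it via this box.
check_snat() {   # $1 = iptables-save text, $2 = ip -o -4 addr text
    printf '%s\n' "$1" | snat_rules | while read -r table oif src; do
        if printf '%s\n' "$2" | addr_on_iface "$oif" "$src"; then state=OK; else state=UNOWNED; fi
        echo "$state $table $oif $src"
    done
}

check_snat "$SAMPLE_RULES" "$SAMPLE_ADDRS"   # live: "$(iptables-save)" "$(ip -o -4 addr show)"
```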