What am I doing wrong?
I'm not sure. It's not the arp or DNAT, IMHO, since I just recreated your scenario and it works fine.
However, a while back you said that you were also SNATing in the POSTROUTING chain from Internet to DMZ. I didn't do that, I'm just doing plain old routing. Can you see the packets on the DMZ subnet?
Nope, you were right back then too, SNAT was not needed. tcpdump -n -i eth1 src or dst 192.168.1.3 doesn't give me any output other than the tcpdump header.
OK, so just for the record, here's what I did:

Router:

ifconfig eth0 192.168.1.42 netmask 255.255.255.0 broadcast 192.168.1.255 up
ifconfig eth0:0 192.168.1.40 netmask 255.255.255.0 broadcast 192.168.1.255 up
ifconfig eth1 192.168.72.254 netmask 255.255.255.0 broadcast 192.168.72.255 up
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.40 --dport 80 -j LOG
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.40 --dport 80 -j DNAT \
    --to 192.168.72.4:80

'Hidden' Server:

ifconfig eth0 192.168.72.4 netmask 255.255.255.0 broadcast 192.168.72.255 up
route add default 192.168.72.254

(There may be a 'gw' missing in that route statement, I'm too lazy to consult the man page right now.)

Then, I could access the SuSE default web server page on 192.168.10.40 or rather 192.168.72.4.

HTH
Tobias
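Added diagnostic script for the situation in this thread (translated packets never showing up on the DMZ side); it is not code from either poster. It assumes Tobias' layout: eth0/192.168.1.40 outside, eth1 as the DMZ interface, the hidden server at 192.168.72.4:80, and checks the three things that silently swallow DNATed traffic on the router: ip_forward, the DNAT counters, and the FORWARD chain policy.

```shell
#!/bin/sh
# Assumed router layout (from the thread): eth1 = DMZ, hidden server 192.168.72.4:80.
DMZ_IF=eth1
TARGET=192.168.72.4:80

# forwarding_enabled [FILE]: succeeds if the kernel forwards IPv4 packets.
# FILE is a parameter only so the check can be exercised offline.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# dnat_hits "<output of iptables -t nat -L PREROUTING -v -n -x>" DEST
# Prints the packet counter of the DNAT rule whose --to is DEST, or 0 if absent.
# Columns of that listing: pkts bytes target prot opt in out source destination ...
dnat_hits() {
    printf '%s\n' "$1" | awk -v dest="$2" '
        $3 == "DNAT" && index($0, "to:" dest) { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# forward_policy "<output of iptables -L FORWARD -n>": prints the chain policy.
forward_policy() {
    printf '%s\n' "$1" | awk '/^Chain FORWARD/ { gsub(/[()]/, ""); print $4; exit }'
}

# diagnose: run on the live router as root; each step names what to fix.
diagnose() {
    forwarding_enabled || echo "ip_forward is 0: DNATed packets will never be routed to $DMZ_IF"
    hits=$(dnat_hits "$(iptables -t nat -L PREROUTING -v -n -x)" "$TARGET")
    echo "DNAT rule to $TARGET has matched $hits packets (0 = rule never hit, check -d/--dport)"
    pol=$(forward_policy "$(iptables -L FORWARD -n)")
    [ "$pol" = "ACCEPT" ] || echo "FORWARD policy is $pol: a rule must allow traffic to $TARGET"
    # Final confirmation: does a translated packet actually appear on the DMZ wire?
    if timeout 5 tcpdump -n -i "$DMZ_IF" -c 1 "dst host ${TARGET%:*} and tcp dst port ${TARGET#*:}" >/dev/null 2>&1
    then echo "translated packets are reaching $DMZ_IF"
    else echo "no translated packets seen on $DMZ_IF within 5s"
    fi
}

if [ "${1:-}" = "run" ]; then diagnose; fi
```

Invoke it as `sh dnat-check.sh run` on the router while fetching http://192.168.1.40/ from the Internet side; without the argument it only defines the functions.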