10 Dec 2001, 12:22
What am I doing wrong?
I'm not sure. It's not the arp or DNAT, IMHO, since I just recreated your scenario and it works fine. However, a while back you said that you were also SNATing in the POSTROUTING chain from Internet to DMZ. I didn't do that, I'm just doing plain old routing. Can you see the packets on the DMZ subnet? Incidentally, I don't know if this matters at all, but when I tcpdumped eth0 for dst port 80, I didn't see the pre-DNAT IP address at all, only the DNATed one.

HTH
Tobias