Hi all,

I set up a server with 2 virtual machines (kvm) using libvirt. The public interface is eth0, virbr1 being the VM interface with IP 10.1.70.1. My goal is to send external SMTP and HTTP traffic in TCP to one VM (10.1.70.13). The other VM (10.1.70.11), an Asterisk server, should receive IAX, SIP and RTP in UDP. I can ping the VMs from the host.

With iptables and DNAT everything is working like I want; the only problem is that the source IP is the one from my virbr1 (10.1.70.1) and not the original source one. People from netfilter told me I should give tproxy a try, and that's what I'm trying to set up.

Context: Debian Lenny with kernel 2.6.30 and iptables 1.4.4 from backports. tproxy modules are loaded.

The applied rule is:

    sudo iptables -t mangle -A PREROUTING -p tcp -d <public IP> --dport 25 -j TPROXY --on-port 25 --on-ip 10.1.70.13 --tproxy-mark 254

The mark 254 is

    0:      from all lookup local
    32759:  from all to 10.1.0.0/16 lookup main
    32760:  from all to 10.100.0.0/16 lookup main
    32761:  from all to 10.99.4.0/16 lookup main
    32762:  from all fwmark 0xca lookup isp2
    32763:  from all fwmark 0xc9 lookup isp1
    32764:  from 91.137.30.70 lookup isp1
    32765:  from all to 0.0.0.0 lookup main
    32766:  from all lookup main
    32767:  from all lookup default

From the host I can telnet to port 25 of the VM:

    $ telnet 10.1.70.13 25
    Trying 10.1.70.13...
    Connected to 10.1.70.13.
    Escape character is '^]'.
    220 xxx.xxx.xxx.xxx ESMTP Postfix (Debian/GNU)
    ^]
    telnet> quit
    Connection closed.

but I can't telnet to the public IP from the host or from outside :-(

A tshark running on the VM shows no incoming traffic, so the problem is on the host.

The following iptables rules are the ones I use for DNAT and which are working:

    $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d <public IP> --dport 25 -j DNAT --to 10.1.70.13
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT

What am I missing? Can tproxy do what I want?

Thanks for any hint.

Regards
--
Daniel
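Added example, not part of Daniel's post: a POSIX shell check that parses an `ip rule show` listing (the embedded sample is a constructed copy of the listing quoted above) and reports whether a policy-routing rule exists for a given --tproxy-mark, since the TPROXY target only diverts a packet if a fwmark rule sends it to a table with a local route. The two commands printed by tproxy_routing_cmds are the standard fwmark/local-route pair from the kernel's tproxy documentation; the table number 100 and the mark being given in decimal are assumptions.

```shell
#!/bin/sh
# Constructed sample: the ip rule listing from the post (marks are shown in hex by ip).
IP_RULES_SAMPLE='0:      from all lookup local
32759:  from all to 10.1.0.0/16 lookup main
32760:  from all to 10.100.0.0/16 lookup main
32761:  from all to 10.99.4.0/16 lookup main
32762:  from all fwmark 0xca lookup isp2
32763:  from all fwmark 0xc9 lookup isp1
32764:  from 91.137.30.70 lookup isp1
32765:  from all to 0.0.0.0 lookup main
32766:  from all lookup main
32767:  from all lookup default'

# has_fwmark_rule MARK [RULES]
# Returns 0 if a policy rule matches fwmark MARK (given in decimal, as on the
# iptables command line), 1 otherwise. RULES defaults to the live "ip rule show"
# output. ip prints marks in hex and may append a mask ("0xfe/0xff"), so the
# match allows a space, a slash or end of line after the hex value.
has_fwmark_rule() {
    mark_hex=$(printf '0x%x' "$1")
    rules=${2:-$(ip rule show)}
    printf '%s\n' "$rules" | grep -Eq "fwmark ${mark_hex}([ /]|$)"
}

# tproxy_routing_cmds MARK [TABLE]
# Prints (does not run) the two commands TPROXY needs so that packets carrying
# MARK are routed to a table whose only route delivers everything locally.
# TABLE defaults to 100 (assumption; any unused table id works).
tproxy_routing_cmds() {
    table=${2:-100}
    printf 'ip rule add fwmark %s lookup %s\n' "$1" "$table"
    printf 'ip route add local 0.0.0.0/0 dev lo table %s\n' "$table"
}

# check_tproxy_mark MARK [RULES]
# Reports the result for one mark and suggests the missing rules if absent.
check_tproxy_mark() {
    if has_fwmark_rule "$1" "$2"; then
        echo "fwmark $1: routing rule present"
    else
        echo "fwmark $1: no routing rule, TPROXY-marked packets will not be diverted; add:"
        tproxy_routing_cmds "$1"
        return 1
    fi
}

# Usage against the sample listing: 202 (0xca) is present, 254 (0xfe) is not.
check_tproxy_mark 202 "$IP_RULES_SAMPLE"
check_tproxy_mark 254 "$IP_RULES_SAMPLE" || true
```

Run it without the second argument on the host to check the live rule set instead of the sample.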