Here is the situation: I have 2 subnets with real addresses and one with local (fake, 10.x.x.x). So for the local ones I do NAT'ing to one real address. When I had only one "real" subnet I could settle with:

    iptables -t nat -A POSTROUTING -s ! realnet1/mask -j SNAT --to ipaddr-nat

So, right now, when I have two, I have to do something like:

    iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o eth1 -j SNAT --to ipaddr-nat

eth1 is the link through which the NAT'ed IPs go out.

Q: Is this ok? My concern is about messages like this:

    64 bytes from realipaddr2: icmp_seq=1 ttl=255 time=246 usec
    From gw (10.0.0.1): Redirect Host(New nexthop: realipaddr2)
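Added example, not part of the original post: a small Python model of the source and output-interface selectors of the two POSTROUTING rules above, showing which packets each rule would hand to SNAT once a second real subnet exists. The 192.0.2.0/24 and 198.51.100.0/24 ranges are constructed stand-ins for realnet1 and realnet2, and eth0 is a hypothetical inside interface; only the match logic is modelled, not the address rewrite.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges) for the post's
# realnet1/mask and realnet2/mask; 10.0.0.0/24 and eth1 are from the post.
REALNET1 = ipaddress.ip_network("192.0.2.0/24")
REALNET2 = ipaddress.ip_network("198.51.100.0/24")
LOCALNET = ipaddress.ip_network("10.0.0.0/24")


def rule_matches(rule, src, out_if):
    """Evaluate the -s / negated -s / -o selectors of one POSTROUTING rule."""
    addr = ipaddress.ip_address(src)
    if "src" in rule and addr not in rule["src"]:
        return False
    if "not_src" in rule and addr in rule["not_src"]:
        return False
    if "out_if" in rule and rule["out_if"] != out_if:
        return False
    return True


# iptables -t nat -A POSTROUTING -s ! realnet1/mask -j SNAT --to ipaddr-nat
OLD_RULE = {"not_src": REALNET1}
# iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o eth1 -j SNAT --to ipaddr-nat
NEW_RULE = {"src": LOCALNET, "out_if": "eth1"}

# Constructed sample packets: (source address, outgoing interface).
PACKETS = [
    ("192.0.2.10", "eth1"),     # host on realnet1 leaving via the uplink
    ("198.51.100.10", "eth1"),  # host on realnet2 leaving via the uplink
    ("10.0.0.20", "eth1"),      # local host leaving via the uplink
    ("10.0.0.20", "eth0"),      # local host routed to a hypothetical inside interface
]


def snat_table(rule):
    """Return {packet: bool} telling whether the rule would SNAT each packet."""
    return {pkt: rule_matches(rule, *pkt) for pkt in PACKETS}


if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE)):
        for (src, out_if), hit in snat_table(rule).items():
            print(f"{name}: src={src:<14} out={out_if} SNAT={hit}")
```

In this model the negated-source rule also translates realnet2 traffic, while the rule keyed on 10.0.0.0/24 and eth1 translates only local hosts leaving through the uplink.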