I recently upgraded our firewall from an older 2.4.2 kernel to the most recent 2.4.14, and the iptables binaries from 1.2.1a to 1.2.4. Or rather, I *tried* to upgrade; something have very muched changed and my old firewall rules don''t seem to work anymore. One symptom I''ve noticed seems to be that packets which match an ACCEPT rule in the OUTPUT chain are still being tested against the POSTROUTING chain in the nat table. I thought that once something was accepted, it was good to go? That''s certainly how it works with my older 2.4.2 kernel setup.