Hello,
I seem to have something broken on my firewall for redirecting incoming
ipip packets to my gateway box. It appears to work fine at times but
fails periodically, typically after a reset/power failure. Usually it
comes back after several reboots of firewall and router but this process
is inconsistent.
The latest reboot had me digging deeper to try to find the real problem,
and I have discovered that only the rule in the FORWARD chain of the filter
table is firing, not the DNAT in the nat table. I suspect the firewall
is only working when some connection (outgoing?) wakes up the
masquerade rules, but I haven't actually found the rule that is active.
The firewall is running on OpenWRT using iptables (old version 1.3.8)
and the rules as I think they should work are:
## for ampr.org tunnels
iptables -t nat -I PREROUTING -p 4 -i eth0.1 -j DNAT \
--to-destination 192.168.99.66
iptables -t filter -I FORWARD -p 4 -i eth0.1 -j ACCEPT
As I understand it, the first re-writes the destination for ipip packets
to my gateway and the second allows them to be forwarded; however, the
counter on the first stays stuck at 0.
A reference to what sounds like a similar problem:
https://sourceforge.net/p/ipcop/mailman/message/17780204/
It would be really nice to get this sorted properly; any debugging hints
appreciated. In particular, am I correct in expecting both rule counters
to match?
thx ...
... Niall
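As an added example (not part of Niall's mail, and not OpenWRT or iptables project code), the script below parses the output of `iptables -vnxL` for the two rules quoted in the mail and reports what the counter relationship means. It runs offline on two constructed sample chain listings that mirror the symptom described (DNAT counter 0, FORWARD counter in the thousands); on the router the same functions would be fed the real output of the commands named in the comments. The interpretation it encodes is standard iptables behaviour: the nat table is consulted only for the first packet of a conntrack flow, and later packets of that flow reuse whatever NAT mapping (or lack of one) conntrack recorded, so a nat counter far below the FORWARD counter is normal, while a nat counter stuck at 0 with FORWARD climbing is consistent with the flow's conntrack entry having been created before the DNAT rule was in place. The interface, target and protocol values are taken from the mail; the sample byte and packet counts are made up.

```shell
#!/bin/sh
# Added example (not from the original mail): parse `iptables -vnxL` output
# and compare the packet counters of the nat PREROUTING DNAT rule and the
# filter FORWARD ACCEPT rule for protocol 4 (IPIP).
#
# On the router the real input would come from:
#   iptables -t nat -vnxL PREROUTING
#   iptables -t filter -vnxL FORWARD
# (-x prints exact counters instead of the rounded "980K" style.)
# The two samples below are constructed to mirror the symptom in the mail.

NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 1234 packets, 102400 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       4    --  eth0.1 *       0.0.0.0/0            0.0.0.0/0           to:192.168.99.66'

FWD_SAMPLE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    8421    1003520 ACCEPT     4    --  eth0.1 *       0.0.0.0/0            0.0.0.0/0'

# rule_pkts OUTPUT TARGET PROTO IFACE
# Prints the pkts counter of the first rule in OUTPUT whose target, protocol
# and input interface match; prints "missing" if there is no such rule.
# Column layout of -vnL output: pkts bytes target prot opt in out src dst ...
rule_pkts() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" -v i="$4" '
        NR > 2 && $3 == t && $4 == p && $6 == i { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# verdict NAT_PKTS FWD_PKTS
# The nat table is traversed only for the first packet of a conntrack flow;
# later packets of the same flow reuse the stored mapping. So the counters
# are not expected to match: nat <= forward is normal. The case to worry
# about is nat == 0 while forward > 0: the flow was created while no DNAT
# rule matched, and its conntrack entry carries no NAT binding until it
# expires, so the nat rule is never consulted again for that flow.
verdict() {
    if [ "$1" = missing ] || [ "$2" = missing ]; then
        echo "rule-missing"
    elif [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then
        echo "dnat-never-matched"
    elif [ "$1" -le "$2" ]; then
        echo "ok-first-packet-only"
    else
        echo "unexpected"
    fi
}

# Follow-up checks for the router, printed as text so this script is safe
# to run anywhere.
advice() {
    case "$1" in
        dnat-never-matched)
            echo "Look for a proto 4 conntrack entry from eth0.1 with no NAT mapping:"
            echo "  cat /proc/net/ip_conntrack 2>/dev/null || cat /proc/net/nf_conntrack"
            echo "Load the nat rule before traffic can arrive on eth0.1 (before the"
            echo "interface comes up), or clear the stale entry so the next packet"
            echo "is treated as a new flow and re-evaluates the nat table." ;;
        rule-missing)
            echo "One of the two rules is not loaded; re-check 'iptables -t nat -vnxL'." ;;
        *)
            echo "Counters are consistent with nat being consulted once per flow." ;;
    esac
}

np=$(rule_pkts "$NAT_SAMPLE" DNAT 4 eth0.1)
fp=$(rule_pkts "$FWD_SAMPLE" ACCEPT 4 eth0.1)
v=$(verdict "$np" "$fp")
echo "nat PREROUTING DNAT pkts=$np, filter FORWARD ACCEPT pkts=$fp -> $v"
advice "$v"
```

To use it on the router, replace the two sample strings with `$(iptables -t nat -vnxL PREROUTING)` and `$(iptables -vnxL FORWARD)`; the `rule_pkts` parser relies on the fixed column order of `-vnL` output, which is the same on the old 1.3.8 release mentioned in the mail.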