Subject: Re: Does IPNAT rdr work?
To: None <mason@acheron.middleboro.ma.us>
From: Ian Dall <Ian.Dall@dsto.defence.gov.au>
List: current-users
Date: 05/13/1998 12:20:43
OK. I got rdr to work. I needed to add a route to the hidden host to route
outgoing packets through the gateway. Without that, the packets never get
to the gateway to have their address translated. Doh!

Ian Dall <Ian.Dall@dsto.defence.gov.au> writes:

  > Mason Loring Bliss <mason@acheron.middleboro.ma.us> writes:
  >> Wait... Doh! You're not doing any mapping! Your redirect filter is going
  >> to pass stuff through, but without mapping your inside machine can't reply -
  >> at least, that's my understanding. Does that seem to apply here?

A look at the source seems to confirm that the map is not necessary.
It seems to work like this: when a packet comes in, check if there is
a table entry to do remapping. If so, use it, else generate one if there
is a rule which covers that case. The address translation happens
on packets going both ways, but the new table entries are only created
for incoming packets in the case of rdr or outgoing packets in the case
of map.

Of course, in most cases, you would want a map anyway, but not for an
X term.

Ian
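
The table behaviour described in the message above, as an added example that is not part of the original message and is not IPFilter code. It is a toy model that ignores ports and protocols; the class, function names and addresses are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str

class Gateway:
    """Toy model of the table logic described in the message (not IPFilter code)."""

    def __init__(self, rdr=None, map_=None):
        self.rdr = rdr or {}    # rdr rules: external dst address -> hidden host
        self.map = map_ or {}   # map rules: hidden src address -> external address
        self.table = set()      # entries: (hidden_addr, external_addr, peer_addr)

    def incoming(self, p):
        for hidden, external, peer in self.table:      # existing entry wins
            if (p.dst, p.src) == (external, peer):
                return Packet(p.src, hidden)
        if p.dst in self.rdr:                          # rdr creates entries here only
            self.table.add((self.rdr[p.dst], p.dst, p.src))
            return Packet(p.src, self.rdr[p.dst])
        return p

    def outgoing(self, p):
        for hidden, external, peer in self.table:      # existing entry wins
            if (p.src, p.dst) == (hidden, peer):
                return Packet(external, p.dst)
        if p.src in self.map:                          # map creates entries here only
            self.table.add((p.src, self.map[p.src], p.dst))
            return Packet(self.map[p.src], p.dst)
        return p

# Constructed addresses (documentation ranges), not taken from the thread.
EXT, HIDDEN, CLIENT, OTHER = "192.0.2.1", "10.0.0.5", "198.51.100.7", "203.0.113.9"

def demo():
    gw = Gateway(rdr={EXT: HIDDEN})                    # rdr rule only, no map rule
    request = gw.incoming(Packet(CLIENT, EXT))         # creates the table entry
    reply = Packet(request.dst, request.src)           # hidden host answers
    return {
        "request": request,
        "reply_via_gateway": gw.outgoing(reply),       # rewritten from the entry
        "reply_bypassing_gateway": reply,              # no route via gateway: untranslated
        "new_outbound_no_map": gw.outgoing(Packet(HIDDEN, OTHER)),
    }

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:26} {pkt.src} -> {pkt.dst}")
```

The last case shows why a map rule is still wanted in most setups: a connection the hidden host starts itself matches no table entry and leaves with its internal source address.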