Subject: Re: is this a job for ipnat?
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 12/05/1999 21:46:26

In some email I received from der Mouse, sie wrote:
> Looks as though I'll have to special-case it in the kernel, since (if
> I've understood you correctly) ipnat can't match packets based on
> ip_src and tcp_sport, and can't rewrite tcp packets without insisting
> on keeping state about connections-in-progress.

rdr supports matching the source and destination address - but not in
the version used by 1.4/1.4.1 (3.2.10).  Anything post 3.2.10 will have
it in, and it is used as:

rdr <if> from <ip>/<mask> <ip>/<mask> port <port> -> <ip> port <port> tcp

You only have to worry about things `expiring' if you're using filtering
(keep state) as the nat entries will just get recreated.

Darren