--=_courier-4888-1047309645-0001-2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Mon, Mar 10, 2003 at 11:39:21AM +0200, Dan Broscoi wrote:
> i'm writing you after reading your post on=20
http://hypermail.idiosynkrasia.net/linux-kernel/archived/2002/week28/142
9.html
> I have the same problem, compiling a 2.4.20 kernel on Debian 3.0
> Do you know the fix for this ?
no one could really offer any help in the end. i think having the
multiple snat rules matching on all interfaces may have been
triggering a race in the conntrack code. i should probably resubmit
my findings.
anyway, limitting the rules by matching them only to their appropriate
interfaces seemed to alleviate the problem.
so now i use something similar to this:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 \
-j SNAT --to 10.1.1.15
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 \
-j SNAT --to 192.168.1.1
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.2.0/24 \
-j SNAT --to 192.168.2.1
---note the -o interface rules. this keeps it from applying more than one snat rule to a packet. it only applies them to the packet going out the proper interface.
ps. i'm actually going to bounce this to the kernel list again to see if i can stir up any more noise on this one. --=20 ____________________}John Flinchbaugh{______________________ | glynis@hjsoft.com http://www.hjsoft.com/~glynis/ | ~~Powered by Linux: Reboots are for hardware upgrades only~~
--=_courier-4888-1047309645-0001-2 Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit Content-Disposition: inline
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+bKkqCGPRljI8080RAgC9AJoCvL26DiDMP/GuSYKV5HFDFskZHQCggXNW K0mMddPoWAcGFsXr+X0Hyzw= =zdV6 -----END PGP SIGNATURE-----
--=_courier-4888-1047309645-0001-2--