David Lamparter <david.lamparter@t-online.de> wrote:

> Do you have NAT / mangling / etc. running somewhere? The connection
> tracking timeout is 500 s afaik, maybe GRE is NATed on one of your
> gateways?
>
> A possible explanation would be that east does SNAT on GRE packets or
> west does DNAT on GRE ... so when east tries to reach west, the packet
> is SNAT'ed or DNAT'ed and therefore doesn't reach west, but when west
> tries to reach east, connection tracking information is set up on both
> routers so it works ... until the timeout expires.

That's it. It actually happens when going from west to east, I just never
noticed it before. Thanks for the clue.

Steve

ps. I know this isn't the appropriate list, but could someone see what
iptables rule needs to be changed to make this not happen (rules generated
from the script found at: http://www.asgardsrealm.net/linux/firewall ).

[root@east root]# iptables -L
Chain INPUT (policy DROP)
target     prot        opt source              destination
ACCEPT     ipv6-auth   --  anywhere            anywhere
ACCEPT     ipv6-crypt  --  anywhere            anywhere
ACCEPT     icmp        --  anywhere            anywhere
ACCEPT     all         --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT     all         --  east.somenet.com    east.somenet.com
ACCEPT     tcp         --  anywhere            anywhere            tcp dpt:http
ACCEPT     udp         --  anywhere            anywhere            udp dpt:http
ACCEPT     tcp         --  anywhere            anywhere            tcp dpt:re-mail-ck
ACCEPT     udp         --  anywhere            anywhere            udp dpt:re-mail-ck
ACCEPT     tcp         --  anywhere            anywhere            tcp dpt:51
ACCEPT     udp         --  anywhere            anywhere            udp dpt:51
ACCEPT     tcp         --  anywhere            anywhere            tcp dpt:47
ACCEPT     udp         --  anywhere            anywhere            udp dpt:47
ACCEPT     udp         --  anywhere            anywhere            udp dpt:isakmp
ACCEPT     tcp         --  anywhere            anywhere            tcp dpt:ssh
ACCEPT     tcp         --  anywhere            anywhere            tcp dpt:smtp
ACCEPT     tcp         --  anywhere            anywhere            tcp dpt:http
ACCEPT     tcp         --  anywhere            anywhere            tcp dpt:https
ACCEPT     all         --  anywhere            anywhere
LOG        all         --  anywhere            anywhere            LOG level info prefix `FIREWALL: Filter-INPUT '

Chain FORWARD (policy DROP)
target     prot        opt source              destination
ACCEPT     all         --  192.168.1.0/24      192.168.0.0/24
ACCEPT     all         --  192.168.0.0/24      192.168.1.0/24
ACCEPT     all         --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT     all         --  192.168.2.0/24      anywhere
ACCEPT     all         --  192.168.1.0/24      anywhere
ACCEPT     all         --  192.168.0.0/24      anywhere
LOG        all         --  anywhere            anywhere            LOG level info prefix `FIREWALL: Filter-FORWARD '

Chain OUTPUT (policy DROP)
target     prot        opt source              destination
ACCEPT     all         --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT     all         --  192.168.0.0/24      anywhere
ACCEPT     all         --  192.168.1.0/24      anywhere
ACCEPT     all         --  192.168.2.0/24      anywhere
ACCEPT     all         --  east.somenet.com    east.somenet.com
ACCEPT     all         --  anywhere            anywhere
ACCEPT     all         --  somenet.com         somenet.com
LOG        all         --  anywhere            anywhere            LOG level info prefix `FIREWALL: Filter-OUTPUT '

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
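The listing above is the filter table only (`iptables -L` without `-t nat`), and every chain in it reaches an `ACCEPT all` before its LOG rule, so the SNAT/DNAT that Lamparter describes has to live in the nat table, which the post does not show; note also that the INPUT chain opens TCP/UDP port 47 rather than IP protocol 47 (GRE). As an added example, not code from the thread or from the asgardsrealm script, this POSIX shell snippet picks out the NAT rules in an `iptables-save` dump that would also rewrite GRE, and prints the exemption rules to insert ahead of them; the sample dump and the endpoint addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: find the NAT rules that would also
# rewrite GRE (IP protocol 47) and print the exemption rules to insert.

# Read an `iptables-save -t nat` dump on stdin and print every SNAT/DNAT/
# MASQUERADE rule that has no -p match at all, or matches -p gre / -p 47.
# These are the rules that rewrite the tunnel's outer header; the tunnel
# then works in one direction only until the conntrack entry expires.
gre_nat_rules() {
    awk '
        /-j (SNAT|DNAT|MASQUERADE)/ {
            proto = "all"
            for (i = 1; i <= NF; i++) if ($i == "-p") proto = $(i + 1)
            if (proto == "all" || proto == "gre" || proto == "47") print
        }'
}

# Print the two iptables commands that keep GRE between the two tunnel
# endpoints out of NAT: ACCEPT in the nat table means "no translation", and
# it must sit ahead of the SNAT/DNAT/MASQUERADE rules, hence position 1.
# $1 is this router's own tunnel endpoint address, $2 the peer's; both are
# placeholders, the thread does not give the endpoint addresses.
gre_exempt_rules() {
    printf 'iptables -t nat -I POSTROUTING 1 -p gre -s %s -d %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -t nat -I PREROUTING 1 -p gre -s %s -d %s -j ACCEPT\n' "$2" "$1"
}

# Constructed sample nat table in iptables-save format (documentation
# address ranges, not the routers in the thread).
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.5:80
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -p gre -j SNAT --to-source 203.0.113.10
COMMIT'

echo "NAT rules that also catch GRE:"
printf '%s\n' "$SAMPLE_NAT" | gre_nat_rules
echo "Exemption rules to insert on this router (east side shown):"
gre_exempt_rules 203.0.113.10 198.51.100.20
```

Pipe the real output of `iptables-save -t nat` from east and from west into `gre_nat_rules` to see which of the two routers is rewriting the tunnel packets.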