Yeah, you are correct, Jeff. Don't know what I was thinking. Maybe that's the problem: I wasn't.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jeffrey Laramie
Sent: Tuesday, November 25, 2003 1:25 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: NAT & MySQL

Mark E. Donaldson wrote:

> The ACK packets you see in your dump are probably being dropped at the
> firewall because a state table entry does not exist. So you need to
> add a NEW rule to do this:
>
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state NEW -j ACCEPT
>
> This rule will then allow your ESTABLISHED,RELATED rule to work and
> permit those ACK packets to pass.
>

Hi Mark,

I'm not sure I understand what this rule does for him. Only the first packet from the web client would be NEW, and based on his FORWARD rules that's been accepted, and the dump shows it went through (although I'd still like to see his SNAT rule). Your rule would open his MySQL server to any NEW packet. Are you saying that the RELATED ACK packets won't go through unless the first packet is matched with a NEW state and makes an entry in the state table?

Jeff
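As an added example (not from the thread and not netfilter's own code), here is a toy Python model of the FORWARD chain with connection tracking. It takes Mark's rule verbatim, puts it beside the ESTABLISHED,RELATED rule he refers to, and adds an assumed narrower NEW rule limited to TCP port 3306. The addresses, the interface roles (ppp0 towards the web client, eth0 towards the MySQL server) and the port-22 probe are assumptions; NAT, TCP flag checking and conntrack timeouts are deliberately left out. It shows that with only the ESTABLISHED,RELATED rule the client's first packet is NEW and is dropped, so no table entry is ever confirmed and nothing later can match ESTABLISHED; that Mark's rule fixes this but, as Jeff points out, also admits new connections to any port behind eth0; and that a port-scoped NEW rule admits only the MySQL handshake.

```python
"""Toy model of iptables FORWARD evaluation with conntrack state matching.

Constructed example: models only what the thread turns on (rule order,
-i/-o/-p/--dport matching and NEW vs ESTABLISHED), nothing more.
"""


def parse_rule(cmd):
    """Parse the subset of `iptables -A FORWARD ...` syntax used in the thread.

    Tokens without match semantics here (iptables, -A, FORWARD, -m state) are
    skipped; only -i, -o, -p, --dport, --state and -j are interpreted.
    """
    opts = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport",
            "--state": "state", "-j": "target"}
    rule = {key: None for key in opts.values()}
    toks = cmd.split()
    for i, tok in enumerate(toks):
        if tok in opts:
            rule[opts[tok]] = toks[i + 1]
    if rule["dport"] is not None:
        rule["dport"] = int(rule["dport"])
    if rule["state"] is not None:
        rule["state"] = set(rule["state"].split(","))
    return rule


class Conntrack:
    """State table keyed on the direction-independent 5-tuple."""

    def __init__(self):
        self.entries = set()

    @staticmethod
    def _key(pkt):
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return (pkt["proto"], *ends)

    def state(self, pkt):
        # No entry: NEW (Linux conntrack with its default tcp_loose setting
        # classifies a mid-stream ACK the same way). Entry present: ESTABLISHED.
        # RELATED (ICMP errors, helper-opened ports) is not modelled.
        return "ESTABLISHED" if self._key(pkt) in self.entries else "NEW"

    def confirm(self, pkt):
        # An entry is confirmed only after the packet survives the chains;
        # a dropped NEW packet leaves nothing for later packets to match.
        self.entries.add(self._key(pkt))


class Firewall:
    def __init__(self, rules, policy="DROP"):
        self.rules = [parse_rule(r) for r in rules]
        self.policy = policy
        self.ct = Conntrack()

    def forward(self, pkt):
        """Run one packet through FORWARD; return (conntrack state, verdict)."""
        state = self.ct.state(pkt)
        verdict = self.policy
        for r in self.rules:  # first matching rule decides, as in iptables
            if r["in"] and r["in"] != pkt["in"]:
                continue
            if r["out"] and r["out"] != pkt["out"]:
                continue
            if r["proto"] and r["proto"] != pkt["proto"]:
                continue
            if r["dport"] and r["dport"] != pkt["dport"]:
                continue
            if r["state"] and state not in r["state"]:
                continue
            verdict = r["target"]
            break
        if verdict == "ACCEPT":
            self.ct.confirm(pkt)
        return state, verdict


CLIENT, SERVER = "203.0.113.5", "192.168.1.10"  # constructed addresses


def tcp(iface_in, iface_out, src, sport, dst, dport):
    return {"in": iface_in, "out": iface_out, "proto": "tcp",
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def handshake(rules, dport=3306):
    """Client on ppp0 opens a TCP connection to the server behind eth0.

    Returns (state, verdict) per packet, stopping at the first drop, since a
    dropped packet never elicits the next one in the exchange.
    """
    fw = Firewall(rules)
    packets = [
        tcp("ppp0", "eth0", CLIENT, 40000, SERVER, dport),  # SYN
        tcp("eth0", "ppp0", SERVER, dport, CLIENT, 40000),  # SYN/ACK
        tcp("ppp0", "eth0", CLIENT, 40000, SERVER, dport),  # ACK
    ]
    seen = []
    for pkt in packets:
        state, verdict = fw.forward(pkt)
        seen.append((state, verdict))
        if verdict != "ACCEPT":
            break
    return seen


ESTABLISHED_ONLY = [
    "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
]
# Mark's rule from the thread: any NEW packet from ppp0 to eth0.
BROAD_NEW = ESTABLISHED_ONLY + [
    "iptables -A FORWARD -i ppp0 -o eth0 -m state --state NEW -j ACCEPT",
]
# Assumed alternative: NEW only for the MySQL port.
MYSQL_NEW = ESTABLISHED_ONLY + [
    "iptables -A FORWARD -i ppp0 -o eth0 -p tcp --dport 3306 -m state --state NEW -j ACCEPT",
]

if __name__ == "__main__":
    for name, rules in [("established-only", ESTABLISHED_ONLY),
                        ("broad NEW", BROAD_NEW), ("mysql-only NEW", MYSQL_NEW)]:
        print(f"{name:17} port 3306: {handshake(rules)}")
        print(f"{name:17} port 22:   {handshake(rules, dport=22)}")
```

Running it prints one line per ruleset and port: the established-only set drops the SYN and never gets further, the broad rule accepts the full handshake on both 3306 and 22, and the port-scoped rule accepts it on 3306 only. The model confirms entries only for accepted packets, which is the behaviour behind Jeff's question: an ESTABLISHED match can only succeed for a connection whose first packet was itself accepted.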