RE: Problem with nat/OUTPUT/DNAT rule


 



Ya know, I just read that in some FAQ on the netfilter site.  I did a search last night but I guess I either misspelled the search terms or the caffeine caused me to miss the point. :)
 
I'm trying to recompile it now.  I have a few problems as my original changes were made to the RPM source files for the RPM build.  The primary kernel tree doesn't contain these changes which is probably why the compile of iptables didn't pick up the change.
 
Thanks, 
 
Gary
 

________________________________

From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Jason Opperisano
Sent: Fri 11/12/2004 9:07 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Problem with nat/OUTPUT/DNAT rule



On Thu, Nov 11, 2004 at 11:34:09PM -0800, Gary W. Smith wrote:
> I have been trying to upgrade a RH9 firewall box running 1.2.7a to RHEL3.  I applied patch-o-matic pptp-conntrack to the RHEL3 kernel and everything "seemed" fine.  I have an automated script that generates some baseline firewall rules for some clients.  Anyways, it fails only on RHEL3 1.2.7a.  It works on my FC2 and RH9 boxes.
> 
> The failure always happens on the nat filter, output chain:
> 
> [0:0] -A OUTPUT -d 66.120.18.34 -j DNAT --to-destination 192.198.0.34
> 
> Any ideas?

you say you applied a patch from POM and recompiled your kernel.  did
you also rebuild iptables?  IIRC the pptp-conntrack patch changes the
size of the internal structures, so an unpatched iptables will fail to
add rules in this way (usually on a NAT rule).

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>




