Re: Private traffic seen on public NATed interface - Linux 2.6.10-11 tested

On Wednesday, March 16, 2005 1:49 PM,
James MacLean wrote:

[...]
May I suggest someone else even try it at home :), or on a half busy
box? We _are_ honestly seeing this at different sites with different
rules, but with the common SNAT for private IP space.
[...]

Sorry I cannot provide anything to solve your problem, but maybe you want to check the following:
I also had (and still have, I just ignore it at the moment) a quite similar problem: some packets that should have been modified by NAT were not processed, but in the direction "Internet --> NATted Clients" (exactly the opposite direction to the one that makes problems in your setup), so that the missed packets hit the INPUT rules of my router.
If you want more detailed information please see http://lists.netfilter.org/pipermail/netfilter/2005-January/057795.html
Now to the property you might want to check: all packets not correctly processed by NAT had the state INVALID. I am not sure when/why the connection became INVALID, but since there had been traffic in both directions before, it is unlikely that it was INVALID in the first place.
Perhaps your unprocessed packets are also considered INVALID?
This is of course far from a solution (since it is still unclear why they become INVALID), but if we can find further criteria that apply to all these similar problems, maybe we are able to track it down.


Marius
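One way to run the check Marius proposes, as an added example that is not part of the thread: since the nat table is only consulted for the first packet of a tracked connection, a packet conntrack classifies INVALID never receives SNAT, so logging INVALID packets in the filter table shows whether the un-NATted packets are exactly those. The script prints (dry run) or applies iptables rules that log INVALID packets per chain and drop INVALID packets carrying a private source towards the public interface, then counts log hits per chain; eth0, 10.0.0.0/8 and the sample kernel log lines are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic for the NAT/INVALID question (not code from the thread).
# Assumptions (placeholders): eth0 is the public interface, 10.0.0.0/8 the LAN.
PUB_IF=${PUB_IF:-eth0}
LAN_NET=${LAN_NET:-10.0.0.0/8}
IPT=${IPT:-iptables}

# Emit the rules. Inserted at position 1 so the LOG fires before any
# ACCEPT rule that would otherwise hide the packet. The last rule drops
# INVALID packets that still carry a private source on the way out: such a
# packet never went through SNAT, so it must not reach the public interface.
invalid_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s -I %s 1 -m state --state INVALID -j LOG --log-prefix "CT-INVALID %s: " --log-level 4\n' \
            "$IPT" "$chain" "$chain"
    done
    printf '%s -I FORWARD 2 -o %s -s %s -m state --state INVALID -j DROP\n' \
        "$IPT" "$PUB_IF" "$LAN_NET"
}

# Apply the rules (requires root); the dry run is just invalid_rules.
apply_invalid_rules() { invalid_rules | sh; }

# Count LOG hits for one chain in a kernel log (dmesg or /var/log/messages).
# Usage: count_invalid FORWARD /var/log/messages
count_invalid() {
    grep -c "CT-INVALID $1:" "$2"
}

# Constructed sample lines in the format the LOG target writes, so the
# counting can be tried without a router at hand.
write_sample_log() {
    cat >"$1" <<'EOF'
Mar 16 14:02:11 router kernel: CT-INVALID FORWARD: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=33214 DPT=80 ACK RST
Mar 16 14:02:12 router kernel: CT-INVALID FORWARD: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=33214 DPT=80 ACK RST
Mar 16 14:02:15 router kernel: CT-INVALID INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=80 DPT=33214 ACK
EOF
}

# Dry run: show what would be applied.
invalid_rules
```

In the sample, the two FORWARD hits with SRC=10.1.2.3 and OUT=eth0 are precisely the private-source packets the original report sees on the public interface.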