On Sat, 1 Oct 2005, Marek Zachara wrote:
> Anyway, I have just noticed that not only POSTROUTING but also PREROUTING in
> the NAT table don't match packets as they should. So probably the issue is
> related to NAT table.
The NAT table is a bit special. This table only sees the very first packet
of each new conntrack session. For all consecutive packets of the same
session the same NAT rule is automatically used.
What this means is
a) You can not change NAT for a session while it is running
b) When you add NAT rules they only start to apply on the next session.
Traffic flows already seen won't be NAT:ed.
You did not tell what kind of traffic flows you are having, but the rule
fragments you show are based on UDP. UDP sessions are tracked by the
source IP, port, destination IP, port (and the reverse).
Once such a packet has been seen, the UDP session persists in conntrack/NAT
until no matching packets have been seen for the udp conntrack timeout
(usually 180 seconds).
Regards
Henrik
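The behaviour Henrik describes (nat table consulted for the first packet of a flow only, decision cached on the conntrack entry, UDP entry dropped after 180 s of silence) as an added toy simulation; this is constructed example code, not netfilter code and not from the mail, and the addresses, ports and the `Router`/`Packet` names are assumptions made up for the demonstration.

```python
# Constructed model of the conntrack/NAT behaviour described above; it is
# not netfilter code, only a simulation of the rule "the nat table sees the
# first packet of a flow only, later packets reuse the cached decision".
from dataclasses import dataclass

UDP_TIMEOUT = 180  # seconds; the usual udp conntrack timeout from the mail


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    def __init__(self):
        self.nat_rules = []   # (match_fn, new_src), POSTROUTING order
        self.conntrack = {}   # 5-tuple -> {"snat": str | None, "last_seen": float}

    def add_snat_rule(self, match, new_src):
        self.nat_rules.append((match, new_src))

    def postrouting(self, p, now):
        """Return the source address the packet leaves with."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        entry = self.conntrack.get(key)
        # an idle UDP entry is dropped once the timeout has elapsed
        if entry and now - entry["last_seen"] > UDP_TIMEOUT:
            del self.conntrack[key]
            entry = None
        if entry is None:
            # NEW flow: the only moment the nat table is consulted
            snat = next((dst for m, dst in self.nat_rules if m(p)), None)
            entry = self.conntrack[key] = {"snat": snat, "last_seen": now}
        entry["last_seen"] = now          # every packet refreshes the timeout
        return entry["snat"] or p.src


def scenario():
    """Walk the mail's points (a)/(b) and the timeout; returns observed sources."""
    r = Router()
    flow = Packet("udp", "10.0.0.5", 5000, "192.0.2.1", 53)
    out = [r.postrouting(flow, 0)]                       # no rule yet
    r.add_snat_rule(lambda q: q.src.startswith("10.0."), "203.0.113.7")
    out.append(r.postrouting(flow, 10))                  # (b): old flow unaffected
    out.append(r.postrouting(Packet("udp", "10.0.0.5", 5001, "192.0.2.1", 53), 10))
    out.append(r.postrouting(flow, 100))                 # still alive, still unNATed
    out.append(r.postrouting(flow, 300))                 # idle 200 s > 180: new flow
    return out


if __name__ == "__main__":
    print(scenario())
```

Running it prints the five observed source addresses: the old flow keeps its original source until it has been idle longer than the timeout, while a new flow started after the rule was added is translated immediately.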