Re: NAT/POSTROUTING rules doesn't match packets

On Fri, 7 Oct 2005, Marek Zachara wrote:

Well, the router startup procedure is like this:
1) boot up the core system (eth0 is built into the kernel and enabled, as the router root is
on NFS via eth0)
2) set up iptables rules
3) bring up eth1

Try adding rules before eth0 is set up, rejecting all traffic except the traffic you need for booting until the real rules are loaded later on.

So before step (3) any packets destined to the internet shall be returned with
'destination unreachable'. But I don't know if this could create the conntrack
entry.

Good question. Should be easy to try if you pause your system before 3. If you see the entry in /proc/net/ip_conntrack before bringing up eth1 then you are in trouble.

The IAX UDP packets are being sent all the time, even before the
router boots up, so it's very likely such a packet may hit the router before
netfilter (and SNAT) is configured.

Ok, which may be troublesome.

But from what I understand, the UDP NAT shall refresh every 180 seconds(?)

No. As long as there is traffic the same NAT mapping stays forever.

Only if there has been complete silence in this connection for 180 seconds or more is a new NAT mapping created.

So after 3 minutes the packets shall be NAT-ed correctly. But maybe if there is a constant flow of packets it can sustain the conntrack entry?

Correct. As long as there is traffic nothing will change.

But how to explain then that the rule has been hit 8 times within 6 hours? As far as I understand, once this rule is hit, it shall then start to NAT packets correctly...?

Good question what these 8 hits are. Other matching traffic streams perhaps?

P.S. Please let me know if you want me to set up some special test procedure
to troubleshoot this issue.

As of today I am fairly certain the issue is related to your configuration and not a general problem.

Regards
Henrik
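Henrik suggests looking in /proc/net/ip_conntrack for an entry that was created before eth1 (and the SNAT rule) came up. The script below is an added example, not part of this thread: it scans conntrack lines in that file's format and flags entries whose reply-direction dst= still points into the LAN, which is the signature of a flow that conntrack learned before SNAT existed and will keep un-NATed for as long as the UDP stream keeps the entry alive. The LAN prefix 192.168.1., the public address 198.51.100.1 and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example: detect conntrack entries that bypass SNAT because they were
# created before the nat/POSTROUTING rule was loaded. Each ip_conntrack line
# carries two tuples: original direction, then the expected reply. For a
# properly SNATed flow the reply tuple's dst= is the router's public address;
# if it is still the LAN client's address, the entry predates the NAT rule.
#
# Assumptions (constructed): LAN is 192.168.1.0/24, the router's public
# address is 198.51.100.1, IAX runs on udp/4569.

LAN_PREFIX="192.168.1."

# Sample /proc/net/ip_conntrack contents, constructed for this example.
# Line 1: IAX flow learned before SNAT (reply dst is the LAN host).
# Line 2: DNS flow learned after SNAT (reply dst is the public address).
# Line 3: SSH flow learned after SNAT.
SAMPLE_CONNTRACK='udp      17 175 src=192.168.1.10 dst=203.0.113.5 sport=4569 dport=4569 src=203.0.113.5 dst=192.168.1.10 sport=4569 dport=4569 [ASSURED] use=1
udp      17 29 src=192.168.1.20 dst=203.0.113.9 sport=40000 dport=53 src=203.0.113.9 dst=198.51.100.1 sport=53 dport=40000 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.7 sport=51000 dport=22 src=203.0.113.7 dst=198.51.100.1 sport=22 dport=51000 [ASSURED] use=1'

# Read conntrack text on stdin; print every entry whose reply-direction dst=
# (the second dst= field on the line) lies inside the LAN prefix given as $1.
unnatted_entries() {
    awk -v lan="$1" '
    {
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dst=/) {
                n++
                if (n == 2) {                 # second dst= is the reply tuple
                    reply_dst = substr($i, 5)
                    if (index(reply_dst, lan) == 1) print $0
                }
            }
        }
    }'
}

# Number of un-NATed entries in the constructed sample (expected: 1).
count_unnatted() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | unnatted_entries "$LAN_PREFIX" | wc -l | tr -d ' '
}
```

On the router itself, `unnatted_entries 192.168.1. < /proc/net/ip_conntrack` run before bringing up eth1 shows whether the IAX stream has already been recorded without NAT.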

