lost UDP packets with matching NAT rules


 



Dear List Members,

I'm using iptables (v1.3.4 on a 2.6.15.3 kernel) in order to NAT incoming UDP packets arriving on a single IP:port (1-1 rules in the PREROUTING and POSTROUTING chains in the nat table). I found out that packets are sometimes lost, therefore I developed a test program for that.

The test program receives a UDP packet from the NAT box (from the UDP socket where the iptables rules are set up), waits until the conntrack entries time out and then sends back 100 UDP packets from 100 different sockets. iptables should forward the received packets to a given destination.

The experience is that only the first packet is forwarded; the others are lost (neither received locally nor forwarded), although they are sent from 100 different ports (but from the same IP). If I list the iptables rules with "-v", I find that all 100 packets matched the iptables rules (the pkts column shows 100 in the PREROUTING and POSTROUTING chains).

I suspect it cannot be a conntrack problem, because I send packets from 100 different ports. Or are the packets looked up in the conntrack table by IP address only?

The other experience is that all 100 packets are lost if I don't wait for conntrack to time out before sending back the first packet. I don't understand it, because I never send data from the same source address where a locally generated packet was sent previously from the NAT box. So there can't be such a conntrack entry that describes that connection. And the counter in iptables is always incremented; it shows 100.

How could I find out why the packets are lost? Is there a log entry somewhere that says whether a UDP packet was dropped because of ...?

Thank you for your answer!

Best regards,
Kornel Keseru
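Conntrack keys each entry by the full protocol/address/port tuple in both directions, not by IP address alone, so 100 packets from 100 different source ports need 100 separate entries unless a matching entry already exists. The following script is an added example, not part of the post: it parses lines in the 2.6-era /proc/net/ip_conntrack layout (the sample lines and addresses are constructed) and reports which entry, if any, an incoming UDP packet would be matched to and in which direction.

```python
import re

# Constructed sample in the /proc/net/ip_conntrack layout of 2.6-era kernels
# (not taken from the post): proto name, proto number, timeout, original
# tuple, optional [UNREPLIED], reply tuple, optional [ASSURED], use count.
SAMPLE = """\
udp      17 25 src=10.0.0.5 dst=10.0.0.1 sport=5000 dport=7000 [UNREPLIED] src=10.0.0.1 dst=10.0.0.5 sport=7000 dport=5000 use=1
udp      17 170 src=192.168.1.10 dst=10.0.0.1 sport=4000 dport=7000 src=10.0.0.5 dst=192.168.1.10 sport=5000 dport=4000 [ASSURED] use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Parse ip_conntrack lines into entries with original and reply 5-tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 3 or len(tuples) != 2:
            continue  # skip malformed lines or entries without port fields
        proto = fields[0]
        # Key tuple order: (proto, src, sport, dst, dport)
        orig = (proto, tuples[0][0], int(tuples[0][2]), tuples[0][1], int(tuples[0][3]))
        reply = (proto, tuples[1][0], int(tuples[1][2]), tuples[1][1], int(tuples[1][3]))
        entries.append({"proto": proto, "timeout": int(fields[2]), "orig": orig,
                        "reply": reply, "unreplied": "[UNREPLIED]" in line,
                        "assured": "[ASSURED]" in line})
    return entries


def lookup(entries, proto, src, sport, dst, dport):
    """Return (entry, direction) for the entry whose original or reply tuple
    equals the packet's full 5-tuple, or (None, "new") when the packet would
    create a fresh conntrack entry. Addresses and ports both form the key."""
    key = (proto, src, sport, dst, dport)
    for entry in entries:
        if entry["orig"] == key:
            return entry, "original"
        if entry["reply"] == key:
            return entry, "reply"
    return None, "new"


def count_new_entries(entries, proto, src, dst, dport, sports):
    """How many packets from the given source ports would need a new entry."""
    return sum(1 for sp in sports if lookup(entries, proto, src, sp, dst, dport)[0] is None)
```

On a live 2.6 box the same parser can be fed the contents of /proc/net/ip_conntrack to check whether the 100 reply packets are hitting pre-existing entries or creating new ones.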






