On 02/25/2006 03:49 AM, Jeff Machesky wrote:
> When rule #1 is first put in place the packets do not start to route
> right away, they often take up to a minute or so to take hold. Once in
> a while I'll get lucky and the rule appears to take effect right away.
> This is verified by ethereal dumps.
>
> The other problem, after removing rule #1 or for that matter flushing
> the entire nat chain (iptables -t nat -F) the rules will keep working
> for several minutes.

This is probably due to the conntrack entry still existing. The new NAT rules are not applied until the conntrack expires. Check this with 'cat /proc/net/ip_conntrack'.

The relatively new conntrack tool can delete them (and provides a faster way of listing them too).

http://netfilter.org/projects/conntrack/downloads.html
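As an added example (not part of the reply above or of the netfilter project), a small POSIX sh/awk function that reads /proc/net/ip_conntrack-style lines and prints only the flows whose reply tuple differs from the original tuple, i.e. the flows still being translated by a NAT mapping, together with their remaining timeout. The sample entries and all addresses and ports in them are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in /proc/net/ip_conntrack format (2.6-era kernels):
#   proto protonum timeout [tcp-state] <original tuple> <reply tuple> ...
# Entry 1: SNAT (reply dst is the router's public address, not the LAN host).
# Entry 2: plain LAN DNS flow, no translation.
# Entry 3: DNAT (reply src is an internal server, not the public address hit).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40001 dport=80 packets=12 bytes=1800 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=40001 packets=10 bytes=9000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=5353 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=5353 packets=1 bytes=120 mark=0 use=1
tcp      6 118 TIME_WAIT src=198.51.100.7 dst=198.51.100.1 sport=52000 dport=8080 packets=6 bytes=500 src=192.168.1.30 dst=198.51.100.7 sport=80 dport=52000 packets=5 bytes=700 [ASSURED] mark=0 use=1'

# nat_entries: read conntrack lines on stdin, print one line per flow that is
# being NATed. A flow is untranslated when the reply tuple is simply the
# original tuple reversed; any difference means a NAT mapping is attached to
# the entry and will keep applying until the timeout in column 3 runs out.
nat_entries() {
  awk '{
    n = 0
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "src" || kv[1] == "dst" || kv[1] == "sport" || kv[1] == "dport") {
        n++; v[n] = kv[2]
      }
    }
    # v[1..4] = original src,dst,sport,dport; v[5..8] = reply src,dst,sport,dport
    if (n < 8) next            # e.g. icmp entries carry no ports; skip them
    kind = ""
    if (v[6] != v[1] || v[8] != v[3]) kind = "SNAT"   # source rewritten
    if (v[5] != v[2] || v[7] != v[4]) kind = (kind == "" ? "DNAT" : "SNAT+DNAT")
    if (kind != "")
      printf "%s ttl=%ss %s %s:%s->%s:%s reply %s:%s->%s:%s\n", \
        $1, $3, kind, v[1], v[3], v[2], v[4], v[5], v[7], v[6], v[8]
  }'
}

# Stand-alone run over the constructed sample; on a live box use
#   nat_entries < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | nat_entries
```

Entries reported here that no longer match anything in `iptables -t nat -L` are the ones still carrying the old mapping; they can be removed with `conntrack -D` (or the whole table with `conntrack -F`) instead of waiting for the ttl to expire.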