Re: It seems I've found why conntrack blocks some packets

Steven M Campbell wrote:
We know from the message that we fell off of the end of the FORWARD chain (because the --log-prefix "FORWARD blocked: " is the only one to match the message....
One other thought on this: if I were to presume the ${variables} and ...IPs, then I would presume that the RELATED rules should allow these ACKs to go through. The only reason I know of for them not to (again, assuming all the addressing is really OK) would be that the conntrack table has filled up.

To see the maximum number of connections that can be tracked:

# cat /proc/sys/net/ipv4/ip_conntrack_max
32760

To see how many you are using at a given moment:

# wc  -l /proc/net/ip_conntrack
16 /proc/net/ip_conntrack


This is from my house, and there really isn't all that much going on. I would expect far larger counts; you may need to up ip_conntrack_max. This is really out in the SWAG arena because I can't see the details of your installation.
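As an added example (not code from the original post or from the netfilter project), here is the check described above as a script. It reads the same two files, reports how close the table is to the configured maximum, and also counts the kernel's "table full, dropping packet" warning, which is the direct evidence that the table has filled up rather than a guess from the size of the count. The /proc/sys/net/netfilter/nf_conntrack_max and /proc/net/nf_conntrack paths are the equivalents on newer kernels, where ip_conntrack was replaced by nf_conntrack; the sample /proc files and kernel log lines are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): check how full the conntrack
# table is and look for the kernel's "table full, dropping packet" warning.
# Assumption: the nf_conntrack paths are the newer-kernel equivalents of the
# ip_conntrack files shown in the post; both layouts are handled.

# conntrack_usage MAX_FILE TABLE_FILE
# Prints "<used> <max> <percent>"; returns 1 when usage is 90 % or more.
conntrack_usage() {
    max_file=$1
    table_file=$2
    [ -r "$max_file" ]   || { echo "cannot read $max_file" >&2; return 2; }
    [ -r "$table_file" ] || { echo "cannot read $table_file" >&2; return 2; }
    max=$(cat "$max_file")
    # One line per tracked connection, exactly what "wc -l" in the post counts.
    used=$(wc -l < "$table_file" | tr -d ' ')
    percent=$((used * 100 / max))
    echo "$used $max $percent"
    [ "$percent" -lt 90 ]
}

# Run against whichever layout this kernel exposes (legacy ip_conntrack first).
conntrack_usage_auto() {
    if [ -r /proc/net/ip_conntrack ]; then
        conntrack_usage /proc/sys/net/ipv4/ip_conntrack_max /proc/net/ip_conntrack
    else
        conntrack_usage /proc/sys/net/netfilter/nf_conntrack_max /proc/net/nf_conntrack
    fi
}

# conntrack_table_full_count LOGFILE
# Counts "table full, dropping packet" warnings (emitted by ip_conntrack and
# nf_conntrack alike) in saved dmesg output or a syslog file.
conntrack_table_full_count() {
    grep -c 'conntrack: table full, dropping packet' "$1" || true
}

# Constructed sample data standing in for /proc and the kernel log: the
# 32760 / 16 figures from the post, a deliberately tiny maximum, and three
# made-up log lines (two of them the table-full warning).
make_sample() {
    dir=$(mktemp -d)
    echo 32760 > "$dir/max"
    echo 17    > "$dir/max_tiny"
    : > "$dir/table"
    i=0
    while [ "$i" -lt 16 ]; do
        echo "tcp 6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.20 sport=$((40000 + i)) dport=22 [ASSURED] use=1" >> "$dir/table"
        i=$((i + 1))
    done
    cat > "$dir/kern.log" <<'EOF'
Mar  3 10:01:22 gw kernel: nf_conntrack: table full, dropping packet
Mar  3 10:01:22 gw kernel: FORWARD blocked: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.20
Mar  3 10:01:23 gw kernel: ip_conntrack: table full, dropping packet.
EOF
    echo "$dir"
}

# Stand-alone run on the constructed sample; on a real box call conntrack_usage_auto.
sample=$(make_sample)
conntrack_usage "$sample/max" "$sample/table"            # 16 32760 0
conntrack_usage "$sample/max_tiny" "$sample/table" \
    || echo "WARNING: conntrack table nearly full, raise the max" >&2
echo "table-full warnings in log: $(conntrack_table_full_count "$sample/kern.log")"
rm -rf "$sample"
```

The percentage is the figure to watch: a table that is at 0 % of its maximum (16 of 32760 here) cannot be the reason RELATED packets are dropped, while a count near the maximum together with a non-zero "table full" count in the log is. On a machine that does hit the limit, raising the maximum is only half the fix; the conntrack hash table size should be raised with it or lookups slow down.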

