I have a pretty simple NAT rule going on here:
iptables -t nat -A POSTROUTING -d ! 10.0.0.0/8 -s 207.166.219.93 -p !
esp -m owner --uid-owner dante -j SNAT --to 207.166.203.150
Not rocket science - danted is running on 10.1.1.2, I'm connecting from
10.6.1.40 over IPSec - Hence why I 1) tell it to ignore ESP (which says
it comes from 219.93, plus it's still using 'dante' as the uid) 2) I'm
telling it to ignore everything going to 10.0.0.0/8.
With this rule in place, I see this in my conntrack table:
tcp 6 267 ESTABLISHED src=10.1.1.2 dst=10.6.1.40 sport=1080
dport=2097 [UNREPLIED] src=10.6.1.40 dst=207.166.203.150 sport=2097
dport=1080 mark=0 use=1
Clearly wrong - There are no other rules related to my 150 address in my
tables. Indeed, if I take out the SNAT rule, it will work fine. Now, if
I change the SNAT to a 'LOG' entry, it only logs the rule hits that are
correct, and not these ones that are wrong. I'm running a 2.6.15.1
kernel, which I realized is older than the hills, but other than this it
has been working happily.
Any ideas? I may try upgrading to 2.6.22.1 shortly, but I don't even
know if that will fix it.