Re: Mystics of packet forwarding

SNAT should be sufficient.

Your friend admin said they didn't do anything. Maybe it is the provider they are getting bandwidth from?

One thing I can come up with is TTL limiting (largely known here where I live). Try pinging these "troubling" sites from your home gateway and see if TTL is 1 or 2 or some bigger value.

And one other thing - you said these sites disappear, but I didn't understand where you are testing from. From the home gateway or from the NATed boxes behind it?

Could you add an SNAT rule for a non-existent box (an IP that is not present on your network, like 192.168.0.200) and see if these sites work?

And one other thing - /16? Do you really have such a big network? :)

Greetings,
Ivan.

On Wed, Jan 7, 2009 at 8:15 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Artūras Šlajus wrote:
>>
>> Hello fellow netfilter users,
>>
>> I have a strange problem and I think I should blame my ISP for that...
>>
>> Recently I lost connectivity to some sites (i.e. digg.com, yahoo). The
>> best part is that I can regain connectivity by clearing out all the rules
>> from iptables.
>>
>> So if I have empty chains - I can connect to digg. After I add one rule:
>>
>> iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE (or SNAT,
>> doesn't make a difference)
>
> I very much doubt it's your ISP. Maybe the
>
> one-sided NAT does not usually work very well. Try adding both the
> symmetrical sides at once:
>
> SNAT on the outbound request packets
>  iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT ...
>
> MASQUERADE on the inbound reply packets
>  iptables -t nat -A PREROUTING -d 192.168.0.0/16 -j MASQUERADE
>
>
> AYJ

