On Mon, Apr 20, 2009 at 05:15:21PM +0200, Javier Gálvez Guerrero wrote:

> $ sudo iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> CONNMARK   tcp  --  anywhere             anywhere            state NEW
> tcp spt:rtsp CONNMARK set 0x1

If you are forwarding packets via this host you need the CONNMARK restore
here as well, then you can also drop the CONNMARK restore from the INPUT
chain, PREROUTING is also traversed for packets destined for the local host.

> With this environment I get the same results. I send the first TCP
> packet (SYN, dport 8554) through the interface ra1 (OK) with the IP
> bound to this interface (SNAT OK) and I get the (SYN,ACK) to the same
> IP and through the same interface (OK!), but my application does not
> send the final acknowledgement to the TCP connection establishment
> (ACK), so the RTSP messages are not sent and the client retries over
> and over again the TCP session establishment.

Your application does not send the ACK in the 3-way handshake, the client
kernel does. Somehow it doesn't receive the SYN,ACK or the ACK does not
reach the point where you're tcpdumping packets. Try to sniff as close to
your client app as possible.

Could be a NAT issue. Or maybe rp_filter or something else is breaking it
for you, you could try to enable /proc/sys/net/ipv4/conf/*/log_martians to
see any issues.

> messing up old connections with other videos. I can't understand how
> this can be so difficult to configure. I must be missing something in
> my rules...

Find another general purpose OS where you can do this AT ALL without
additional products. Then we'll talk about what is difficult or not ;=)

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
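The mangle-table layout the reply describes, as an added example that is not part of the original thread: the connection mark is set on the first packet (state NEW, source port rtsp, as in the quoted listing) and restored in PREROUTING so that forwarded and locally delivered packets both carry it, which makes a separate restore in INPUT unnecessary. The mark value 0x1 comes from the listing; the `IPT` variable, the `apply` argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# IPT defaults to iptables; set IPT=echo to print the rules without applying them.
IPT="${IPT:-iptables}"

mangle_rules() {
    # Set the connection mark once, on the SYN that opens the RTSP connection
    # (rule as shown in the quoted `iptables -L -t mangle` output).
    "$IPT" -t mangle -A PREROUTING -p tcp --sport rtsp -m state --state NEW \
        -j CONNMARK --set-mark 0x1
    # Restore the connection mark onto every later packet of that connection.
    # Doing this in PREROUTING covers both forwarded traffic and traffic
    # destined for the local host, so no restore rule is needed in INPUT.
    "$IPT" -t mangle -A PREROUTING -j CONNMARK --restore-mark
}

# Turn on martian logging on all interfaces, as the reply suggests, to see
# whether rp_filter is discarding the returning SYN,ACK.
enable_martian_logging() {
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > "$f"
    done
}

# Only touch the running system when explicitly asked to (requires root).
if [ "${1:-}" = "apply" ]; then
    mangle_rules
    enable_martian_logging
fi
```

Run with `IPT=echo sh script.sh` to review the generated rules first, then `sudo sh script.sh apply` to install them.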