I've switched to Debian Lenny 5.01 (kernel 2.6.26-2, iptables 1.4.2) and Jan's suggestion has worked out-of-the-box: the old streams are stable when changing the default route in the main table =). Anyway, I would like to know if you have any clue about what could be happening in Ubuntu 8.10 (kernel 2.6.27-11, iptables 1.4.0), since it would be very helpful in case I need to develop some iptables-related stuff in the future.

Thank you so much for your help,

Javi

On 20 April 2009 at 20:59, Thomas Jacob <jacob@xxxxxxxxxxxxx> wrote:
> On Mon, Apr 20, 2009 at 05:15:21PM +0200, Javier Gálvez Guerrero wrote:
>> $ sudo iptables -L -t mangle
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> CONNMARK   tcp  --  anywhere             anywhere            state NEW tcp spt:rtsp CONNMARK set 0x1
>
> If you are forwarding packets via this host you need the CONNMARK restore
> here as well, then you can also drop the CONNMARK restore from the INPUT chain,
> PREROUTING is also traversed for packets destined for the local host.
>
>> With this environment I get the same results. I send the first TCP
>> packet (SYN, dport 8554) through the interface ra1 (OK) with the IP
>> bound to this interface (SNAT OK) and I get the (SYN,ACK) to the same
>> IP and through the same interface (OK!), but my application does not
>> send the final acknowledgement to the TCP connection establishment
>> (ACK), so the RTSP messages are not sent and the client retries over
>> and over again the TCP session establishment.
>
> Your application does not send the ACK in the 3 way handshake, the
> client kernel does. Somehow it doesn't receive the SYN,ACK or
> the ACK does not reach the point where you're tcpdumping packets.
> Try to sniff as close to your client app as possible. Could be
> a NAT issue. Or maybe rp_filter or something else is breaking
> it for you, you could try to enable /proc/sys/net/ipv4/conf/*/log_martians
> to see any issues.
>
>> messing up old connections with other videos. I can't understand how
>> this can be so difficult to configure. I must be missing something in
>> my rules...
>
> Find another general purpose OS where you can do this AT ALL without additional
> products. Then we'll talk about what is difficult or not ;=)
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
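The CONNMARK restore/save pattern Thomas describes, written out as one complete ruleset so the placement of each hook is visible. This is an added example, not code from the thread or from Javi's setup: it assumes packet mark 0x1, policy-routing table 100, uplink interface ra1 with gateway 192.0.2.1 (a documentation address), and RTSP on TCP port 8554. The restore sits in mangle PREROUTING (which, as Thomas notes, covers both forwarded and local-bound packets, so no INPUT rule is needed) and in mangle OUTPUT for locally generated packets; new RTSP sessions are marked, the mark is saved into the conntrack entry, and a fwmark rule sends marked packets to a table whose default route is independent of the main table. The log_martians setting is the diagnostic from the thread, not a fix.

```shell
#!/bin/sh
# Added example (not from the thread): keep established RTSP streams on the
# uplink they started on by marking their connections and routing by mark.
# Assumed values: mark 0x1, policy-routing table 100, uplink ra1 with gateway
# 192.0.2.1 (a documentation address), RTSP on TCP port 8554.
# Usage: sh connmark-route.sh show   (print the commands)
#        sh connmark-route.sh apply  (run them, as root)

MARK=0x1
TABLE=100
UPLINK_IF=ra1
UPLINK_GW=192.0.2.1
RTSP_PORT=8554

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

mangle_rules() {
    # 1. Copy the saved connection mark back onto every packet before routing.
    #    PREROUTING sees forwarded and local-bound packets alike, so no INPUT
    #    rule is needed; locally generated packets get their copy in OUTPUT.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # 2. Classify the first packet of a new RTSP session.
    run iptables -t mangle -A PREROUTING -p tcp --dport "$RTSP_PORT" -m state --state NEW -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp --dport "$RTSP_PORT" -m state --state NEW -j MARK --set-mark "$MARK"
    # 3. Persist the packet mark into the conntrack entry, so step 1 applies to
    #    every later packet of that stream in both directions.
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
    run iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
}

policy_routing() {
    # Marked packets consult table $TABLE instead of main; its default route
    # is untouched when the main table's default route changes.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$UPLINK_GW" dev "$UPLINK_IF" table "$TABLE"
    run ip route flush cache
}

diagnostics() {
    # Replies for a marked stream may arrive on an interface the main table
    # would not use; strict rp_filter drops them silently. Logging martians
    # makes such drops visible in the kernel log.
    run sysctl -w "net.ipv4.conf.$UPLINK_IF.log_martians=1"
}

setup_all() {
    mangle_rules
    policy_routing
    diagnostics
}

case "${1:-}" in
    show)  DRY_RUN=1 setup_all ;;
    apply) DRY_RUN=0 setup_all ;;
esac
```

Run it with `show` first and compare the printed chain against `iptables -L -t mangle` on the box: the restore must be the first rule in both PREROUTING and OUTPUT, ahead of the MARK and save rules, or packets of an already-classified stream reach the routing decision unmarked. If the kernel log then reports martian sources on the uplink, rp_filter on that interface is what is dropping the replies, which is the case Thomas suggested checking.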