RE: Random NAT drop

> You must have set the conntrack value too high for your RAM size.
> Each conntrack structure uses ~300 bytes of physical memory, so a
> value of 1024*1024 would be suitable. The hashsize should be
> lowered too. Look at
> http://www.wallfire.org/misc/netfilter_conntrack_perf.txt for details.
> The problem may also be in your iptables rules or in the settings for
> the /proc/sys/net/netfilter/nf_conntrack_XXX timeouts.
> 

Anatoly, 

I had looked at the link.  I will either crank the value lower or increase the RAM.  I had increased the values to rule that out as a problem.

I will take a look at the conntrack timeouts.  It definitely appears to be some type of timeout problem.  When the problem does happen, it seems to continue for a while; then when I come back it works just fine.  The problem looks like it's some type of timeout with the NAT, though.  A connection is made, NAT is set up, and later trips don't get forwarded past the firewall.  As for the rules for the filter chain, they are all direct rules (no connection tracking on them).  I will definitely look a little deeper; I just didn't know where to begin.

Gary Smith
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
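A small diagnostic for the sizing question raised in the reply above, added here as an example and not taken from either message in the thread. It applies the ~300 bytes-per-entry figure to nf_conntrack_max, reports how full the table is, and counts the kernel's "table full" drop messages; it assumes a Linux host with the nf_conntrack sysctls under /proc/sys/net/netfilter and the hashsize exposed under /sys/module/nf_conntrack/parameters (the log text below is constructed).

```shell
#!/bin/sh
# Added example: check whether a NAT box is dropping flows because the
# conntrack table is exhausted or oversized for its RAM.

# Estimated table memory in KiB for MAX entries at BYTES per entry
# (300 is the per-entry figure quoted in the thread, an approximation).
conntrack_mem_kib() {
    max=$1; bytes=${2:-300}
    echo $(( max * bytes / 1024 ))
}

# Integer percentage of the table in use: COUNT entries out of MAX.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return 0; }
    echo $(( count * 100 / max ))
}

# Count the kernel's table-exhaustion drop message in log text on stdin.
# grep -c exits 1 when there are no matches, so swallow that status.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Constructed sample of kernel log output (not a real capture).
SAMPLE_LOG='kernel: nf_conntrack: table full, dropping packet
kernel: nf_conntrack: table full, dropping packet
kernel: eth0: link up'

# Read live values from /proc and /sys when this host exposes them.
report_live() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_max" ] || { echo "no conntrack sysctls on this host"; return 0; }
    max=$(cat "$d/nf_conntrack_max")
    count=$(cat "$d/nf_conntrack_count")
    echo "conntrack: $count / $max entries ($(conntrack_usage_pct "$count" "$max")% used)"
    echo "estimated table memory: $(conntrack_mem_kib "$max") KiB"
    hs=/sys/module/nf_conntrack/parameters/hashsize
    [ -r "$hs" ] && echo "hashsize: $(cat "$hs") buckets"
    echo "table-full drops in dmesg: $(dmesg 2>/dev/null | count_table_full)"
}

# Usage when run directly (the functions above are also usable from a test).
[ "${1:-}" = "--live" ] && report_live
```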