On 03/17/2010 03:25 PM, Richard Horton wrote:
On 17 March 2010 15:20, Angel Motta<angelmotta@xxxxxxxxx> wrote:
When I apply this rule I did iptables-save and I see that NAT, and I
also see my rule with iptables -t nat -L, but the VPN clients are
still connected to the firewall with that public IP.
Existing connections prior to the rule being inserted will not be
moved until they reestablish a new connection.
You can turn tracing on (iptables -t raw -A PREROUTING -j TRACE) and
see if the rule is being met or not.
By the sound of it something isn't matching, so you might want to try
inserting a rule to log traffic - just use the same match criteria but
use the LOG target rather than DNAT - if you see no log entries then
the rule for some reason isn't quite right...
And, I just noticed that the protocol is UDP. The only way a UDP
entry gets removed from conntrack is by timing out, and that can take
up to 3 minutes (see the values in
/proc/sys/net/netfilter/nf_conntrack_udp_timeout*).
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
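A worked check for the point Bob makes above, added here as an example and not part of the original thread: read the conntrack table (the /proc/net/nf_conntrack format) and list the UDP entries that were created before the DNAT rule existed. Such an entry still has the firewall's own address as the source of its reply tuple instead of the DNAT target, so its packets keep going to the firewall until the timeout column reaches zero. The public IP 203.0.113.10, the DNAT target 10.0.0.20, port 1194 and the conntrack lines themselves are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in /proc/net/nf_conntrack format (not taken from the thread).
# Assumed addresses: 203.0.113.10 = firewall public IP, 10.0.0.20 = VPN server the
# new DNAT rule points at, 198.51.100.x = remote VPN clients.
# Columns: l3proto l3num l4proto l4num timeout [tcp-state] orig-tuple [UNREPLIED] reply-tuple [ASSURED] ...
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 167 src=198.51.100.7 dst=203.0.113.10 sport=50213 dport=1194 src=203.0.113.10 dst=198.51.100.7 sport=1194 dport=50213 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 12 src=198.51.100.9 dst=203.0.113.10 sport=41002 dport=1194 src=203.0.113.10 dst=198.51.100.9 sport=1194 dport=41002 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=198.51.100.12 dst=203.0.113.10 sport=39871 dport=1194 [UNREPLIED] src=10.0.0.20 dst=198.51.100.12 sport=1194 dport=39871 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=51000 dport=22 src=203.0.113.10 dst=198.51.100.7 sport=22 dport=51000 [ASSURED] mark=0 zone=0 use=2
"""

# Matches the key=value fields of both tuples in the order they appear on the line.
KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


@dataclass
class Flow:
    proto: str
    timeout: int          # seconds until conntrack drops the entry (5th column)
    orig_src: str
    orig_dst: str
    orig_sport: int
    orig_dport: int
    reply_src: str        # for a DNAT'd flow this is the real (post-NAT) server
    reply_dst: str
    flags: tuple          # e.g. ("UNREPLIED",) or ("ASSURED",)


def parse_conntrack(text):
    """Parse /proc/net/nf_conntrack style lines into Flow records."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, timeout = fields[2], int(fields[4])
        kvs = KV.findall(line)
        if len(kvs) < 8:          # ICMP and other protocols lack sport/dport; skip them
            continue
        orig, reply = dict(kvs[:4]), dict(kvs[4:8])
        flags = tuple(t.strip("[]") for t in fields if t.startswith("["))
        flows.append(Flow(proto, timeout,
                          orig["src"], orig["dst"], int(orig["sport"]), int(orig["dport"]),
                          reply["src"], reply["dst"], flags))
    return flows


def stale_dnat_flows(flows, public_ip, dnat_target, dport):
    """UDP entries that hit public_ip:dport but whose reply tuple does not come from
    dnat_target. These predate the DNAT rule and keep their old mapping until they
    time out; the new rule is never consulted for them."""
    return [f for f in flows
            if f.proto == "udp"
            and f.orig_dst == public_ip and f.orig_dport == dport
            and f.reply_src != dnat_target]


def seconds_until_all_expire(stale):
    """Longest remaining conntrack timeout among the stale entries (0 if none)."""
    return max((f.timeout for f in stale), default=0)


if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE_CONNTRACK)
    stale = stale_dnat_flows(flows, "203.0.113.10", "10.0.0.20", 1194)
    for f in stale:
        print(f"{f.orig_src}:{f.orig_sport} still mapped to {f.reply_src}, "
              f"expires in {f.timeout}s {f.flags}")
    print(f"all stale UDP entries gone in at most {seconds_until_all_expire(stale)}s")
```

On a live box, replace SAMPLE_CONNTRACK with the contents of /proc/net/nf_conntrack (or the output of conntrack -L, whose fields are laid out the same way). Once the stale entries have expired, or have been flushed, new client packets hit the DNAT rule and their reply tuple shows the DNAT target, as the third sample line does.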