Hi,

>> The last two are just regular requests for access to facebook from
>> another PC on the internal network.
>
> These packets can be out-of-order or duplicate packets with FIN flag.
> They are not connected to any conntrack entry, so there is no way
> to do NAT transformation for them.

I'm not sure if I'm misunderstanding what you are saying, or you're not clear.

I'm trying to dnat bittorrent traffic, but there are many rejects in the kernel logs that I believe are a result of my dnat rules not being correct, and I thought the rule below would help me isolate those packets:

# iptables -I FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "dnat invalid "

There is a periodic match (maybe a few every other minute). However, they are apparently matching packets that are not related to my bittorrent traffic and shouldn't be dnat'd.

How can I determine why these facebook packets are invalid and why my bittorrent traffic is not properly being dnat'd?

Thanks,
Alex
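One way to tell the late FIN/ACK stragglers the reply describes apart from packets that actually matter for the dnat rules is to group the "dnat invalid " log lines by protocol, destination port and TCP flags. The script below is an added example, not part of the thread; the log lines it parses are constructed in the format the iptables LOG target writes (addresses, ports and the hypothetical port 6881 are made up).

```python
import re
from collections import Counter

# Constructed sample kernel-log lines from the rule quoted above
# (-j LOG --log-prefix "dnat invalid "). Addresses and ports are invented.
SAMPLE_LOG = """\
kernel: dnat invalid IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=0 RES=0x00 ACK FIN URGP=0
kernel: dnat invalid IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=0 RES=0x00 ACK FIN URGP=0
kernel: dnat invalid IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=6881 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: dnat invalid IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40001 DPT=6881 WINDOW=229 RES=0x00 ACK PSH URGP=0
kernel: dnat invalid IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.0.2.1 LEN=140 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=6881 DPT=6881 LEN=120
"""

# Bare tokens the LOG target emits for set TCP flags.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Return (KEY=value fields, set of TCP flag tokens) for one LOG line."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S+)", line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags

def classify(fields, flags):
    """Give a working hypothesis for why conntrack called the packet INVALID."""
    if fields.get("PROTO") != "TCP":
        return "non-TCP INVALID: check packet length/checksum, not a NAT issue"
    if flags and flags <= {"ACK", "FIN", "RST"}:
        # No SYN, no data flags: typical late/duplicate packet of a flow whose
        # conntrack entry is already gone (the facebook case in the thread).
        return "late FIN/RST/ACK with no conntrack entry: harmless straggler"
    if flags == {"SYN"}:
        return "SYN marked INVALID: not a straggler, inspect this flow"
    return "mid-stream packet with no conntrack entry: timeout or asymmetric path?"

def summarize(log_text):
    """Count INVALID packets per (proto, destination port, hypothesis)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "dnat invalid" not in line:
            continue
        fields, flags = parse_log_line(line)
        counts[(fields.get("PROTO"), fields.get("DPT"), classify(fields, flags))] += 1
    return counts

if __name__ == "__main__":
    for (proto, dport, why), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {proto}/{dport}: {why}")
```

Feed it the real log with `dmesg | python3 thisscript.py`-style plumbing (reading stdin instead of SAMPLE_LOG) and only the rows that are not stragglers need a look at the dnat rules.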