On Tuesday 2011-08-23 13:35, Tyler J. Wagner wrote:
>On 2011-08-23 12:08, Ellad Yatsko wrote:
>> Main problem is DNAT does not work as I wait. It seems to me there is an
>> implicit additional DNAT rule for SNAT, and because *my* DNAT rule does
>> not work. May you show me how it could be "switched off"? :-)
>
>It's not an implicit rule. If either rule matches the FIRST time the
>traffic is seen, it will become an established connection. NAT will be
>applied to it in both directions. See the current list of tracked
>connections with:
>
>cat /proc/net/ip_conntrack
>
>Don't run that on a system with a lot of traffic. You'll get one line for
>each session. For 1000 sessions, that's manageable. For 500,000, it will
>block the terminal for a long time.

That's why one normally uses

conntrack -L | less

so that that does not happen.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
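As an added illustration of the point made above (not code from anyone in this thread): each conntrack entry carries the original-direction tuple followed by the reply-direction tuple, and NAT is visible wherever the two disagree. The script below reads a constructed dump in the /proc/net/ip_conntrack layout and flags which entries are being source- or destination-translated; the sample addresses and the function name nat_entries are assumptions for the example.

```sh
#!/bin/sh
# Constructed sample in the /proc/net/ip_conntrack layout: key=value fields,
# original-direction tuple first, then the reply-direction tuple.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=45678 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=45678 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=203.0.113.9 dst=198.51.100.1 sport=51000 dport=443 src=192.168.1.20 dst=203.0.113.9 sport=443 dport=51000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 mark=0 use=1'

# Read conntrack entries on stdin; print one line per connection on which NAT
# is applied, naming the translation conntrack keeps applying in both directions.
nat_entries() {
    awk '
    {
        n = 0
        # Collect src/dst/sport/dport values in order of appearance.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(src|dst|sport|dport)=/) {
                split($i, kv, "=")
                n++
                v[n] = kv[2]
            }
        }
        if (n < 8) next
        # v[1..4] = original src,dst,sport,dport; v[5..8] = reply src,dst,sport,dport.
        # Untranslated traffic has reply dst == original src and reply src == original dst.
        kind = ""
        if (v[6] != v[1] || v[8] != v[3]) kind = kind "SNAT "
        if (v[5] != v[2] || v[7] != v[4]) kind = kind "DNAT "
        sub(/ $/, "", kind)
        if (kind != "")
            printf "%s %s:%s -> %s:%s (%s)\n", $1, v[1], v[3], v[2], v[4], kind
    }'
}

# Stand-alone run over the constructed sample; on a live box, feed it
# conntrack -L output instead of cat-ing /proc/net/ip_conntrack.
printf '%s\n' "$SAMPLE" | nat_entries
```

The third sample entry (a local DNS lookup) is symmetric and is therefore not reported.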