On Mon, 02 Jan 2012 06:43:37 -0600, Ed W <lists@xxxxxxxxxxxxxx> wrote:
> I believe also routes are cached per IP, so I guess it might accidentally persist beyond even individual streams (assuming to/from same IPs)
Thanks, I didn't think of that. If no policy routing rules are matched, the cached route should be used. Of course, this doesn't explain why connections were dropped when the outgoing interface had a non-routable (LAN) IP number, but were never dropped from the one interface that has a public IP.

I'm hoping someone will comment on the use of "-p tcp" in the SNAT invocation (example rule):

    iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155

I have always seen this rule with "-p tcp", and yet I think it is best to mark ALL my outgoing connections, in case the one interface associated with the default route happens to be down. For example, DNS queries are usually UDP, I believe.

--
Lloyd Standish
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
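As an added illustration of the point raised in the message above (this is editor-supplied example code, not part of the original post or of the netfilter project), the script below generates one POSTROUTING SNAT rule per public interface with the "-p tcp" match dropped, so that UDP (DNS), ICMP and every other protocol leaving that interface is rewritten too, and includes a small check that flags any rule still restricted to a single protocol. The address 194.236.50.155 on eth0 is the one quoted in the thread; the second interface eth1 with address 203.0.113.7 is an assumption made up for the example. Applying the rules requires root and a real iptables; the default mode only prints them.

```shell
#!/bin/sh
# Added example, not from the original post. Emits POSTROUTING SNAT rules
# that match on the outgoing interface only (no "-p tcp"), so UDP, ICMP and
# everything else is source-NATed like TCP is.

# snat_rule IFACE ADDR: print one rule covering all protocols on IFACE.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$1" "$2"
}

# Interface/address table. eth0 uses the address quoted in the thread;
# eth1 / 203.0.113.7 is a hypothetical second uplink (an assumption).
# Policy routing picks the outgoing interface; the matching rule rewrites
# the source address accordingly.
IFACES="eth0 194.236.50.155
eth1 203.0.113.7"

# snat_rules: print the full rule set, one rule per interface.
snat_rules() {
    printf '%s\n' "$IFACES" | while read -r iface addr; do
        if [ -n "$iface" ]; then
            snat_rule "$iface" "$addr"
        fi
    done
}

# has_proto_limit RULESET: succeed (0) if any rule carries a "-p" match,
# i.e. is still limited to one protocol and would leave DNS/UDP untouched.
has_proto_limit() {
    printf '%s\n' "$1" | grep -q -- ' -p '
}

# apply_rules: run every generated rule, then show the chain with packet
# counters so you can confirm UDP traffic is actually hitting the rules.
apply_rules() {
    snat_rules | while read -r cmd; do
        sh -c "$cmd"
    done
    iptables -t nat -L POSTROUTING -n -v
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    snat_rules
fi
```

Run it without arguments to review the rules, and with --apply as root to install them. After applying, the -v counters on "iptables -t nat -L POSTROUTING" are the quickest way to confirm that UDP DNS queries on the non-default uplink are being rewritten: send a query out that interface and watch the rule's packet count increase.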