On Sat, 25 May 2002, Christian Lambert wrote:

> I enabled "local natting of connections" in the kernel so that I can
> do transparent proxy from the local host itself running squid, and
> I only use these two rules in the new table called "OUTPUT" for nat.
>
> # transparent proxy for localhost
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> Now the problem that I have is that when the box itself tries to ftp
> to the outside world, it just hangs as soon as it does the PORT command.
>
> Then in syslog I see a couple of these messages:
>
> ip_conntrack: max number of expected connections 1 of ftp reached for
> <hidden ip>-><hidden ip>, reusing

Ha! That's interesting and smells like a bug.

> I'm using kernel 2.4.19-pre7 with the newnat patch applied and h323,
> but no other patches. Iptables userspace 1.2.6a. My POSTROUTING
> of nat contains a typical SNAT setting to let my internal machines
> access the internet.

Did you apply the newnat patch from iptables-1.2.6a or from a recent cvs download? iptables-1.2.6a contains newnat8 while in cvs we have newnat13 with a couple of bugs fixed.

Regards,
Jozsef
-
E-mail : [EMAIL PROTECTED], [EMAIL PROTECTED]
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
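The syslog message quoted above is the only symptom the thread gives for the hanging FTP session, so a quick way to see how often and for which flows the conntrack ftp expectation limit is being hit is useful when checking whether a newer newnat patch helped. The script below is an added example, not part of the original mail; the log lines are constructed in the format quoted in the thread, with RFC 5737 documentation addresses in place of the hidden ones.

```shell
#!/bin/sh
# Constructed sample syslog excerpt (not from the original thread). The
# ip_conntrack line follows the format quoted by Christian Lambert.
SAMPLE_LOG='May 25 12:00:01 fw kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.0.2.10->198.51.100.7, reusing
May 25 12:00:02 fw kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.0.2.10->198.51.100.7, reusing
May 25 12:00:05 fw kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.0.2.11->203.0.113.9, reusing
May 25 12:00:07 fw sshd[123]: Accepted publickey for alice from 192.0.2.50'

# Read syslog text on stdin and print "count src->dst" for every flow that
# hit the ftp expectation limit, most frequent first.
expect_limit_report() {
    grep 'ip_conntrack: max number of expected connections' \
    | sed -n 's/.* reached for \([^ ,]*\),.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Number of distinct flows that hit the limit; handy as an alert threshold.
expect_limit_flows() {
    expect_limit_report | wc -l | tr -d ' '
}

# Demo run over the constructed sample; on a real box feed it
# e.g. "grep ip_conntrack /var/log/messages".
printf '%s\n' "$SAMPLE_LOG" | expect_limit_report
```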
