I have a network connected via a Linux router and DSL to an ISP. The local network is connected to eth0 of the router, the DSL modem to eth1.

I have a pool of public IP addresses. One is assigned to the router's eth1; the rest are for several machines in the local network. The router is supposed to do the NAT and translate the public IPs to local ones (e.g. 192.168.23.1).

Now, everything worked fine when I used kernel 2.2 and ipchains with fast NAT. Now I have upgraded to 2.4.21 and iptables. I have set up SNAT and DNAT rules as they are supposed to be, but the router behaves strangely. Here is the scenario:

I boot up the router and run the iptables script, which sets up NAT for one of the machines in the local network (let's call it X; it has an address in the local network like 192.168.15.1). The NAT works. I can log in to (X) from an outside computer using the public IP, and when I log in from this machine (X) to another computer, it shows the connection is made from the right public IP that is assigned to (X).

Everything seems fine, but it works only for about 5 minutes. Then the connection to (X) is unavailable: can't ping it, can't log in to it, no traceroute, in either (in/out) direction. Everything is blocked at the router.

Now the funny part: if I set up an alias eth1:1 with the public IP assigned to (X), the traffic half-works (which is to be expected). I can log in from (X) to any other computer outside the local network (and the connection is registered as from (X)'s public IP), but I can't log in to (X) from outside, which is also fine since the alias 'catches' all the incoming traffic. Now if I delete the alias, the NAT works fine in both directions .... for a couple of minutes. Then all access to/from (X) is unavailable.

If I set up the alias again I can repeat this scenario again and again.

Any ideas?

Marek

P.S. Please no advice like 'set up and delete the alias periodically using cron' :-)

P.S. To make sure there are no unexpected rules in iptables, I have temporarily set all policies for all chains to ACCEPT. I'm only blocking access to router ports 1:1024 on the external interface (eth1) of the router...
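One thing worth checking in a one-to-one SNAT/DNAT setup like the one described above: the router's kernel only answers ARP requests for addresses that are configured on one of its interfaces (which is exactly what the eth1:1 alias does). Once the upstream gateway's ARP entry for X's public IP ages out, nothing on the wire answers the next ARP request for it, and traffic to and from X stops until an alias (or a proxy-ARP entry) makes the router answer again. The script below is an added example, not code from the original post; it emits the iptables rules for a single public-to-private mapping together with a per-address proxy-ARP entry (`ip neigh add proxy`) and the commands used to verify the result. The interface names and addresses (eth0/eth1, 203.0.113.10, 192.168.15.1) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): one-to-one NAT for one LAN host
# on a Linux 2.4 router with iptables, plus the proxy-ARP entry that lets the
# router answer ARP for the public address without an interface alias.
# Constructed values: EXT/INT are the router NICs, PUBLIC_X is one address
# from the ISP pool, LOCAL_X is host X on the LAN.
EXT=eth1
INT=eth0
PUBLIC_X=203.0.113.10
LOCAL_X=192.168.15.1

# Minimal dotted-quad check so a typo cannot turn into a rule that matches
# nothing (or, worse, the wrong host). Returns 0 when the string looks like IPv4.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the commands for one public->local mapping.  Nothing is executed here,
# so the rule set can be reviewed (or diffed against the running config) first.
#   - PREROUTING/DNAT rewrites inbound packets for $pub to $loc
#   - POSTROUTING/SNAT rewrites outbound packets from $loc to $pub
#   - the proxy entry makes the kernel answer ARP for $pub on $EXT
nat_commands() {
    pub=$1; loc=$2
    is_ipv4 "$pub" && is_ipv4 "$loc" || return 1
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING  -i $EXT -d $pub -j DNAT --to-destination $loc
iptables -t nat -A POSTROUTING -o $EXT -s $loc -j SNAT --to-source $pub
ip neigh add proxy $pub dev $EXT
EOF
}

# Commands that show whether the mapping is actually in effect: the NAT table
# with packet counters, the proxy-ARP entries on the external interface, and
# the connection-tracking table (2.4 kernels expose it under /proc/net).
check_commands() {
    cat <<EOF
iptables -t nat -L -n -v
ip neigh show proxy dev $EXT
grep -F '$1' /proc/net/ip_conntrack
EOF
}

# Apply only when explicitly asked (APPLY=1); otherwise just print.
run_commands() {
    if [ "${APPLY:-0}" = 1 ]; then
        nat_commands "$1" "$2" | sh -e
    else
        nat_commands "$1" "$2"
    fi
}

run_commands "$PUBLIC_X" "$LOCAL_X"
check_commands "$PUBLIC_X"
```

Run it as-is to review the commands, or with `APPLY=1` as root on the router to execute them. Two points to keep in mind: the nat table only sees the first packet of each connection (connection tracking handles the rest, so `iptables -t nat -L -v` counters stay low even when traffic flows), and DNAT forwards everything addressed to the public IP to X, so any restriction on what reaches X belongs in the FORWARD chain, not in the nat table.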