SNAT question

darmian martinez darmianm at yahoo.com.ar
Sun Sep 19 19:10:18 CEST 2004


Alex,
 
It doesn't work because NAT rules apply only to new connections, and
the ICMP reply packet is part of a "virtual" established connection.
This is my original question: how to make a rule that applies NAT to
a packet that belongs to an already established connection.
 
Thank you.

Alexey Toptygin <alexeyt at freeshell.org> wrote:
On Fri, 17 Sep 2004, darmian martinez wrote:

> Alexey,
>
> I tried your command, but it says:
> iptables: Target problem

What I meant to say was:

iptables -t nat -A POSTROUTING -s [FIREWALL_IP] -p icmp -j SNAT --to-source [FAKE_IP]

which applies, but for some reason works only for outgoing requests.


Can someone on the list explain why this:

iptables -t nat -A POSTROUTING -s 192.168.1.9 -p icmp -j SNAT --to-source 10.0.0.1

Causes this:

# tcpdump -nnvl -i eth0 "icmp"
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

17:37:38.781912 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 84)
10.0.0.1 > 192.168.1.2: icmp 64: echo request seq 1

17:37:49.656966 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 84)
192.168.1.181 > 192.168.1.9: icmp 64: echo request seq 1

17:37:49.656988 IP (tos 0x0, ttl 64, id 6381, offset 0, flags [none], length: 84) 192.168.1.9 > 192.168.1.181: icmp 64: echo reply seq 1

Do locally generated ICMP replies not go through postrouting for some 
reason? I'm testing with iptables v1.2.9 and Debian kernel 2.6.7-1-k7.

Alexey
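The behaviour described in this thread (the nat table is consulted only for the first packet of a connection, and a locally generated echo reply is the reply half of a connection that the incoming request already created) can be replayed with a small model of conntrack's NAT binding. The following is an added example, not code from the thread or from netfilter; the class and function names, the `leaving_host` flag and the echo ids are constructed for illustration, and the model deliberately ignores timeouts, DNAT and ICMP error handling. The addresses are the ones from Alexey's tcpdump.

```python
from dataclasses import dataclass

# Addresses taken from the tcpdump in the thread; echo ids are constructed.
FIREWALL_IP = "192.168.1.9"
FAKE_IP = "10.0.0.1"


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_id: int
    is_reply: bool = False

    def ct_tuple(self):
        # Conntrack keys an ICMP echo "connection" on endpoints plus echo id.
        return (self.src, self.dst, self.icmp_id)


def reverse(t):
    src, dst, icmp_id = t
    return (dst, src, icmp_id)


@dataclass
class ConnEntry:
    orig: tuple   # tuple of the packet that created the entry
    reply: tuple  # tuple a reply is expected to carry, after any NAT


class NatModel:
    """Simplified model (assumption, not netfilter's code): the nat table is
    consulted only for the NEW packet of a connection; the mapping it
    produces is stored in the conntrack entry and reused in both directions."""

    def __init__(self, snat_source, snat_to):
        self.snat_source = snat_source  # -s of the POSTROUTING SNAT rule
        self.snat_to = snat_to          # --to-source of that rule
        self.entries = []

    def _find(self, t):
        for e in self.entries:
            if e.orig == t:
                return e, "ORIGINAL"
            if e.reply == t:
                return e, "REPLY"
        return None, None

    def process(self, pkt, leaving_host):
        """Return (conntrack state, packet as it appears on the wire)."""
        t = pkt.ct_tuple()
        entry, direction = self._find(t)
        if entry is None:
            entry = ConnEntry(orig=t, reply=reverse(t))
            self.entries.append(entry)
            # nat/POSTROUTING is traversed only by packets leaving the host,
            # and only the NEW packet of a connection reaches the rule.
            if leaving_host and pkt.src == self.snat_source:
                natted = IcmpPacket(self.snat_to, pkt.dst, pkt.icmp_id, pkt.is_reply)
                entry.reply = reverse(natted.ct_tuple())  # replies return to FAKE_IP
                return "NEW", natted
            return "NEW", pkt
        # ESTABLISHED: the nat table is skipped; only the stored mapping applies.
        if direction == "REPLY":
            orig_src, orig_dst, icmp_id = entry.orig  # undo the recorded NAT
            return "ESTABLISHED", IcmpPacket(orig_dst, orig_src, icmp_id, pkt.is_reply)
        reply_src, reply_dst, icmp_id = entry.reply   # reuse the recorded NAT
        return "ESTABLISHED", IcmpPacket(reply_dst, reply_src, icmp_id, pkt.is_reply)


def replay_thread_scenario():
    """Replay the three packets from the tcpdump through the model."""
    nat = NatModel(FIREWALL_IP, FAKE_IP)
    out_req = IcmpPacket(FIREWALL_IP, "192.168.1.2", icmp_id=1)
    in_req = IcmpPacket("192.168.1.181", FIREWALL_IP, icmp_id=2)
    local_reply = IcmpPacket(FIREWALL_IP, "192.168.1.181", icmp_id=2, is_reply=True)
    return {
        "outgoing_request": nat.process(out_req, leaving_host=True),
        "incoming_request": nat.process(in_req, leaving_host=False),
        "local_reply": nat.process(local_reply, leaving_host=True),
    }


if __name__ == "__main__":
    for name, (state, pkt) in replay_thread_scenario().items():
        print(f"{name:18} {state:12} {pkt.src} > {pkt.dst}")
```

Running it reproduces the capture: the outgoing request is NEW, hits the SNAT rule and leaves as `10.0.0.1 > 192.168.1.2`; the incoming request creates a connection whose reply tuple is `192.168.1.9 > 192.168.1.181`; the locally generated reply then matches that tuple as ESTABLISHED, so the nat table is never consulted for it and its source stays `192.168.1.9` even though the rule's `-s` would match. The check to confirm this on a real box is to watch `/proc/net/ip_conntrack` (or `conntrack -L` where available) for the inbound entry before the reply is sent.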


