darmianm at yahoo.com.ar
Sun Sep 19 19:10:18 CEST 2004
It doesn't work because NAT rules apply only to new connections, and
the ICMP reply packet is part of a "virtual" established connection.
This is my original question: how to make a rule that applies NAT to
a packet that belongs to an already established connection.
Alexey Toptygin <alexeyt at freeshell.org> wrote:
On Fri, 17 Sep 2004, darmian martinez wrote:
> I tried your command, but it says:
> iptables: Target problem
What I meant to say was:
iptables -t nat -A POSTROUTING -s [FIREWALL_IP] -p icmp -j SNAT --to-source
which applies, but for some reason works only for outgoing requests.
Can someone on the list explain why this:
iptables -t nat -A POSTROUTING -s 192.168.1.9 -p icmp -j SNAT --to-source
# tcpdump -nnvl -i eth0 "icmp"
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:37:38.781912 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 84)
10.0.0.1 > 192.168.1.2: icmp 64: echo request seq 1
17:37:49.656966 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 84)
192.168.1.181 > 192.168.1.9: icmp 64: echo request seq 1
17:37:49.656988 IP (tos 0x0, ttl 64, id 6381, offset 0, flags [none], length: 84)
192.168.1.9 > 192.168.1.181: icmp 64: echo reply seq 1
Do locally generated ICMP replies not go through postrouting for some
reason? I'm testing with iptables v1.2.9 and Debian kernel 2.6.7-1-k7.
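As an added example, not part of the original thread and not kernel code: a small Python model of the conntrack behaviour behind the explanation above. In netfilter the nat table is consulted only for the first packet of a connection; the mapping that packet produces is stored in the conntrack entry and applied to every later packet of that connection, in both directions, without evaluating nat rules again. So a POSTROUTING SNAT rule whose match can only ever fit an echo reply is never evaluated for that reply, whether the reply is forwarded or generated by the firewall itself (the `locally_generated` flag below only changes which DNAT chain, PREROUTING or OUTPUT, a NEW packet is checked in). The way to change how the reply leaves is to translate the request that opened the connection, for example with a PREROUTING DNAT; conntrack then reverses the mapping on the reply by itself. The addresses (10.0.0.1, 192.168.1.2, 192.168.1.9), the ICMP-id keyed table and the `Rule`/`NatBox` classes are all constructed for this example and do not describe the thread's real topology.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: str   # "echo-request" or "echo-reply"
    icmp_id: int     # echo identifier; conntrack pairs a reply with its request on it


@dataclass
class Rule:
    chain: str                 # "PREROUTING", "OUTPUT" or "POSTROUTING"
    target: str                # "SNAT" or "DNAT"
    to: str                    # --to-source / --to-destination address
    src: Optional[str] = None  # -s match, None means any
    dst: Optional[str] = None  # -d match, None means any

    def matches(self, src: str, dst: str) -> bool:
        return (self.src is None or self.src == src) and (self.dst is None or self.dst == dst)


@dataclass
class Conn:
    orig: Tuple[str, str]   # (src, dst) of the connection's first packet, before NAT
    reply: Tuple[str, str]  # (src, dst) a reply packet carries on the wire, after NAT


class NatBox:
    """Toy firewall model: the nat table is consulted only for a connection's first packet."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.conns: Dict[int, Conn] = {}  # keyed by ICMP id here; the kernel keys on the full tuple
        self.consulted: List[str] = []    # one entry per nat rule evaluated against some packet

    def traverse(self, pkt: Packet, locally_generated: bool = False) -> Tuple[str, Packet]:
        """Run one packet through the NAT hooks; return (conntrack state, packet as it leaves)."""
        conn = self.conns.get(pkt.icmp_id)
        if conn is None:
            state = "NEW"
        elif (pkt.src, pkt.dst) == conn.orig:
            state = "ESTABLISHED"
        elif (pkt.src, pkt.dst) == conn.reply:
            state = "ESTABLISHED/REPLY"
        else:
            raise ValueError("packet belongs to no tracked connection")

        if state == "NEW":
            # Only here are nat rules looked at. The mapping they produce is stored in the
            # conntrack entry and reused, in both directions, for the rest of the connection.
            src, dst = pkt.src, pkt.dst
            dnat_chain = "OUTPUT" if locally_generated else "PREROUTING"
            for chain in (dnat_chain, "POSTROUTING"):
                for rule in self.rules:
                    if rule.chain != chain:
                        continue
                    self.consulted.append(f"{chain} {rule.target} vs {pkt.icmp_type} {pkt.src}>{pkt.dst}")
                    if rule.matches(src, dst):
                        if rule.target == "DNAT":
                            dst = rule.to
                        else:
                            src = rule.to
                        break  # the first matching rule in a chain decides
            self.conns[pkt.icmp_id] = Conn(orig=(pkt.src, pkt.dst), reply=(dst, src))
        elif state == "ESTABLISHED":
            src, dst = conn.reply[1], conn.reply[0]  # stored forward mapping, no rule lookup
        else:
            src, dst = conn.orig[1], conn.orig[0]    # stored reverse mapping, no rule lookup
        return state, Packet(src, dst, pkt.icmp_type, pkt.icmp_id)


# Constructed addresses for this example (not the thread's actual topology).
OUTSIDE, FIREWALL, INSIDE = "10.0.0.1", "192.168.1.2", "192.168.1.9"


def snat_rule_matching_only_the_reply() -> dict:
    """POSTROUTING SNAT -s 192.168.1.9: for an inbound ping it could only match the reply,
    and the reply never reaches the nat table. Outbound pings from 192.168.1.9 do work."""
    box = NatBox([Rule("POSTROUTING", "SNAT", FIREWALL, src=INSIDE)])
    st_req, _ = box.traverse(Packet(OUTSIDE, INSIDE, "echo-request", 1))
    st_rep, reply = box.traverse(Packet(INSIDE, OUTSIDE, "echo-reply", 1))
    _, out_req = box.traverse(Packet(INSIDE, OUTSIDE, "echo-request", 2))
    _, out_rep = box.traverse(Packet(OUTSIDE, out_req.src, "echo-reply", 2))
    return {"inbound_states": (st_req, st_rep), "inbound_reply_src": reply.src,
            "rules_evaluated": len(box.consulted),
            "outbound_request_src": out_req.src, "outbound_reply_dst": out_rep.dst}


def nat_the_first_packet_instead() -> dict:
    """To change how a reply leaves, translate the request that opened the connection
    (PREROUTING DNAT); conntrack reverses that mapping on the reply with no further rule."""
    box = NatBox([Rule("PREROUTING", "DNAT", INSIDE, dst=FIREWALL)])
    _, fwd = box.traverse(Packet(OUTSIDE, FIREWALL, "echo-request", 7))
    _, back = box.traverse(Packet(INSIDE, OUTSIDE, "echo-reply", 7))
    return {"forwarded_dst": fwd.dst, "reply_src": back.src, "rules_evaluated": len(box.consulted)}
```

In the first scenario the SNAT rule is evaluated exactly twice, once per echo request, and the inbound reply leaves with its source untouched; only the outbound ping from 192.168.1.9 is translated, and its answer is un-translated from the stored mapping. In the second scenario a single DNAT evaluation on the inbound request is enough for the reply to go out with the firewall's address as source, which is the practical answer to the question of NATing a packet of an established connection: write the rule for the packet that opens it.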