Re: NAT PREROUTING chain ignored on returning traffic ??

On Fri, 29 Aug 2003, Zoilo wrote:
> I have 2 machines connected via a LAN: 192.168.192.254 and
> 192.168.192.123. I will call the '254' and '123' from now on.
--- snip ---
> Then I did a single 'ping' from one to the other, and vice versa, while
> logging at 123.
--- snip ---
> To my astonishment, in II) the returning ICMP packets do *not* travel
> through the NAT PREROUTING chain! In I) however, the incoming packets
> *do* travel through the NAT PREROUTING chain, as expected.

The NAT PREROUTING chain is for packets from outside the machine that
initiate a connection (whether thru traffic, or destined for the machine
itself).  ICMP echo exchanges are tracked by conntrack and count as a
connection.  So when on 254 you do "ping 123", 123 will log the packet in
the NAT table, whereas on 123 you do "ping 254", but the answer is part of
the established connection.  The only NATting that will happen, happens on
254 when it gets the echo query packet.

Hope this helps!

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@xxxxxxxxxxxxx  http://www.math.ucla.edu/~jimc (q.v. for PGP key)
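As an added illustration (not part of the original thread), the following Python model replays the two ping scenarios from the question with a minimal conntrack-style lookup: the first packet of an ICMP echo exchange is NEW and traverses nat PREROUTING, the reply is ESTABLISHED and skips the nat table. The host addresses are the ones from the thread; the ICMP ids and the counter/log names are constructed for the example.

```python
from collections import namedtuple
# Constructed sample values: the two hosts from the thread plus arbitrary ICMP ids
IP254, IP123 = "192.168.192.254", "192.168.192.123"
ECHO_REQUEST, ECHO_REPLY = 8, 0
Pkt = namedtuple("Pkt", "src dst icmp_type icmp_id")

def flow_key(p):
    # Normalise both directions of an echo exchange to one conntrack key:
    # a reply is looked up under the tuple of the request it answers.
    if p.icmp_type == ECHO_REQUEST:
        return (p.src, p.dst, p.icmp_id)
    if p.icmp_type == ECHO_REPLY:
        return (p.dst, p.src, p.icmp_id)
    raise ValueError("only echo request/reply are modelled")

class Host:
    def __init__(self, name):
        self.name, self.conntrack, self.log = name, set(), []
        self.nat_prerouting_hits = 0   # packets that traversed nat PREROUTING

    def send(self, p):
        # Locally generated packets pass nat OUTPUT, not PREROUTING, but they
        # still create the conntrack entry that the returning reply matches.
        self.conntrack.add(flow_key(p))

    def receive(self, p):
        key = flow_key(p)
        if key in self.conntrack:
            state = "ESTABLISHED"      # nat table is skipped for this packet
        else:
            state = "NEW"              # first packet of a flow: nat PREROUTING consulted
            self.conntrack.add(key)
            self.nat_prerouting_hits += 1
        self.log.append((p.src, p.dst, p.icmp_type, state))
        return state

def ping(src_host, src_ip, dst_host, dst_ip, icmp_id):
    req = Pkt(src_ip, dst_ip, ECHO_REQUEST, icmp_id)
    src_host.send(req)
    dst_host.receive(req)
    rep = Pkt(dst_ip, src_ip, ECHO_REPLY, icmp_id)
    dst_host.send(rep)
    return src_host.receive(rep)       # state the reply gets at the pinging host

def run_scenarios():
    h254, h123 = Host("254"), Host("123")
    ping(h254, IP254, h123, IP123, 0x1234)   # I)  254 pings 123, log at 123
    ping(h123, IP123, h254, IP254, 0x1235)   # II) 123 pings 254, log at 123
    return h123.nat_prerouting_hits, h254.nat_prerouting_hits, h123.log
```

Host 123 sees exactly one nat PREROUTING traversal (the request in scenario I); the reply in scenario II is logged as ESTABLISHED, and the only other nat traversal is the request arriving at 254.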

