Alex,

It doesn't work because NAT rules apply only to new connections, and the ICMP reply packet is part of a "virtual" established connection.
This is my original question: how to make a rule that makes a NAT to a packet that belongs to an already established connection.

Thank you.

Alexey Toptygin <alexeyt@xxxxxxxxxxxxx> wrote:

On Fri, 17 Sep 2004, darmian martinez wrote:

> Alexey,
>
> I tried your command, but it says:
> iptables: Target problem

What I meant to say was:

iptables -t nat -A POSTROUTING -s [FIREWALL_IP] -p icmp -j SNAT --to-source [FAKE_IP]

which applies, but for some reason works only for outgoing requests.

Can someone on the list explain why this:

iptables -t nat -A POSTROUTING -s 192.168.1.9 -p icmp -j SNAT --to-source 10.0.0.1

Causes this:

# tcpdump -nnvl -i eth0 "icmp"
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:37:38.781912 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 84) 10.0.0.1 > 192.168.1.2: icmp 64: echo request seq 1
17:37:49.656966 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 84) 192.168.1.181 > 192.168.1.9: icmp 64: echo request seq 1
17:37:49.656988 IP (tos 0x0, ttl 64, id 6381, offset 0, flags [none], length: 84) 192.168.1.9 > 192.168.1.181: icmp 64: echo reply seq 1

Do locally generated ICMP replies not go through postrouting for some reason? I'm testing with iptables v1.2.9 and Debian kernel 2.6.7-1-k7.

Alexey
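
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model (not netfilter code) of connection tracking in which the nat rules are evaluated only for the first packet of a flow. The class name, the flow key (source, destination, ICMP echo id) and the echo ids are assumptions made for the illustration.

```python
# Simplified model of netfilter connection tracking and the nat table.
# Assumption: a flow is keyed by (source, destination, ICMP echo id) and all
# hooks are folded into one step. This is an illustration, not netfilter code.

# iptables -t nat -A POSTROUTING -s 192.168.1.9 -p icmp -j SNAT --to-source 10.0.0.1
SNAT_RULES = [{"match_src": "192.168.1.9", "to_source": "10.0.0.1"}]


class ConntrackModel:
    def __init__(self, rules):
        self.rules = rules
        self.tuples = {}  # (src, dst, echo_id) -> (direction, flow)

    def process(self, src, dst, echo_id):
        """Return (state, src, dst) as the packet would appear on the wire."""
        key = (src, dst, echo_id)
        if key not in self.tuples:
            # NEW flow: the only moment the nat rules are evaluated.
            nat_src = next((r["to_source"] for r in self.rules
                            if r["match_src"] == src), src)
            flow = {"orig_src": src, "nat_src": nat_src}
            self.tuples[key] = ("original", flow)
            # Expected reply tuple, registered up front like a conntrack entry.
            self.tuples[(dst, nat_src, echo_id)] = ("reply", flow)
            return ("NEW", nat_src, dst)
        direction, flow = self.tuples[key]
        if direction == "original":
            # Later packets reuse the binding chosen for the first one.
            return ("ESTABLISHED", flow["nat_src"], dst)
        # Reply direction: rules are skipped, only the binding is reversed.
        return ("ESTABLISHED", src, flow["orig_src"])


def replay():
    """Replay the three packets from the capture (echo ids are constructed)."""
    ct = ConntrackModel(SNAT_RULES)
    return [
        ct.process("192.168.1.9", "192.168.1.2", 100),    # firewall pings out
        ct.process("192.168.1.181", "192.168.1.9", 200),  # host pings firewall
        ct.process("192.168.1.9", "192.168.1.181", 200),  # firewall's echo reply
    ]


if __name__ == "__main__":
    for state, src, dst in replay():
        print(f"{state:<12} {src} > {dst}")
```

The third result keeps 192.168.1.9 as its source because the packet belongs to the flow created by the incoming request, so the SNAT rule is never consulted for it.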