Hi,

To summarise, it seems that netfilter in 2.4.20 does not SNAT outbound ICMP echo-replies (the echo-request reached the LAN host via a DNAT), but netfilter in 2.4.27 does seem to. Does anyone know anything about this?

I'm running OpenWRT linux on a Linksys WRT54GS router...

root@wrt54gs:~# uname -a
Linux wrt54gs 2.4.20 #1 Sun Sep 12 04:13:25 EDT 2004 mips unknown
root@wrt54gs:~# iptables --version
iptables v1.2.9
root@wrt54gs:~# dmesg |grep -i netfilter
ip_tables: (C) 2000-2002 Netfilter core team

The primary WAN interface is vlan1, which has IP address x.x.x.54/24.

I'm testing with these commands:

ifconfig vlan1:55 x.x.x.55
iptables -t nat -F
iptables -t nat -A PREROUTING -d x.x.x.55 -j DNAT --to-destination 192.168.64.200
iptables -t nat -A POSTROUTING -s 192.168.64.200 -j SNAT --to-source x.x.x.55
iptables -t nat -A POSTROUTING -s 192.168.64.0/24 -j SNAT --to-source x.x.x.54

.. which results in this nat ruleset:

root@wrt54gs:/etc/init.d# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 3672 packets, 565K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  any    any     anywhere             x.x.x.55            to:192.168.64.200

Chain POSTROUTING (policy ACCEPT 278 packets, 35012 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    any     192.168.64.200       anywhere            to:x.x.x.55
    0     0 SNAT       all  --  any    any     192.168.64.0/24      anywhere            to:x.x.x.54

Chain OUTPUT (policy ACCEPT 31 packets, 3251 bytes)
 pkts bytes target     prot opt in     out     source               destination

This results in 192.168.64.200 being 1:1 NATed as x.x.x.55, and all other addresses in 192.168.64.0/24 being one-way SNATed as x.x.x.54.

Everything works fine, except that when I ping x.x.x.55 from outside, the echo-reply from 192.168.64.200 is not SNATed by netfilter - instead it is forwarded with source address 192.168.64.200 and subsequently filtered by a border router ACL.
I have inserted a match-only rule (no target, just to see the counters) like this:

iptables -t nat -I POSTROUTING -s 192.168.64.200 -p icmp --icmp-type echo-reply

After pinging x.x.x.55 from an external host, and using tcpdump to watch the echo-replies leave the NAT box with source address 192.168.64.200, the counters for the rule I inserted remain at 0 - it seems the echo-reply is never reaching the nat table; however, it is being forwarded without SNAT translation. FORWARD policy is ACCEPT and there are no FORWARD rules getting in the way.

The same kind of setup running kernel 2.4.27 seems to work fine.. pings to the WAN IP are DNATed to the LAN host, and the LAN host's echo-replies are SNATed back to the WAN IP before being sent on to the echo-request source.

Was something changed between 2.4.20 and 2.4.27 which would cause this difference?

Also, is it possible to somehow manually change the source IP to x.x.x.55 for any packets matching something like -d 192.168.64.200 -p icmp --icmp-type echo?

Thanks,
Paul
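For readers following the thread, a toy model (added here; not part of Paul's message or of netfilter's own code) of how the nat table and connection tracking divide the work for the ruleset above: nat rules are consulted only for the first packet of a flow, and the reply (the echo-reply from 192.168.64.200) is rewritten from the conntrack entry created by the DNAT, which is why a match-only echo-reply rule in the nat table never counts a packet. The external address 203.0.113.9 and the ICMP id are constructed; x.x.x.55 is kept as written in the post.

```python
from dataclasses import dataclass, replace
import ipaddress

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    icmp_type: str   # "echo-request" or "echo-reply"
    icmp_id: int     # ICMP identifier; conntrack uses it to pair a reply with its request

# nat rules from the post as (chain, field, pattern, target, address); the last entry
# models the match-only counter rule: no target, so it counts and evaluation continues.
NAT_RULES = [
    ("PREROUTING", "dst", "x.x.x.55", "DNAT", "192.168.64.200"),
    ("POSTROUTING", "src", "192.168.64.200", "SNAT", "x.x.x.55"),
    ("POSTROUTING", "src", "192.168.64.0/24", "SNAT", "x.x.x.54"),
    ("POSTROUTING", "icmp_type", "echo-reply", None, None),
]

def matches(value, pattern):
    if "/" in pattern:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
        except ValueError:  # placeholder addresses such as x.x.x.55 are not parseable
            return False
    return value == pattern

class Conntrack:
    """Toy model: nat rules run once per flow; replies use the stored mapping."""
    def __init__(self):
        self.reply_map = {}                 # expected reply tuple -> original (src, dst)
        self.hits = [0] * len(NAT_RULES)    # per-rule packet counters, like iptables -L -v

    def forward(self, pkt):
        key = (pkt.src, pkt.dst, pkt.icmp_id)
        if key in self.reply_map:           # reply direction: the nat table is not consulted
            orig_src, orig_dst = self.reply_map[key]
            return replace(pkt, src=orig_dst, dst=orig_src)
        out = pkt                           # new flow: PREROUTING, then POSTROUTING
        for chain in ("PREROUTING", "POSTROUTING"):
            for i, (c, field, pattern, target, addr) in enumerate(NAT_RULES):
                if c != chain or not matches(getattr(out, field), pattern):
                    continue
                self.hits[i] += 1
                if target is None:          # match-only rule: count and keep going
                    continue
                out = replace(out, **{"dst" if target == "DNAT" else "src": addr})
                break
        # the reply will arrive with the translated addresses swapped; remember how to undo it
        self.reply_map[(out.dst, out.src, pkt.icmp_id)] = (pkt.src, pkt.dst)
        return out

def ping_through_nat(ct, outside="203.0.113.9"):   # constructed external host
    req = ct.forward(Pkt(outside, "x.x.x.55", "echo-request", 1234))
    rep = ct.forward(Pkt(req.dst, req.src, "echo-reply", 1234))
    return req, rep
```

Running it, the request hits only the DNAT rule, the reply leaves with source x.x.x.55, and every POSTROUTING counter, including the echo-reply one, stays at 0.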