On Wednesday 04 January 2006 at 02:17 +1100, Glenn Schmidt wrote:
> I am using iptables on my NAT gateway but it refuses to apply NAT to any ICMP
> packets. NAT works correctly for other types of packets. The issue seems to be
> that ICMP packets don't pass through the 'nat' table at all. They enter and
> leave the box, without ever seeing the NAT rules.

<AFAIK>
There are two classes of ICMP packets:
. ICMP requests/replies, such as ping
. ICMP errors

ICMP requests/replies work on a NEW/ESTABLISHED scheme, meaning the request has NEW state and the reply ESTABLISHED state. ICMP errors, if valid (i.e. corresponding to an existing conntrack entry), have RELATED state.

Now for the NAT table... The NAT table only "sees" packets with state NEW. If matched and accepted by filtering rules, a corresponding conntrack entry is created, and following packets are handled transparently by conntrack, meaning both ESTABLISHED and RELATED packets.
</AFAIK>

Now, to partially answer your question, and maybe to refine your observations:
. you won't see ICMP errors in the NAT table, which means you won't see ICMP packets generated by a tracerouting application
. you should see ICMP echo requests, but won't see ICMP echo replies

I know it does not totally answer your question, but at least, I hope this provides some useful information to you.

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
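The state scheme described in the reply (echo request NEW, echo reply ESTABLISHED, matching ICMP error RELATED, nat table consulted only for the first NEW packet of a flow) as a toy model added here for illustration; it is not netfilter's code and not from the thread. The flow key (src, dst, echo identifier), the `Icmp`/`Conntrack` names and the 192.0.2.x/198.51.100.x addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NEW, ESTABLISHED, RELATED, INVALID = "NEW", "ESTABLISHED", "RELATED", "INVALID"
ECHO_REPLY, ECHO_REQUEST = 0, 8
ERROR_TYPES = {3, 11}  # destination-unreachable and time-exceeded: the errors traceroute relies on


@dataclass
class Icmp:
    """Constructed ICMP packet; 'inner' is the (src, dst, ident) of the datagram an error quotes."""
    src: str
    dst: str
    type: int
    ident: int = 0
    inner: Optional[Tuple[str, str, int]] = None


@dataclass
class Conntrack:
    # flow key (src, dst, echo id) -> whether a reply has already been seen for that flow
    flows: Dict[Tuple[str, str, int], bool] = field(default_factory=dict)

    def classify(self, pkt: Icmp) -> Tuple[str, bool]:
        """Return (ctstate, nat_table_consulted) for one ICMP packet (simplified model)."""
        if pkt.type == ECHO_REQUEST:
            key = (pkt.src, pkt.dst, pkt.ident)
            if key not in self.flows:
                self.flows[key] = False  # first packet of the flow: the only one the nat table sees
                return NEW, True
            # same flow again: still NEW until a reply is seen, ESTABLISHED afterwards;
            # the NAT binding was fixed by the first packet, so the nat table is skipped
            return (ESTABLISHED if self.flows[key] else NEW), False
        if pkt.type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident)  # a reply travels the reverse direction of its request
            if key in self.flows:
                self.flows[key] = True
                return ESTABLISHED, False
            return INVALID, False  # reply with no tracked request behind it
        if pkt.type in ERROR_TYPES:
            # an error is RELATED only if the datagram it quotes belongs to a tracked flow
            return (RELATED, False) if pkt.inner in self.flows else (INVALID, False)
        return INVALID, False


if __name__ == "__main__":
    ct = Conntrack()
    for p in (Icmp("192.0.2.10", "198.51.100.1", ECHO_REQUEST, ident=0x1234),
              Icmp("198.51.100.1", "192.0.2.10", ECHO_REPLY, ident=0x1234),
              Icmp("198.51.100.254", "192.0.2.10", 11, inner=("192.0.2.10", "198.51.100.1", 0x1234))):
        print(p.type, ct.classify(p))
```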