Re: icmp forward

Hinko Kocevar wrote:
> Pascal Hambourg wrote:
>> Hello,
>>
>> Hinko Kocevar a écrit :
>>> Christoph Paasch wrote:
>>>> On Fri January 30 2009, Hinko Kocevar wrote:
>>>>> Is it possible to 'port forward' ICMP requests?
>>>> You can match the protocol on ICMP packets with -p icmp and let the
>>>> port-specific stuff out of it, as ICMP doesn't use port numbers. But the
>>>> problem will be that your external machine won't be reachable for
>>>> icmp packets (as every icmp packet will get forwarded). It may be
>>>> annoying if MTU or ping packets don't reach your machine anymore.
>>>> That depends on the usage of your gateway.
>>> Yes, that is what I was afraid of. I think that the gateway should still
>>> remain available for ICMP echo-reply from the external network.
>> You must not be afraid of redirecting incoming ICMP replies or error
>> messages originally destined to the gateway to the mobile device. These
>> messages have the state ESTABLISHED or RELATED, while NAT rules see only
>> packets creating a new "connection", which have the state NEW. Even
>> so, you could have your DNAT rule match only the echo-request type
>> with the --icmp-type option. However, if you redirect ICMP echo request
>> to the device, indeed you cannot ping the gateway any more on the same
>> external address. You need a separate address.
> 
> Not quite sure what it is all about, but is it doing something like:
> # ifconfig eth0:1 172.31.64.121 netmask 255.255.254.0 up
> 
> And later..
> # iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
> # iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 10.1.1.2
> 

My bad, should be:
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
iptables -t nat -A PREROUTING -d 172.31.64.121 -p icmp -j DNAT --to-destination 10.1.1.2

And then pinging both IPs from a local area network host produces the desired result:

Gateway:
........
64 bytes from 172.31.64.121: icmp_seq=233 ttl=64 time=1.14 ms
64 bytes from 172.31.64.121: icmp_seq=234 ttl=64 time=1.03 ms
64 bytes from 172.31.64.121: icmp_seq=235 ttl=64 time=1.03 ms
64 bytes from 172.31.64.121: icmp_seq=236 ttl=64 time=1.37 ms
64 bytes from 172.31.64.121: icmp_seq=237 ttl=64 time=1.05 ms
64 bytes from 172.31.64.121: icmp_seq=238 ttl=64 time=1.50 ms
64 bytes from 172.31.64.121: icmp_seq=239 ttl=64 time=1.05 ms
64 bytes from 172.31.64.121: icmp_seq=240 ttl=64 time=1.04 ms

Mobile device:
..............
64 bytes from 172.31.64.126: icmp_seq=236 ttl=127 time=72.0 ms
64 bytes from 172.31.64.126: icmp_seq=237 ttl=127 time=31.0 ms
64 bytes from 172.31.64.126: icmp_seq=238 ttl=127 time=51.7 ms
64 bytes from 172.31.64.126: icmp_seq=239 ttl=127 time=63.8 ms
64 bytes from 172.31.64.126: icmp_seq=240 ttl=127 time=75.2 ms

Thanks to everyone who helped!

Best regards,
Hinko

-- 
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel     ++386 (0) 4 280 66 03
e-mail  hinko.kocevar@xxxxxxxxxxxx
http    www.cetrtapot.si
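The configuration the thread converges on (a dedicated secondary external address that is DNATed to the device, with the DNAT rule bound to that address so the gateway's primary address stays pingable, and, as Pascal suggests, the rule narrowed to echo-request with --icmp-type), written up as one script. This is an added example, not code posted by anyone in the thread; the addresses and interface names are the ones from the thread, the function names (plan_rules, check_plan), the conntrack FORWARD rules and the ip_forward sysctl are assumptions. "plan" only prints the commands so they can be reviewed; "apply" needs root and a netfilter-enabled kernel.

```shell
#!/bin/sh
# Added example (not from the thread): forward ICMP echo-request arriving on a
# secondary external address to a device on the internal network, leaving the
# gateway's own address reachable for ping, path-MTU and other ICMP messages.

EXT_IF="eth0"                 # external interface (from the thread)
EXT_ALIAS="eth0:1"            # alias carrying the forwarded address (from the thread)
FWD_ADDR="172.31.64.121"      # secondary address DNATed to the device (from the thread)
FWD_MASK="255.255.254.0"
DEVICE="10.1.1.2"             # mobile device behind the gateway (from the thread)

# Emit the commands that implement the forward. Only echo-request is DNATed:
# echo-reply and ICMP errors belonging to the gateway's own traffic are
# ESTABLISHED/RELATED and never traverse nat PREROUTING, so they need no rule.
plan_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ifconfig $EXT_ALIAS $FWD_ADDR netmask $FWD_MASK up
iptables -t nat -A PREROUTING -i $EXT_IF -d $FWD_ADDR -p icmp --icmp-type echo-request -j DNAT --to-destination $DEVICE
iptables -A FORWARD -i $EXT_IF -d $DEVICE -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Review the plan before applying it:
#  - every ICMP rule must be scoped to echo-request, otherwise ICMP errors
#    addressed to the forwarded address would be diverted as well;
#  - the DNAT rule must match the forwarded address (-d), not the whole
#    interface, otherwise the gateway's primary address stops answering ping.
check_plan() {
    if plan_rules | grep -- '-p icmp' | grep -v -q -- '--icmp-type echo-request'; then
        return 1
    fi
    plan_rules | grep -- '-j DNAT' | grep -q -- "-d $FWD_ADDR" || return 1
    return 0
}

case "${1:-}" in
    plan)  plan_rules ;;
    check) check_plan && echo "plan is scoped to echo-request on $FWD_ADDR" ;;
    apply) check_plan && plan_rules | sh ;;   # requires root
esac
```

After "apply", the same check as in the thread applies: ping the gateway's primary address and the forwarded address from an outside host; the first is answered by the gateway (ttl=64 in the thread's output), the second by the device (ttl=127, one hop further and a different TTL default), and `conntrack -L -p icmp` shows the DNATed echo-request entry with the device as the reply source.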

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
