Re: Help with routing ping requests

Donald Schlicht wrote:
> I have an application where I need to configure a router to pass through 
> ping requests (ICMP type 8) through to the LAN port. I have a Linksys 
> WRT54GS with tiny DD-WRT V24 SP2 installed. I am adding the following 
> iptables rules: 
> 
> iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -j DNAT --to-destination 192.168.1.200
> iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s 72.64.140.50 -d 192.168.1.200 -j ACCEPT
> iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -d 192.168.1.200 -j ACCEPT
> 
> The intent is that the first rule will change an incoming echo request 
> destination to the unit on the LAN which I want to receive the ping request. 
> 
> The second rule allows the modified echo request to pass through the 
> FORWARD table. And the last one allows the modified echo request to pass 
> through the POSTROUTING table. When I send a ping to the router with four 
> tries, I get no pings out the LAN.

What do you mean exactly? How do you know?

> Using iptables -L -v -n I can see where 
> rule #1 passes one packet (but not four), rule #2 passes four packets 
> (good!) and rule #3 passes 1 packet.

This is expected behaviour. Chains in the nat table see only the first
packet of any "connection". NAT operations applied to this packet are
implicitly applied to subsequent packets of the same connection. A ping
sequence is considered as a connection.
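The counter pattern discussed in this thread (1 / 4 / 1), reproduced with a simplified model of connection tracking. This is an added example, not part of the original messages and not netfilter code; the router WAN address 203.0.113.1, the echo identifiers and the function names are constructed, and conntrack timeouts are ignored.

```python
from collections import Counter

SRC, LAN_HOST = "72.64.140.50", "192.168.1.200"   # addresses from the quoted rules
ROUTER_WAN = "203.0.113.1"                        # constructed placeholder address

def simulate(packets):
    """packets: iterable of (src, dst, echo_id, seq) ICMP echo requests arriving
    on the WAN side. Returns (per-rule packet counters, forwarded packets)."""
    counters = Counter()
    conntrack = {}        # (src, original dst, echo id) -> destination after NAT
    forwarded = []
    for src, dst, echo_id, seq in packets:
        key = (src, dst, echo_id)
        first = key not in conntrack
        if first:
            # nat PREROUTING is traversed only by the packet that creates the entry.
            if src == SRC:
                counters["rule 1: nat PREROUTING DNAT"] += 1
                conntrack[key] = LAN_HOST
            else:
                conntrack[key] = dst      # no rule matched, destination unchanged
        new_dst = conntrack[key]          # stored mapping is applied to every packet
        if new_dst == dst:
            continue                      # not redirected: local delivery, not FORWARD
        counters["rule 2: filter FORWARD ACCEPT"] += 1       # filter sees every packet
        if first:
            counters["rule 3: nat POSTROUTING ACCEPT"] += 1  # nat again: first packet only
        forwarded.append((new_dst, echo_id, seq))
    return counters, forwarded

def four_pings(echo_id=0x1234):
    """One ping run: four echo requests sharing a single ICMP identifier."""
    return [(SRC, ROUTER_WAN, echo_id, seq) for seq in range(1, 5)]

if __name__ == "__main__":
    counters, forwarded = simulate(four_pings())
    for rule, n in counters.items():
        print(f"{rule}: {n} packet(s)")
    print(f"forwarded to LAN: {len(forwarded)}")
```

A second ping run with a different identifier is a new connection in this model, so the two nat counters each increase by one more while the filter counter increases by four.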


