Here is the listing from tables PREROUTING, FORWARD and POSTROUTING
after pinging the router four times:

\u@\h:\w\$ iptables -t nat -L PREROUTING -n -v
Chain PREROUTING (policy ACCEPT 2245 packets, 159K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.1.200
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.64.140.67        tcp dpt:23 to:192.168.1.1:23
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            72.64.140.67        to:192.168.1.1
    0     0 TRIGGER    0    --  *      *       0.0.0.0/0            72.64.140.67        TRIGGER type:dnat match:0 relate:0
\u@\h:\w\$ iptables -L FORWARD -n -v
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 logaccept  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     47   --  *      vlan1   192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan1   192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 TRIGGER    0    --  vlan1  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
\u@\h:\w\$ iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 4 packets, 286 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       0    --  *      vlan1   0.0.0.0/0            0.0.0.0/0           to:72.64.140.67
    0     0 RETURN     0    --  *      br0     0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 MASQUERADE  0   --  *      br0     192.168.1.0/24       192.168.1.0/24
\u@\h:\w\$

Hope this helps

On Mon, Jul 20, 2015 at 12:17 PM, Neal P. Murphy
<neal.p.murphy@xxxxxxxxxxxx> wrote:
> On Mon, 20 Jul 2015 09:05:29 -0400
> Donald Schlicht <dschlic1@xxxxxxxxx> wrote:
>
>> I am using Wireshark to sniff IP packets on both the WAN side and the
>> LAN side. It is good to know that the packets are passing through the
>> tables correctly. Anyone have an idea why I'm not seeing anything on
>> the LAN side?
>>
>> >> I have an application where I need to configure a router to pass
>> >> through ping requests (ICMP type 8) through to the LAN port. I
>> >> have a Linksys WRT54GS with tiny DD-WRT V24 SP2 installed. I am
>> >> adding the following iptables rules:
>> >>
>> >> iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -j DNAT --to-destination 192.168.1.200
>> >> iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s 72.64.140.50 -d 192.168.1.200 -j ACCEPT
>> >> iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -d 192.168.1.200 -j ACCEPT
>
> That third rule is not needed--and mayn't do anything anyway.
>
> I added the equivalent of your PREROUTING and FORWARD rules to my
> perimeter F/W; they work. (One difference: since my filter:FORWARD has
> a blanket "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
> rule, I added "-m state --state NEW" to my equivalent of your second
> (FORWARD) rule.)
>
> Since *one* request gets through, we can say the NAT rule works. That
> leaves FORWARD. What else is in filter:FORWARD? Your FORWARD rule may be
> in the wrong position; you may need to insert it later in the chain.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
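
Added example, not part of the thread: a small filter that reads `iptables -L -n -v` output and reports, per chain, which rule positions actually counted packets, which is the check the listing above is being used for. The function names are made up for this example and the sample input is an excerpt of the listing in this message; note that nat-table rules are only consulted for the first packet of a tracked flow, so a count of 1 in nat:PREROUTING next to 4 in filter:FORWARD is expected.

```shell
#!/bin/sh
# Added example: show which rules counted packets in `iptables -L -n -v`
# output, together with each rule's position in its chain.

# Sample input: excerpt of the listings in the message above (rules trimmed).
sample_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 2245 packets, 159K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.1.200
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.64.140.67        tcp dpt:23 to:192.168.1.1:23

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 logaccept  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     47   --  *      vlan1   192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# hit_rules: read a listing on stdin and print one line per rule whose packet
# counter is non-zero: "<chain> #<position> pkts=<n> target=<t> proto=<p>".
hit_rules() {
    awk '
        $1 == "Chain"           { chain = $2; pos = 0; next }  # new chain header
        $1 == "pkts" || NF == 0 { next }                       # column header, blank line
        {
            pos++                                              # rule position within the chain
            if ($1 != "0")
                printf "%s #%d pkts=%s target=%s proto=%s\n", chain, pos, $1, $3, $4
        }
    '
}

# On the router itself: { iptables -t nat -L -n -v; iptables -L -n -v; } | hit_rules
sample_listing | hit_rules
```

Here the only FORWARD rule with a non-zero counter is rule #1 (logaccept), so all four echo requests were accepted by the first rule in the chain and never reached the later rules.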