- 03-27-2008 #1 Just Joined! (Join Date: Mar 2008, Posts: 3)
DSNAT & NAT for icmp
Hi, I am a newbie in IP & Linux.
I have two PCs with Fedora in a LAN configuration.
One machine acts as a router: eth0 (192.168.1.65) is the access to the internet, and eth1 (10.1.1.1) is the access to the LAN.
I configured the router with SNAT & DNAT with iptables commands
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 10.1.1.1-10.1.1.211
and enabled ip_forwarding in /etc/sysctl.conf.
When I ping from the second machine (10.1.1.201) to a DSL modem (192.168.1.254),
the request passes through the Linux router and arrives at the DSL, the DSL responds, the reply arrives at the Linux router, but it does not arrive at the second machine. This is the tcpdump result:
[root@localhost daniel]# /usr/sbin/tcpdump -i eth1 icmp
tcpdump: listening on eth1
06:09:49.217486 10.1.1.201 > home: icmp: echo request (DF)
06:09:50.217600 10.1.1.201 > home: icmp: echo request (DF)
06:09:51.217702 10.1.1.201 > home: icmp: echo request (DF)
06:09:52.217855 10.1.1.201 > home: icmp: echo request (DF)
[root@localhost daniel]# /usr/sbin/tcpdump -i eth0 icmp
tcpdump: listening on eth0
06:10:24.221613 192.168.1.65 > home: icmp: echo request (DF)
06:10:24.222138 home > 192.168.1.65: icmp: echo reply (DF)
06:10:25.221746 192.168.1.65 > home: icmp: echo request (DF)
06:10:25.222755 home > 192.168.1.65: icmp: echo reply (DF)
06:10:26.221912 192.168.1.65 > home: icmp: echo request (DF)
Why does the ping request not arrive at the second machine, and why is the (internet modem) called "home"?
Here is my routing table:
netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
[root@localhost daniel]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
10.1.1.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default home 0.0.0.0 UG 0 0 0 eth0
Please, any help, thanks!!!
- 03-27-2008 #2
- 03-27-2008 #3 Just Joined! (Join Date: Mar 2008, Posts: 3)
I dropped, the same thing still happens, i.e. the ICMP request does not arrive at the second machine. The second machine has Fedora 6, the router Fedora 4.
Any suggestions please!!
- 03-28-2008 #4
Not sure, could be the way you set up your firewall. Check that you are allowing the packets back.
Remember ICMP is on different ports for requests and replies.
If you feel safe you could post your firewall rules for a look.
- 03-28-2008 #5 Just Joined! (Join Date: Mar 2008, Posts: 3)
Here are my iptables rules
[root@localhost daniel]# /sbin/service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
- 03-29-2008 #6
Post the ones listed in /etc/sysconfig/iptables.
This is easier to understand for me anyway.
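An added example, not part of the thread: the status listing in post #5 prints the first rule as "ACCEPT all -- anywhere anywhere" because a plain listing omits interface matches, which is one reason the /etc/sysconfig/iptables format is easier to audit. The sketch below parses rules in that format and walks the returning echo reply through FORWARD with first-match semantics. The sample ruleset is constructed and assumes the stock Red Hat rules (first ACCEPT is `-i lo`); the poster's actual file is not shown.

```python
import shlex

# Constructed sample in /etc/sysconfig/iptables (iptables-save) format.
# ASSUMPTION: stock Red Hat ruleset, trimmed; not the poster's real file.
SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) for one table."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")}
            chains[tok[1]].append({"opts": opts, "text": line})
    return policies, chains

def matches(opts, pkt):
    """True when every match this sketch understands (-i, -o, -p, --state) fits."""
    fields = {"-i": "in", "-o": "out", "-p": "proto"}
    if any(k in opts and opts[k] != pkt[f] for k, f in fields.items()):
        return False
    return "--state" not in opts or pkt["state"] in opts["--state"].split(",")

def walk(policies, chains, chain, pkt):
    """First-match traversal: return (verdict, text of the deciding rule)."""
    for rule in chains[chain]:
        target = rule["opts"].get("-j")
        if not target or not matches(rule["opts"], pkt):
            continue
        if target not in chains:              # terminating target (ACCEPT, REJECT, ...)
            return target, rule["text"]
        verdict = walk(policies, chains, target, pkt)   # jump into a user chain
        if verdict[0] != "RETURN":
            return verdict
    return ("RETURN" if policies[chain] == "-" else policies[chain]), f"policy of {chain}"

if __name__ == "__main__":
    pol, ch = parse(SAMPLE)
    reply = {"in": "eth0", "out": "eth1", "proto": "icmp", "state": "ESTABLISHED"}
    print(walk(pol, ch, "FORWARD", reply))
```

Negated matches (`!`) and non-terminating targets such as LOG are not modelled; on a live router, `iptables -L -n -v` shows the interface columns and per-rule packet counters.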

