  1. #1
    Just Joined! (joined Mar 2008, 3 posts)

    DSNAT & NAT for icmp


    Hi, I am a newbie in IP & Linux.

    I have two PCs with Fedora in a LAN configuration.
    One machine acts as a router: eth0 (192.168.1.65) is the access to the internet, and eth1 (10.1.1.1) is the access to the LAN.

    I configured the router with SNAT & DNAT with iptables commands

    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 10.1.1.1-10.1.1.211

    and enabled ip_forwarding in /etc/sysctl.conf.

    When I ping from the second machine 10.1.1.201 to a DSL modem (192.168.1.254),
    the request passes through the Linux router, arrives at the DSL, the DSL responds, it arrives at the Linux router but it does not arrive at the second machine. This is the tcpdump result:


    [root@localhost daniel]# /usr/sbin/tcpdump -i eth1 icmp
    tcpdump: listening on eth1
    06:09:49.217486 10.1.1.201 > home: icmp: echo request (DF)
    06:09:50.217600 10.1.1.201 > home: icmp: echo request (DF)
    06:09:51.217702 10.1.1.201 > home: icmp: echo request (DF)
    06:09:52.217855 10.1.1.201 > home: icmp: echo request (DF)

    [root@localhost daniel]# /usr/sbin/tcpdump -i eth0 icmp
    tcpdump: listening on eth0
    06:10:24.221613 192.168.1.65 > home: icmp: echo request (DF)
    06:10:24.222138 home > 192.168.1.65: icmp: echo reply (DF)
    06:10:25.221746 192.168.1.65 > home: icmp: echo request (DF)
    06:10:25.222755 home > 192.168.1.65: icmp: echo reply (DF)
    06:10:26.221912 192.168.1.65 > home: icmp: echo request (DF)

    Why does the ping request not arrive at the second machine, and why is the (internet modem) called "home"?


    Here is my routing table:

    netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    192.168.1.0     0.0.0.0         255.255.255.0   U       0 0        0 eth0
    10.1.1.0        0.0.0.0         255.255.255.0   U       0 0        0 eth1
    169.254.0.0     0.0.0.0         255.255.0.0     U       0 0        0 eth1
    127.0.0.0       0.0.0.0         255.0.0.0       U       0 0        0 lo
    0.0.0.0         192.168.1.254   0.0.0.0         UG      0 0        0 eth0

    [root@localhost daniel]# netstat -r
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    192.168.1.0     *               255.255.255.0   U       0 0        0 eth0
    10.1.1.0        *               255.255.255.0   U       0 0        0 eth1
    169.254.0.0     *               255.255.0.0     U       0 0        0 eth1
    127.0.0.0       *               255.0.0.0       U       0 0        0 lo
    default         home            0.0.0.0         UG      0 0        0 eth0

    Please, any help, thanks!!!
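
A small shell helper, added here as an example and not part of the thread, that tallies echo requests against echo replies in tcpdump's text output so the interface on which replies stop shows up at a glance. The sample captures are constructed from the lines posted above (the classic "src > dst: icmp: echo request" line format is assumed), and the eth0/eth1 labels are those of the question. On the naming question: tcpdump prints whatever name resolution returns for 192.168.1.254 (here "home", the same name netstat -r shows for the default gateway); running it with -n prints raw addresses instead.

```shell
#!/bin/sh
# Added example, not code from the thread: tally ICMP echo requests against
# replies in classic tcpdump text output, per capture, so the interface on
# which replies stop is visible. Line format assumed: the one in the post,
# "<time> <src> > <dst>: icmp: echo request|reply ...".

# Constructed sample captures, modelled on the lines posted above.
ETH1_CAPTURE='06:09:49.217486 10.1.1.201 > home: icmp: echo request (DF)
06:09:50.217600 10.1.1.201 > home: icmp: echo request (DF)
06:09:51.217702 10.1.1.201 > home: icmp: echo request (DF)'

ETH0_CAPTURE='06:10:24.221613 192.168.1.65 > home: icmp: echo request (DF)
06:10:24.222138 home > 192.168.1.65: icmp: echo reply (DF)
06:10:25.221746 192.168.1.65 > home: icmp: echo request (DF)
06:10:25.222755 home > 192.168.1.65: icmp: echo reply (DF)'

# count_icmp: read tcpdump lines on stdin, print "<requests> <replies>".
count_icmp() {
    awk '
        /icmp: echo request/ { req++ }
        /icmp: echo reply/   { rep++ }
        END { printf "%d %d\n", req + 0, rep + 0 }
    '
}

# unanswered: requests minus replies for the capture on stdin (never below 0).
unanswered() {
    count_icmp | awk '{ d = $1 - $2; if (d < 0) d = 0; print d }'
}

# diagnose LAN_UNANSWERED WAN_UNANSWERED: say on which side replies are lost.
diagnose() {
    lan_lost=$1
    wan_lost=$2
    if [ "$wan_lost" -gt 0 ]; then
        echo "no replies on the WAN side: the far end or the upstream path drops them"
    elif [ "$lan_lost" -gt 0 ]; then
        echo "replies reach the router on the WAN side but are not forwarded to the LAN: check FORWARD rules and conntrack"
    else
        echo "replies are forwarded normally"
    fi
}

# Usage with live captures taken on the router while the LAN host pings:
#   tcpdump -n -i eth1 icmp > lan.txt ; tcpdump -n -i eth0 icmp > wan.txt
#   diagnose "$(unanswered < lan.txt)" "$(unanswered < wan.txt)"
lan_lost=$(printf '%s\n' "$ETH1_CAPTURE" | unanswered)
wan_lost=$(printf '%s\n' "$ETH0_CAPTURE" | unanswered)
echo "eth1 (LAN): $lan_lost unanswered; eth0 (WAN): $wan_lost unanswered"
diagnose "$lan_lost" "$wan_lost"
```

Run on the two captures above it reports three unanswered requests on eth1 and none on eth0, which is exactly the pattern the question describes: the reply comes back to the router's external address but is never forwarded out of eth1, so the FORWARD chain and the connection-tracking entry for the masqueraded ping are the places to look.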

  2. #2
    Linux Guru Lazydog (joined Jun 2004, The Keystone State, 2,672 posts)
    Originally Posted by danielcq55:
    # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 10.1.1.1-10.1.1.211
    Drop this rule. You don't need it. IPTABLES will keep track of which IP sent which request.

    The only time you need DNAT is when you have a request coming in on your external IP that you need to redirect to another system.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
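
To show the point of the reply above in working configuration, here is an added example (not the poster's script, nor Fedora's): the minimal iptables setup for a two-interface NAT router as described in the question. It uses only a MASQUERADE rule for outbound traffic and a FORWARD policy that lets replies back in, with DNAT reserved for an explicitly declared inbound service. The interface names and the 10.1.1.0/24 network are assumptions taken from the first post, the web server on 10.1.1.201 is hypothetical, and DRY_RUN=1 prints the commands instead of executing them so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not code from the thread: the minimal iptables setup for a
# two-interface NAT router such as the one described above. Interface names
# and the LAN network are assumptions taken from the first post; the port
# forward is a hypothetical service. DRY_RUN=1 prints the commands instead
# of executing them, so the ruleset can be reviewed before it is applied.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-10.1.1.0/24}

# run CMD...: execute, or just print when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# nat_router_rules: source NAT for the LAN plus a FORWARD policy that lets
# the LAN initiate and lets replies back in. No DNAT is involved: conntrack
# remembers each outbound mapping and un-NATs the reply on its own.
nat_router_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
}

# port_forward PROTO WAN_PORT INTERNAL_IP[:PORT]: the one case where DNAT
# belongs, a service behind the router that must be reachable from outside.
# The matching FORWARD rule admits only that protocol, host and port.
port_forward() {
    proto=$1
    port=$2
    target=$3
    int_ip=${target%%:*}
    case $target in
        *:*) int_port=${target#*:} ;;
        *)   int_port=$port ;;
    esac
    run iptables -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$int_ip" \
        --dport "$int_port" -m state --state NEW -j ACCEPT
}

# build_ruleset: the router rules plus one hypothetical inbound web server.
build_ruleset() {
    nat_router_rules
    port_forward tcp 80 10.1.1.201:80
}

# Usage:  sh nat-router.sh show    (print the commands for review)
#         sh nat-router.sh apply   (as root, apply them)
case ${1:-} in
    show)  DRY_RUN=1; build_ruleset ;;
    apply) build_ruleset ;;
esac
```

The contrast with the rules in the question is the PREROUTING table: nothing is rewritten on the way in unless a specific port is declared, so a blanket DNAT of every inbound packet to a range of LAN addresses never enters the picture. The FORWARD chain is what decides whether the modem's reply is handed on to eth1, which is why it defaults to DROP and admits RELATED,ESTABLISHED traffic explicitly.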

  3. #3
    Just Joined! (joined Mar 2008, 3 posts)
    I dropped it; the same thing still happens, i.e. the ICMP request does not arrive at the second machine. The second machine has Fedora 6, the router Fedora 4.

    Any suggestions please !!

  4. #4
    Linux Guru Lazydog (joined Jun 2004, The Keystone State, 2,672 posts)
    Not sure; it could be the way you set up your firewall. Check that you are allowing the packets back.
    Remember ICMP is on different ports for requests and replies.

    If you feel safe you could post your firewall rules for a look.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #5
    Just Joined! (joined Mar 2008, 3 posts)
    Here are my iptables rules:
    [root@localhost daniel]# /sbin/service iptables status
    Table: nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Table: filter
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain RH-Firewall-1-INPUT (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere icmp any
    ACCEPT ipv6-crypt -- anywhere anywhere
    ACCEPT ipv6-auth -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

  6. #6
    Linux Guru Lazydog (joined Jun 2004, The Keystone State, 2,672 posts)
    Post the ones listed in /etc/sysconfig/iptables.

    This is easier to understand, for me anyway.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
