From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ciaran Deignan
Subject: Re: snat and ICMP question
Date: Wed, 09 Oct 2002 12:11:05 +0200
Sender: netfilter-devel-admin@lists.netfilter.org
Message-ID: <3DA400B9.390A17F7@netcelo.com>
References: <3DA30D48.3EA0E56E@netcelo.com> <200210081500.06505.marian@ti.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Cc: netfilter-devel@lists.netfilter.org, Matthieu Marc
Return-path:
To: Marian Stagarescu
Errors-To: netfilter-devel-admin@lists.netfilter.org
List-Help:
List-Post:
List-Subscribe: ,
List-Unsubscribe: ,
List-Archive:
List-Id: netfilter-devel.vger.kernel.org

Marian Stagarescu wrote:
>
> > I'm using the following configuration
> >
> > iptables -t mangle -A PREROUTING --in-interface ipsec+ \
> > -j MARK --set-mark 1
> > iptables -t nat -A POSTROUTING -m mark --mark 1 \
> > -j MASQUERADE
>
> I think that the icmp packet is not marked hence not masqueraded
> (it is locally generated by the ip stack (above ipsec anyways) hence
> does not follow rule 1 mangle above).
>
> Is this your config?
>
>
> SNAT
> ------------------->
> ipsec-interface public_interface-------WEB-SERVER
> mtu 1400 mtu 1500
> | 1500
> | <-------------
> |
> ICMP frag required |
> (OUTPUT) ------------+

The ASCII art is a bit messed up, but yes, this is my config.
Actually, the web server is on the private interface.

The ICMP error message contains the real address of the remote user.

Do you think I should mark ICMP messages on the OUTPUT chain?
I must try that...

Ciaran
--
+---------------------------------------------------------+
Ciaran Deignan 04 38 49 87 27
Netcelo SA - IPsec VPN Solutions http://www.netcelo.com/
18-20 rue Henri Barbusse - BP 2501, 38035 Grenoble Cedex 2
+---------------------------------------------------------+
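The symptom in this thread, an ICMP "fragmentation needed" error whose quoted inner header still carries the remote user's real address rather than the masqueraded one, can be checked offline. The following is an added example, not code from the list posting or from netfilter: it builds a constructed ICMP type 3 code 4 message the way a router generates it (outer IP header, 8-byte ICMP header with the next-hop MTU in its last two bytes, then the first 28 bytes of the packet that could not be forwarded), parses it back, and reports whether the receiving host could match the quoted header against a connection it actually has. All addresses (192.0.2.x, 10.9.8.7) and ports are placeholders I chose for the example.

```python
"""Constructed ICMP 'fragmentation needed' packets and a NAT-mismatch check.
Example code, not from the thread; addresses are RFC 5737 / RFC 1918 placeholders."""
import struct
import ipaddress

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when verifying a valid block)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with DF set and a correct header checksum."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(router: str, receiver: str, next_hop_mtu: int,
                      inner_src: str, inner_dst: str, sport: int, dport: int) -> bytes:
    """ICMP type 3 code 4 as a router emits it for a 1500-byte DF packet it cannot forward.
    The error quotes the offending packet's IP header plus 8 bytes of its payload."""
    quoted = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, 1480)      # 1500-byte original
    quoted += struct.pack("!HHI", sport, dport, 1)                      # TCP ports + seq
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    icmp += quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, receiver, IPPROTO_ICMP, len(icmp)) + icmp


def parse_frag_needed(packet: bytes) -> dict:
    """Parse outer header, ICMP header and quoted inner header; raise on malformed input."""
    ihl = (packet[0] & 0x0F) * 4
    outer = struct.unpack(IPV4_FMT, packet[:20])
    icmp = packet[ihl:]
    if len(icmp) < 8 + 28:
        raise ValueError("truncated ICMP error")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, icode, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, icode) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not a fragmentation-needed message")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    in_hdr = struct.unpack(IPV4_FMT, inner[:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "outer_src": str(ipaddress.IPv4Address(outer[8])),
        "outer_dst": str(ipaddress.IPv4Address(outer[9])),
        "mtu": mtu,
        "inner_src": str(ipaddress.IPv4Address(in_hdr[8])),
        "inner_dst": str(ipaddress.IPv4Address(in_hdr[9])),
        "inner_proto": in_hdr[6],
        "sport": sport,
        "dport": dport,
    }


def receiver_can_match(parsed: dict, sent_src: str, sent_dst: str, sport: int, dport: int) -> bool:
    """A host attributes an ICMP error to a socket by the quoted inner header. If the
    quote still names the VPN user's real address, the web server never sent anything
    there, finds no matching socket, drops the error and PMTU discovery fails."""
    seen = (parsed["inner_src"], parsed["inner_dst"], parsed["sport"], parsed["dport"])
    return seen == (sent_src, sent_dst, sport, dport)


if __name__ == "__main__":
    # Constructed scenario: web server 192.0.2.10:80 talks to the masqueraded address
    # 192.0.2.1:40000; the real VPN user behind it is 10.9.8.7; ipsec MTU is 1400.
    leaked = build_frag_needed("192.0.2.1", "192.0.2.10", 1400, "192.0.2.10", "10.9.8.7", 80, 40000)
    fixed = build_frag_needed("192.0.2.1", "192.0.2.10", 1400, "192.0.2.10", "192.0.2.1", 80, 40000)
    for label, pkt in (("untranslated quote", leaked), ("translated quote", fixed)):
        p = parse_frag_needed(pkt)
        ok = receiver_can_match(p, "192.0.2.10", "192.0.2.1", 80, 40000)
        print(f"{label}: inner_dst={p['inner_dst']} mtu={p['mtu']} matches_socket={ok}")
```

The untranslated case reproduces the failure the thread describes: the error is delivered to the web server, but its quoted header names 10.9.8.7, an address the server never sent to, so the error is ignored and the 1500-byte segments keep being dropped at the 1400-byte ipsec link. The same parser can be pointed at a captured ICMP error from the real setup to confirm which of the two cases is occurring before changing the mangle rules.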