ICMP NAT

ICMP NAT

[pablo.1.munoz]

 
Hi all, Can someone tell me how can I implement a SNAT POSTROUTING and a
DNAT PREROUTING of an ICMP packet?

Regards, Pablo.

Re: ICMP NAT

[Glaucius Djalma Pereira Junior]

iptables -t nat -A PREROUTING -d PUBLIC_IP -p icmp -j DNAT --to PRIVATE_IP
iptables -t nat -A POSTROUTING -s PRIVATE_IP -p icmp -j SNAT --to PUBLIC_IP

and if you want packets from source local :

iptables -t nat -A OUTPUT -d PUBLIC_IP -p icmp -j DNAT --to PRIVATE_IP

best regards

On 6/13/05, pablo.1.munoz@bt.com <pablo.1.munoz@bt.com> wrote:
> 
> Hi all, Can someone tell me how can I implement a SNAT POSTROUTING and a
> DNAT PREROUTING of an ICMP packet?
> 
> Regards, Pablo.
> 
> 


-- 
Glaucius Djalma Pereira Junior
glaucius@gmail.com

ICMP nat

[Victor A. Bykov]

“АВТОРАДИО”
КОМУ:  netfilter@lists.netfilter.org
ОТ: Системный администратор Быков Виктор Андреевич
ТЕМА: ICMP nat

=================
 Cedric Blancher blancher at cartel-securite.fr wrote on Tue Jan 3 17:11:01 CET 2006
<AFAIK>
There's two class of ICMP packets:
 . ICMP requests/replies, such as ping
 . ICMP errors

ICMP requests/replies works on a NEW/ESTABLISHED scheme, meaning the
request have NEW state and reply ESTABLISHED state.

ICMP errors, if valid (i.e. corresponding to an existing contrack
entry), have RELATED state.

Now for NAT table... NAT table only "sees" packets with state NEW. If
matched and accepted by filtering rules, an according conntrack entry is
created, and following packets are handled transparently by conntrack,
meaning both ESTABLISHED and RELATED packets.
</AFAIK>

Now, to partially answer your question, and maybe to refine your
observations:
        . you won't see ICMP errors in NAT table, which means you won't
          see ICMP packets generated by a tracerouting application
        . you should see ICMP echo requests, but won't see ICMP echo
         replies
================================
My question is: if I, for example, generate icmp packet with icmp-type 11
by packet generator, this packet is not in ESTABLISHED state, and not in conntrack list, and probably should go via NAT table? in 
practical test, however, that kind of packet not go via NAT!



Дата/Время: 02.02.2006 14:57:00
Телефон: + 7 (495) 258-33-44
E-mail: vr@aradio.ru
Веб сайт: http://www.avtoradio.ru

Re: ICMP nat

[Cedric Blancher]

Le jeudi 02 février 2006 à 14:57 +0300, Victor A. Bykov a écrit :
> My question is: if I, for example, generate icmp packet with icmp-type
> 11 by packet generator, this packet is not in ESTABLISHED state, and
> not in conntrack list, and probably should go via NAT table? in
> practical test, however, that kind of packet not go via NAT!

If you craft an ICMP error, then it will be given INVALID state as no
previous entry exists in conntrack table to which it can be associated.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: ICMP nat

[Victor A. Bykov]

"?????????"
????:  Cedric Blancher
??: ????????? ????????????? ????? ?????? ?????????
????: Re: ICMP nat
CC:  netfilter@lists.netfilter.org


>> My question is: if I, for example, generate icmp packet with icmp-type
>> 11 by packet generator, this packet is not in ESTABLISHED state, and
>> not in conntrack list, and probably should go via NAT table? in
>> practical test, however, that kind of packet not go via NAT!

>If you craft an ICMP error, then it will be given INVALID state as no
>previous entry exists in conntrack table to which it can be associated.

which means that such ICMP packet will go via NAT POSTROUTING chain, correct?


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



????/?????: 02.02.2006 17:54:21
???????: + 7 (495) 258-33-44
E-mail: vr@aradio.ru
??? ????: http://www.avtoradio.ru