* doubt with NAPT on icmp packet
[not found] <CADAe=+LWJQxnuMT2LW4Bm7pJAsHP_PHNpde0Vpue4ULMMj17Wg@mail.gmail.com>
@ 2011-10-09 6:54 ` Ajith Adapa
2011-10-09 8:47 ` Ajith Adapa
0 siblings, 1 reply; 3+ messages in thread
From: Ajith Adapa @ 2011-10-09 6:54 UTC (permalink / raw)
To: netfilter-devel
Hi,
I have a doubt regarding the NAPT mechanism part of netfilter in linux
kernel for a ICMP packet. I am using Redhat 5.7 64 bit OS.
In case of ICMP packets basically it is the echoid and source address
are used as a tuple or a key. So based on the NAPT rules present in
iptables the echo id
module in icmp packet has to be modified.
But its not happening so. Echoid in icmp packet remains same. My
iptable nat rules are shown below. Ideal case icmp echo id has to
modified to the range as shown below.
I am sorry if I am wrong .. anyway to debug such a scenarios ?
iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 DNAT all -- eth1 * 0.0.0.0/0
0.0.0.0/0 to:192.168.1.1
Chain POSTROUTING (policy ACCEPT 104 packets, 6628 bytes)
pkts bytes target prot opt in out source
destination
0 0 MASQUERADE icmp -- * eth1 192.168.1.0/24
0.0.0.0/0 masq ports: 63232-63359
Regards,
Ajith
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: doubt with NAPT on icmp packet
2011-10-09 6:54 ` doubt with NAPT on icmp packet Ajith Adapa
@ 2011-10-09 8:47 ` Ajith Adapa
2011-10-10 3:24 ` Ajith Adapa
0 siblings, 1 reply; 3+ messages in thread
From: Ajith Adapa @ 2011-10-09 8:47 UTC (permalink / raw)
To: netfilter-devel
Hi,
It seems IP MASQUERADING is not working in the case of icmp packet
same rules for a TCP and UDP packet are working without any issue..
Is there any way to debug in this case ?
Regards,
Ajith
On Sun, Oct 9, 2011 at 12:24 PM, Ajith Adapa <adapa.ajith@gmail.com> wrote:
> Hi,
>
> I have a doubt regarding the NAPT mechanism part of netfilter in linux
> kernel for a ICMP packet. I am using Redhat 5.7 64 bit OS.
>
> In case of ICMP packets basically it is the echoid and source address
> are used as a tuple or a key. So based on the NAPT rules present in
> iptables the echo id
> module in icmp packet has to be modified.
>
> But its not happening so. Echoid in icmp packet remains same. My
> iptable nat rules are shown below. Ideal case icmp echo id has to
> modified to the range as shown below.
> I am sorry if I am wrong .. anyway to debug such a scenarios ?
>
> iptables -t nat -L -nv
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 DNAT all -- eth1 * 0.0.0.0/0
> 0.0.0.0/0 to:192.168.1.1
> Chain POSTROUTING (policy ACCEPT 104 packets, 6628 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 MASQUERADE icmp -- * eth1 192.168.1.0/24
> 0.0.0.0/0 masq ports: 63232-63359
>
> Regards,
> Ajith
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: doubt with NAPT on icmp packet
2011-10-09 8:47 ` Ajith Adapa
@ 2011-10-10 3:24 ` Ajith Adapa
0 siblings, 0 replies; 3+ messages in thread
From: Ajith Adapa @ 2011-10-10 3:24 UTC (permalink / raw)
To: netfilter-devel
In my case even log level wouldnt help me as the MASQUERADE rule is on
postrouting chain of nat which is the last chain. Once it hits the
rule with target as MASQUERADE is there a way to see the output of it
?
But why does it happen so with an ICMP packet ?
Regards,
Ajith
On Sun, Oct 9, 2011 at 2:17 PM, Ajith Adapa <adapa.ajith@gmail.com> wrote:
> Hi,
>
> It seems IP MASQUERADING is not working in the case of icmp packet
> same rules for a TCP and UDP packet are working without any issue..
>
> Is there any way to debug in this case ?
>
> Regards,
> Ajith
>
>
>
>
> On Sun, Oct 9, 2011 at 12:24 PM, Ajith Adapa <adapa.ajith@gmail.com> wrote:
>> Hi,
>>
>> I have a doubt regarding the NAPT mechanism part of netfilter in linux
>> kernel for a ICMP packet. I am using Redhat 5.7 64 bit OS.
>>
>> In case of ICMP packets basically it is the echoid and source address
>> are used as a tuple or a key. So based on the NAPT rules present in
>> iptables the echo id
>> module in icmp packet has to be modified.
>>
>> But its not happening so. Echoid in icmp packet remains same. My
>> iptable nat rules are shown below. Ideal case icmp echo id has to
>> modified to the range as shown below.
>> I am sorry if I am wrong .. anyway to debug such a scenarios ?
>>
>> iptables -t nat -L -nv
>> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source
>> destination
>> 0 0 DNAT all -- eth1 * 0.0.0.0/0
>> 0.0.0.0/0 to:192.168.1.1
>> Chain POSTROUTING (policy ACCEPT 104 packets, 6628 bytes)
>> pkts bytes target prot opt in out source
>> destination
>> 0 0 MASQUERADE icmp -- * eth1 192.168.1.0/24
>> 0.0.0.0/0 masq ports: 63232-63359
>>
>> Regards,
>> Ajith
>>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2011-10-10 3:25 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CADAe=+LWJQxnuMT2LW4Bm7pJAsHP_PHNpde0Vpue4ULMMj17Wg@mail.gmail.com>
2011-10-09 6:54 ` doubt with NAPT on icmp packet Ajith Adapa
2011-10-09 8:47 ` Ajith Adapa
2011-10-10 3:24 ` Ajith Adapa
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).