From: "Neal P. Murphy" <neal.p.murphy@alum.wpi.edu>
To: netfilter@vger.kernel.org
Subject: Re: Help with routing ping requests
Date: Mon, 20 Jul 2015 12:17:03 -0400
Message-ID: <20150720121703.6cd673af@playground>
In-Reply-To: <CAA0NJieGe771feM-0k5nyEqzXwfrHp+hwOt9t+=yJ7rmq+ERUg@mail.gmail.com>

On Mon, 20 Jul 2015 09:05:29 -0400
Donald Schlicht <dschlic1@gmail.com> wrote:
> I am using Wireshark to sniff IP packets on both the WAN side and the
> LAN side. It is good to know that the packets are passing through the
> tables correctly. Anyone have an idea why I'm not seeing anything on
> the LAN side?
>
> >> I have an application where I need to configure a router to pass
> >> through ping requests (ICMP type 8) through to the LAN port. I
> >> have a Linksys WRT54GS with tiny DD-WRT V24 SP2 installed. I am
> >> adding the following iptables rules:
> >>
> >> iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s
> >> 72.64.140.50 -j DNAT --to-destination 192.168.1.200
> >> iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s
> >> 72.64.140.50 -d 192.168.1.200 -j ACCEPT
> >> iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s
> >> 72.64.140.50 -d 192.168.1.200 -j ACCEPT

That third rule is not needed--and mayn't do anything anyway.

I added the equivalent of your PREROUTING and FORWARD rules to my
perimeter F/W; they work. (One difference: since my filter:FORWARD has
a blanket "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
rule, I added "-m state --state NEW" to my equivalent of your second
(FORWARD) rule.)

Since *one* request gets through, we can say the NAT rule works. That
leaves FORWARD. What else is in filter:FORWARD? Your FORWARD rule may be
in the wrong position; you may need to insert it later in the chain.
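
Added example, not part of the original message: a shell check for the rule-position question raised above. It reads FORWARD rules in `iptables -S` format, finds the ACCEPT rule for the DNAT target, and lists earlier DROP/REJECT rules that could see the ICMP packet first. The sample ruleset and the function names are constructed for illustration, and the match is a heuristic on protocol only.

```shell
#!/bin/sh
# Constructed sample in `iptables -S FORWARD` format (not the poster's router).
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j DROP
-A FORWARD -s 72.64.140.50/32 -d 192.168.1.200/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT'

# rule_position RULES DEST
# Print the 1-based index of the first appended rule that names DEST as
# destination and ends in ACCEPT; print 0 when no such rule exists.
rule_position() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        $1 == "-A" {
            n++
            if (index($0, "-d " dst) && $0 ~ /-j ACCEPT$/) {
                print n; found = 1; exit
            }
        }
        END { if (!found) print 0 }'
}

# shadowing_rules RULES DEST
# Print "index: rule" for every DROP/REJECT rule evaluated before the ACCEPT
# rule that is either protocol-agnostic or ICMP-specific. These are
# candidates to inspect by hand: addresses and interfaces are not compared.
# When the ACCEPT rule is missing, the whole chain is scanned.
shadowing_rules() {
    pos=$(rule_position "$1" "$2")
    printf '%s\n' "$1" | awk -v stop="$pos" '
        $1 != "-A" { next }
        { n++ }
        stop > 0 && n >= stop { exit }
        / -j (DROP|REJECT)/ && (!/ -p / || / -p icmp /) { print n ": " $0 }'
}

echo "ACCEPT rule position: $(rule_position "$SAMPLE_RULES" 192.168.1.200/32)"
echo "Earlier rules that may drop the ping:"
shadowing_rules "$SAMPLE_RULES" 192.168.1.200/32
```

On a live system, pass the output of `iptables -S FORWARD` as the first argument in place of the sample.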