netfilter.vger.kernel.org archive mirror
* Help with routing ping requests
From: Donald Schlicht @ 2015-07-10 22:07 UTC (permalink / raw)
  To: netfilter

I have an application where I need to configure a router to pass 
ping requests (ICMP type 8) through to the LAN port. I have a Linksys 
WRT54GS with tiny DD-WRT V24 SP2 installed. I am adding the following 
iptables rules: 

iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -j DNAT --to-destination 192.168.1.200
iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s 72.64.140.50 -d 192.168.1.200 -j ACCEPT
iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -d 192.168.1.200 -j ACCEPT

The intent is that the first rule will change an incoming echo request 
destination to the unit on the LAN which I want to receive the ping request. 

The second rule allows the modified echo request to pass through the 
FORWARD table. And the last one allows the modified echo request to pass 
through the POSTROUTING table. When I send a ping to the router with four 
tries, I get no pings out the LAN. Using iptables -L -v -n I can see where 
rule #1 passes one packet (but not four), rule #2 passes four packets 
(good!) and rule #3 passes 1 packet. At this point I am at a loss as to why 
this is not working. Can someone help me out here?

Sent with AquaMail for Android
http://www.aqua-mail.com




* Re: Help with routing ping requests
From: Pascal Hambourg @ 2015-07-11 21:32 UTC (permalink / raw)
  To: Donald Schlicht; +Cc: netfilter

Donald Schlicht wrote:
> I have an application where I need to configure a router to pass through 
> ping requests (ICMP type 8) through to the LAN port. I have a Linksys 
> WRT54GS with tiny DD-WRT V24 SP2 installed. I am adding the following 
> iptables rules: 
> 
> iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -j DNAT 
> --to-destination 192.168.1.200 
> iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s 72.64.140.50 -d 
> 192.168.1.200 -j ACCEPT
>  iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -d 
> 192.168.1.200 -j ACCEPT
> 
>  The intent is that the first rule will change an incoming echo request 
> destination to the unit on the LAN which I want to receive the ping request. 
> 
> The second rule allows the modified echo request to pass through the 
> FORWARD table. And the last one allows the modified echo request to pass 
> through the POSTROUTING table. When I send a ping to the router with four 
> tries, I get no pings out the LAN.

What do you mean exactly? How do you know?

> Using iptables -L -v -n I can see where 
> rule #1 passes one packet (but not four), rule #2 passes four packets 
> (good!) and rule #3 passes 1 packet.

This is expected behaviour. Chains in the nat table see only the first
packet of any "connection". NAT operations applied to this packet are
implicitly applied to subsequent packets of the same connection. A ping
sequence is considered as a connection.


* Re: Help with routing ping requests
From: Donald Schlicht @ 2015-07-20 13:05 UTC (permalink / raw)
  To: netfilter

I am using Wireshark to sniff IP packets on both the WAN side and the
LAN side. It is good to know that the packets are passing through the
tables correctly. Anyone have an idea why I'm not seeing anything on
the LAN side?



* Re: Help with routing ping requests
From: Neal P. Murphy @ 2015-07-20 16:17 UTC (permalink / raw)
  To: netfilter

On Mon, 20 Jul 2015 09:05:29 -0400
Donald Schlicht <dschlic1@gmail.com> wrote:

> I am using Wireshark to sniff IP packets on both the WAN side and the
> LAN side. It is good to know that the packets are passing through the
> tables correctly. Anyone have an idea why I'm not seeing anything on
> the LAN side?
> 
> >> I have an application where I need to configure a router to pass
> >> through ping requests (ICMP type 8) through to the LAN port. I
> >> have a Linksys WRT54GS with tiny DD-WRT V24 SP2 installed. I am
> >> adding the following iptables rules:
> >>
> >> iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s
> >> 72.64.140.50 -j DNAT --to-destination 192.168.1.200
> >> iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s
> >> 72.64.140.50 -d 192.168.1.200 -j ACCEPT
> >>  iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s
> >> 72.64.140.50 -d 192.168.1.200 -j ACCEPT

That third rule is not needed--and mayn't do anything anyway.

I added the equivalent of your PREROUTING and FORWARD rules to my
perimeter F/W; they work. (One difference: since my filter:FORWARD has
a blanket "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
rule, I added "-m state --state NEW" to my equivalent of your second
(FORWARD) rule.)

Since *one* request gets through, we can say the NAT rule works. That
leaves FORWARD. What else is in filter:FORWARD? Your FORWARD rule may be
in the wrong position; you may need to insert it later in the chain.


* Re: Help with routing ping requests
From: Donald Schlicht @ 2015-07-20 19:54 UTC (permalink / raw)
  To: netfilter

Here is the listing from tables PREROUTING, FORWARD and POSTROUTING
after pinging the router four times:

\u@\h:\w\$ iptables -t nat -L PREROUTING -n -v
Chain PREROUTING (policy ACCEPT 2245 packets, 159K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.1.200
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.64.140.67        tcp dpt:23 to:192.168.1.1:23
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            72.64.140.67        to:192.168.1.1
    0     0 TRIGGER    0    --  *      *       0.0.0.0/0            72.64.140.67        TRIGGER type:dnat match:0 relate:0
\u@\h:\w\$ iptables -L FORWARD -n -v
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 logaccept  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     47   --  *      vlan1   192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan1   192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 TRIGGER    0    --  vlan1  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
\u@\h:\w\$ iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 4 packets, 286 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       0    --  *      vlan1   0.0.0.0/0            0.0.0.0/0           to:72.64.140.67
    0     0 RETURN     0    --  *      br0     0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 MASQUERADE  0    --  *      br0     192.168.1.0/24       192.168.1.0/24
\u@\h:\w\$

Hope this helps



* Help with routing ping requests
From: Donald Schlicht @ 2015-07-21 18:55 UTC (permalink / raw)
  To: netfilter

I have configured iptables to custom route some icmp packets. I have
set up logging and here is the log:

Jan  1 00:01:06 TAPC kern.debug kernel: [   73.720000] icmp_prerouting IN=eth0 OUT= MAC=e0:46:9a:41:75:7e:00:0c:29:51:5b:9f:08:00 SRC=72.64.140.50 DST=72.64.140.67 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=2192 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=17
Jan  1 00:01:06 TAPC kern.debug kernel: [   73.720000] icmp_forward IN=eth0 OUT=br0 MAC=e0:46:9a:41:75:7e:00:0c:29:51:5b:9f:08:00 SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2192 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=17
Jan  1 00:01:06 TAPC kern.debug kernel: [   73.720000] icmp_postrouting IN= OUT=br0 SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2192 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=17
Jan  1 00:01:11 TAPC kern.debug kernel: [   78.510000] icmp_forward IN=eth0 OUT=br0 MAC=e0:46:9a:41:75:7e:00:0c:29:51:5b:9f:08:00 SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2193 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=18
Jan  1 00:01:16 TAPC kern.debug kernel: [   83.520000] icmp_forward IN=eth0 OUT=br0 MAC=e0:46:9a:41:75:7e:00:0c:29:51:5b:9f:08:00 SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2194 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=19
Jan  1 00:01:21 TAPC kern.debug kernel: [   88.510000] icmp_forward IN=eth0 OUT=br0 MAC=e0:46:9a:41:75:7e:00:0c:29:51:5b:9f:08:00 SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2195 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=20

The entries with prefix icmp_prerouting are from the -t nat PREROUTING
chain. The entries with prefix icmp_forward are from the -t filter
FORWARD chain. The entry with prefix icmp_postrouting is from the -t
nat POSTROUTING table. I also have logging in the INPUT and OUTPUT
chains. However, no entries have been generated from those chains.

I have Wireshark connected to both the WAN side and the LAN side. I
see the packets going into the WAN which produces the above entries,
however I do not see any packets coming out either the LAN or the WAN
side.

Without any of my custom rules, I can ping the WAN interface without
issues. From within the Telnet shell I can also ping the address
192.168.1.200 without issues. On Wireshark both the incoming packets
and the outgoing packets show up as expected.

Does anyone have any idea where the outgoing packets disappear? Is br0
the correct output device so that the packet will be sent to the LAN
ports? This application is DD-WRT running on a Netgear router.
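The trace above, run through a small parser for netfilter LOG lines (an added example, not code from this thread or from DD-WRT): it groups the entries by --log-prefix, keeps the two ID= fields of an ICMP line apart, and checks that every echo request reaching the FORWARD chain already carries the DNATed destination. The sample is a trimmed copy of the lines quoted in the message (MAC/TOS/PREC dropped), and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the LOG lines from the message, unwrapped, with the
# MAC/TOS/PREC fields dropped to keep the lines short. Field order is as the
# LOG target prints it (two ID= fields: IP header ID, then ICMP echo ID).
SAMPLE_LOG = """\
kernel: [   73.720000] icmp_prerouting IN=eth0 OUT= SRC=72.64.140.50 DST=72.64.140.67 LEN=60 TTL=128 ID=2192 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=17
kernel: [   73.720000] icmp_forward IN=eth0 OUT=br0 SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TTL=127 ID=2192 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=17
kernel: [   73.720000] icmp_postrouting IN= OUT=br0 SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TTL=127 ID=2192 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=17
kernel: [   78.510000] icmp_forward IN=eth0 OUT=br0 SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TTL=127 ID=2193 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=18
kernel: [   83.520000] icmp_forward IN=eth0 OUT=br0 SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TTL=127 ID=2194 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=19
kernel: [   88.510000] icmp_forward IN=eth0 OUT=br0 SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TTL=127 ID=2195 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=20
"""

# --log-prefix comes right after the "[ uptime]" stamp; the fields start at IN=.
LINE_RE = re.compile(r"\]\s+(?P<prefix>\S+)\s+(?P<fields>IN=.*)$")

def parse_log(text):
    """Return one dict per LOG line: PREFIX plus every key=value field.
    The second ID= (the echo identifier) is stored as ICMP_ID so the IP ID
    is not overwritten; an empty value such as OUT= is kept as ''."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = {"PREFIX": m.group("prefix")}
        for tok in m.group("fields").split():
            key, _, val = tok.partition("=")
            rec["ICMP_ID" if key == "ID" and "ID" in rec else key] = val
        records.append(rec)
    return records

def hits_per_prefix(records):
    """Packets seen per logging rule (what `iptables -L -v -n` counts)."""
    return Counter(r["PREFIX"] for r in records)

def dnat_applied(records, filter_prefix, new_dst):
    """{echo SEQ: True if the packet reached the filter chain with DST rewritten}."""
    return {int(r["SEQ"]): r["DST"] == new_dst
            for r in records if r["PREFIX"] == filter_prefix and r.get("PROTO") == "ICMP"}

def nat_saw_first_only(records, nat_prefix, filter_prefix):
    """True for the pattern Pascal describes: the nat chain logs one packet of
    the ping 'connection' while the filter chain logs every echo request."""
    hits = hits_per_prefix(records)
    seqs = {r["SEQ"] for r in records if r["PREFIX"] == filter_prefix}
    return hits[nat_prefix] == 1 and hits[filter_prefix] == len(seqs)
```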


* Help with routing ping requests
From: Donald Schlicht @ 2015-07-22 15:59 UTC (permalink / raw)
  To: netfilter

I have found a solution to this issue. For some reason I have to put a
SNAT in the POSTROUTING table to change the source IP address to the
LAN gateway address. Once I did that, the system started working
correctly.

Thanks for all of your help
