Re: Help with routing ping requests

Re: Help with routing ping requests

[Donald Schlicht]

I am using Wireshark to sniff IP packets on both the WAN side and the
LAN side. It is good to know that the packets are passing through the
tables correctly. Anyone have an idea why I'm not seeing anything on
the LAN side?

>> I have an application where I need to configure a router to pass through
>> ping requests (ICMP type 8) through to the LAN port. I have a Linksys
>> WRT54GS with tiny DD-WRT V24 SP2 installed. I am adding the following
>> iptables rules:
>>
>> iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -j DNAT
>> --to-destination 192.168.1.200
>> iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s 72.64.140.50 -d
>> 192.168.1.200 -j ACCEPT
>>  iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -d
>> 192.168.1.200 -j ACCEPT
>>
>>  The intent is that the first rule will change an incoming echo request
>> destination to the unit on the LAN which I want to receive the ping request.
>>
>> The second rule allows the modified echo request to pass through the
>> FORWARD table. And the last one allows the modified echo request to pass
>> through the POSTROUTING table. When I send a ping to the router with four
>> tries, I get no pings out the LAN.
>
>What do you mean exactly ? How do you know ?
>
>> Using iptables -L -v -n I can see were
>> rule #1 passes one packet (but not four), rule #2 passes four packets
>> (good!) and rule #3 passes 1 packet.
>
>This is expected behaviour. Chains in the nat table see only the first
>packet of any "connection". NAT operations applied to this packet are
>implicitly applied to subsequent packets of the same connection. A ping
>sequence is considered as a connection.

Re: Help with routing ping requests

[Neal P. Murphy]

On Mon, 20 Jul 2015 09:05:29 -0400
Donald Schlicht <dschlic1@gmail.com> wrote:

> I am using Wireshark to sniff IP packets on both the WAN side and the
> LAN side. It is good to know that the packets are passing through the
> tables correctly. Anyone have an idea why I'm not seeing anything on
> the LAN side?
> 
> >> I have an application where I need to configure a router to pass
> >> through ping requests (ICMP type 8) through to the LAN port. I
> >> have a Linksys WRT54GS with tiny DD-WRT V24 SP2 installed. I am
> >> adding the following iptables rules:
> >>
> >> iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s
> >> 72.64.140.50 -j DNAT --to-destination 192.168.1.200
> >> iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s
> >> 72.64.140.50 -d 192.168.1.200 -j ACCEPT
> >>  iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s
> >> 72.64.140.50 -d 192.168.1.200 -j ACCEPT

That third rule is not needed--and mayn't do anything anyway.

I added the equivalent of your PREROUTING and FORWARD rules to my
perimeter F/W; they work. (One difference: since my filter:FORWARD has
a blanket "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
rule, I added "-m state --state NEW" to my equivalent of your second
(FORWARD) rule.

Since *one* request gets through, we can say the NAT rule works. That
leaves FORWARD. What else is in filter:FORWARD? Your FORWARD rule maybe
in the wrong position; you may need to insert it later in the chain.

Re: Help with routing ping requests

[Donald Schlicht]

 Here is the listing from tables PREROUTING, FORWARD and POSTROUTING
after pinging the router four times:

\u@\h:\w\$ iptables -t nat -L PREROUTING -n -v
Chain PREROUTING (policy ACCEPT 2245 packets, 159K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       icmp --  *      *       0.0.0.0/0
0.0.0.0/0           to:192.168.1.200
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0
72.64.140.67        tcp dpt:23 to:192.168.1.1:23
    0     0 DNAT       icmp --  *      *       0.0.0.0/0
72.64.140.67        to:192.168.1.1
    0     0 TRIGGER    0    --  *      *       0.0.0.0/0
72.64.140.67        TRIGGER type:dnat match:0 relate:0
\u@\h:\w\$ iptables -L FORWARD -n -v
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 logaccept  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     47   --  *      vlan1   192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan1   192.168.1.0/24
0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 TRIGGER    0    --  vlan1  br0     0.0.0.0/0
0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0
0.0.0.0/0           state NEW
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
\u@\h:\w\$ iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 4 packets, 286 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       0    --  *      vlan1   0.0.0.0/0
0.0.0.0/0           to:72.64.140.67
    0     0 RETURN     0    --  *      br0     0.0.0.0/0
0.0.0.0/0           PKTTYPE = broadcast
    0     0 MASQUERADE  0    --  *      br0     192.168.1.0/24
192.168.1.0/24
\u@\h:\w\$

Hope this helps

On Mon, Jul 20, 2015 at 12:17 PM, Neal P. Murphy
<neal.p.murphy@alum.wpi.edu> wrote:
> On Mon, 20 Jul 2015 09:05:29 -0400
> Donald Schlicht <dschlic1@gmail.com> wrote:
>
>> I am using Wireshark to sniff IP packets on both the WAN side and the
>> LAN side. It is good to know that the packets are passing through the
>> tables correctly. Anyone have an idea why I'm not seeing anything on
>> the LAN side?
>>
>> >> I have an application where I need to configure a router to pass
>> >> through ping requests (ICMP type 8) through to the LAN port. I
>> >> have a Linksys WRT54GS with tiny DD-WRT V24 SP2 installed. I am
>> >> adding the following iptables rules:
>> >>
>> >> iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s
>> >> 72.64.140.50 -j DNAT --to-destination 192.168.1.200
>> >> iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s
>> >> 72.64.140.50 -d 192.168.1.200 -j ACCEPT
>> >>  iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s
>> >> 72.64.140.50 -d 192.168.1.200 -j ACCEPT
>
> That third rule is not needed--and mayn't do anything anyway.
>
> I added the equivalent of your PREROUTING and FORWARD rules to my
> perimeter F/W; they work. (One difference: since my filter:FORWARD has
> a blanket "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
> rule, I added "-m state --state NEW" to my equivalent of your second
> (FORWARD) rule.
>
> Since *one* request gets through, we can say the NAT rule works. That
> leaves FORWARD. What else is in filter:FORWARD? Your FORWARD rule maybe
> in the wrong position; you may need to insert it later in the chain.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Help with routing ping requests

[Donald Schlicht]

I have found a solution to this issue. For some reason I have to put a
SNAT in the POSTROUTING table to change the source IP address to the
LAN gateway address. Once I did that, the system started working
correctly.

Thanks for all of your help

Help with routing ping requests

[Donald Schlicht]

 I have configured iptables to custom route some icmp packets. I have
set up logging and here is the log:

Jan  1 00:01:06 TAPC kern.debug kernel: [   73.720000] icmp_prerouting
IN=eth0 OUT= MAC=e0:46:9a:41:75:7e:00:0c:29:51:5b:9f:08:00
SRC=72.64.140.50 DST=72.64.140.67 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=2192 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=17
Jan  1 00:01:06 TAPC kern.debug kernel: [   73.720000] icmp_forward
IN=eth0 OUT=br0 MAC=e0:46:9a:41:75:7e:00:0c:29:51:5b:9f:08:00
SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=2192 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=17
Jan  1 00:01:06 TAPC kern.debug kernel: [   73.720000]
icmp_postrouting IN= OUT=br0 SRC=72.64.140.50 DST=192.168.1.200 LEN=60
TOS=0x00 PREC=0x00 TTL=127 ID=2192 PROTO=ICMP TYPE=8 CODE=0 ID=1
SEQ=17
Jan  1 00:01:11 TAPC kern.debug kernel: [   78.510000] icmp_forward
IN=eth0 OUT=br0 MAC=e0:46:9a:41:75:7e:00:0c:29:51:5b:9f:08:00
SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=2193 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=18
Jan  1 00:01:16 TAPC kern.debug kernel: [   83.520000] icmp_forward
IN=eth0 OUT=br0 MAC=e0:46:9a:41:75:7e:00:0c:29:51:5b:9f:08:00
SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=2194 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=19
Jan  1 00:01:21 TAPC kern.debug kernel: [   88.510000] icmp_forward
IN=eth0 OUT=br0 MAC=e0:46:9a:41:75:7e:00:0c:29:51:5b:9f:08:00
SRC=72.64.140.50 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=2195 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=20

The entries with prefix icmp_prerouting is from the -t nat PREROUTING
chain. The entries with prefix icmp_forward are from the -t filter
FORWARD chain. The entry with prefix icmp_postrouting is from the -t
nat POSTROUTING table. I also have loging in the INPUT and OUTPUT
chains. However no entries have been generated from those chains.

I have Wireshark connected to both the WAN side and the LAN side. I
see the packets going into the WAN which produces the above entries,
however I do not see any packets coming out either the LAN or the WAN
side.

Without any of my custom rules, I can ping the WAN interface without
issues. From within the Telenet shell I can also ping the address
192.168.1.200 without issues. On Wireshark both the incoming packets
and the outgoing packets show up as expected.

Does anyone have any idea where the outgoing packets disappear? Is br0
the correct output device so that the packet will be sent to the LAN
ports? This application is DD-WRT running on a Netgear router.

Help with routing ping requests

[Donald Schlicht]

I have an application where I need to configure a router to pass through 
ping requests (ICMP type 8) through to the LAN port. I have a Linksys 
WRT54GS with tiny DD-WRT V24 SP2 installed. I am adding the following 
iptables rules: 

iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -j DNAT 
--to-destination 192.168.1.200 
iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s 72.64.140.50 -d 
192.168.1.200 -j ACCEPT
 iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -d 
192.168.1.200 -j ACCEPT

 The intent is that the first rule will change an incoming echo request 
destination to the unit on the LAN which I want to receive the ping request. 

The second rule allows the modified echo request to pass through the 
FORWARD table. And the last one allows the modified echo request to pass 
through the POSTROUTING table. When I send a ping to the router with four 
tries, I get no pings out the LAN. Using iptables -L -v -n I can see were 
rule #1 passes one packet (but not four), rule #2 passes four packets 
(good!) and rule #3 passes 1 packet. At this point I am at loss as to why 
this is not working. Can someone help me out here?

Sent with AquaMail for Android
http://www.aqua-mail.com

Re: Help with routing ping requests

[Pascal Hambourg]

Donald Schlicht a écrit :
> I have an application where I need to configure a router to pass through 
> ping requests (ICMP type 8) through to the LAN port. I have a Linksys 
> WRT54GS with tiny DD-WRT V24 SP2 installed. I am adding the following 
> iptables rules: 
> 
> iptables -t nat -I PREROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -j DNAT 
> --to-destination 192.168.1.200 
> iptables -t filter -I FORWARD -p icmp --icmp-type 8 -s 72.64.140.50 -d 
> 192.168.1.200 -j ACCEPT
>  iptables -t nat -I POSTROUTING -p icmp --icmp-type 8 -s 72.64.140.50 -d 
> 192.168.1.200 -j ACCEPT
> 
>  The intent is that the first rule will change an incoming echo request 
> destination to the unit on the LAN which I want to receive the ping request. 
> 
> The second rule allows the modified echo request to pass through the 
> FORWARD table. And the last one allows the modified echo request to pass 
> through the POSTROUTING table. When I send a ping to the router with four 
> tries, I get no pings out the LAN.

What do you mean exactly ? How do you know ?

> Using iptables -L -v -n I can see were 
> rule #1 passes one packet (but not four), rule #2 passes four packets 
> (good!) and rule #3 passes 1 packet.

This is expected behaviour. Chains in the nat table see only the first
packet of any "connection". NAT operations applied to this packet are
implicitly applied to subsequent packets of the same connection. A ping
sequence is considered as a connection.