DNAT and ICMP
Hi,
I am working with SNAT and DNAT rules.

When I send a packet {[IP1]} out, it goes through the SNAT rules and
the source field in the IP header gets changed.
Now if there is an ICMP response { [IP2][ICMP][IP1] } for this packet,
it goes through the DNAT rules. IP2 gets DNATted, but the IP header (IP1)
inside the ICMP packet also gets DNATted.

src {SNAT(169.254.1.1) = 10.10.10.10} ----------> dst {10.10.10.11}
ICMP comes from dst.
dst {10.10.10.11} -------------------------> src {DNAT(10.10.10.10) = 169.254.1.1}
The IP packet inside the ICMP header should have
src = 10.10.10.10 and dst = 10.10.10.11, but it shows src = 169.254.1.1
and dst = 10.10.10.11.

This means that for ICMP responses both IP headers (the main IP header and the one
inside the ICMP packet) are going through DNAT.

Is it the connection tracking, or is there special handling done in the kernel?


--
Thanks
Pankaj Jain
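The translation the post observes, as an added example (my own code, not the poster's and not netfilter's): a Python script that constructs the ICMP error { [IP2][ICMP][IP1] } from the addresses above and reverse-translates it the way an SNAT gateway has to, rewriting the outer destination and the embedded source and recomputing the two IP checksums and the ICMP checksum. The addresses, the quoted UDP header and the function names are constructed for the example. In Linux this is done by connection tracking's NAT code rather than by a separate rule: for ICMP errors it looks up the flow using the quoted inner header, then applies the reverse mapping to both headers, which is exactly why the inner src ends up as 169.254.1.1 on the way back in.

```python
import struct
import ipaddress

# Constructed addresses taken from the post: the host's real address is SNATed on
# the way out, and the peer's ICMP error comes back addressed to the SNATed address.
PRIVATE = "169.254.1.1"   # pre-SNAT source
PUBLIC = "10.10.10.10"    # post-SNAT source, as seen by the peer
PEER = "10.10.10.11"      # destination that sends the ICMP error

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # types that quote the offending IP header


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over data whose field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _set_ip_checksum(hdr: bytearray) -> None:
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (no options)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                                64, proto, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    _set_ip_checksum(hdr)
    return bytes(hdr)


def build_icmp_error(outer_src, outer_dst, inner_src, inner_dst) -> bytes:
    """Constructed ICMP port-unreachable quoting a UDP packet inner_src -> inner_dst."""
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)  # sport, dport, length, checksum 0 (none)
    inner = ipv4_header(inner_src, inner_dst, 17, len(udp)) + udp
    icmp = bytearray(struct.pack("!BBHI", 3, 3, 0, 0) + inner)  # type 3 code 3, unused
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return ipv4_header(outer_src, outer_dst, 1, len(icmp)) + bytes(icmp)


def addresses(pkt: bytes):
    """(outer src, outer dst, inner src, inner dst) of an ICMP error packet."""
    ihl = (pkt[0] & 0x0F) * 4
    inner = pkt[ihl + 8:]
    a = lambda b: str(ipaddress.IPv4Address(bytes(b)))
    return a(pkt[12:16]), a(pkt[16:20]), a(inner[12:16]), a(inner[16:20])


def undo_snat_on_icmp_error(pkt: bytes, public: str, private: str) -> bytes:
    """Reverse-translate an ICMP error: the outer destination (who the error is
    for) and the embedded source (who sent the offending packet) both go back to
    the pre-NAT address, and every checksum touched is recomputed."""
    ihl = (pkt[0] & 0x0F) * 4
    outer = bytearray(pkt[:ihl])
    icmp = bytearray(pkt[ihl:])
    if outer[9] != 1 or icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error packet")
    pub = ipaddress.IPv4Address(public).packed
    priv = ipaddress.IPv4Address(private).packed
    if outer[16:20] != pub:
        raise ValueError("outer destination is not the SNAT address; no mapping")
    outer[16:20] = priv
    _set_ip_checksum(outer)
    inner_ihl = (icmp[8] & 0x0F) * 4
    inner = icmp[8:8 + inner_ihl]
    if inner[12:16] != pub:
        raise ValueError("embedded source does not match the SNAT mapping")
    inner[12:16] = priv
    _set_ip_checksum(inner)
    icmp[8:8 + inner_ihl] = inner
    # A complete implementation also adjusts the quoted TCP/UDP checksum when one
    # is present; the constructed UDP header carries checksum 0, so there is none.
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return bytes(outer) + bytes(icmp)


def checksums_ok(pkt: bytes) -> bool:
    """Outer IP checksum and ICMP checksum both verify."""
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[:ihl]) == 0 and checksum(pkt[ihl:]) == 0


if __name__ == "__main__":
    err = build_icmp_error(PEER, PUBLIC, PUBLIC, PEER)
    print("as received:", addresses(err))
    fixed = undo_snat_on_icmp_error(err, PUBLIC, PRIVATE)
    print("after DNAT: ", addresses(fixed), "checksums ok:", checksums_ok(fixed))
```

Running it prints the outer dst and the inner src both moving from 10.10.10.10 to 169.254.1.1 while the peer's 10.10.10.11 stays put in both headers, which is the pattern described in the post; leaving the inner header untouched would hand the host an error quoting a packet it never sent.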