On Monday 10 June 2002 12:17 pm, [EMAIL PROTECTED] wrote:

> when I use :
>
> iptables -I POSTROUTING -t nat -p icmp --icmp-type \
>     fragmentation-needed -j LOG --log-prefix "icmp SNAT POST "
>
> iptables -I PREROUTING -t mangle -p icmp --icmp-type \
>     fragmentation-needed -j LOG --log-prefix "icmp SNAT PRE "
>
> I can see them in PREROUTING but not in POSTROUTING...

Do you have a suitable FORWARDing rule to transfer these packets across the box ?

When you log them in the PREROUTING chain, they don't have the destination address of the netfilter box itself, do they ? (ie they're stopping on the local box and not trying to route any further...)

Antony.

> On Mon, 10 Jun 2002, Antony Stone wrote:
>
> > On Monday 10 June 2002 11:36 am, [EMAIL PROTECTED] wrote:
> >
> > > > > I would like to SNAT icmp fragmentation-needed messages that have
> > > > > source address from private network range (RFC1918), I have tried
> > > > > something like:
> > > > >
> > > > > iptables -t nat -I POSTROUTING -j SNAT --to real_address -p icmp \
> > > > >     --icmp-type fragmentation-needed -s 192.168.0.0/16
> > > > >
> > > > > but it does not work.
> > > >
> > > > What happens if you put a logging rule immediately before this one:
> > > >
> > > > iptables -I POSTROUTING -t nat -s 192.168.0.0/16 -p icmp --icmp-type \
> > > >     fragmentation-needed -j LOG --log-prefix "icmp SNAT"
> > > >
> > > > Do you get any packets logged ?
> > >
> > > Nothing gets logged......
> >
> > In that case you have no packets of the type you are trying to match.....
> >
> > ...which is why they don't get SNATted.
> >
> > Antony.

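Added example, not part of the thread: a small Python parser for kernel log lines written by the two LOG rules above ("icmp SNAT PRE " / "icmp SNAT POST "). It pairs each fragmentation-needed packet (ICMP type 3 code 4) by SRC/DST, reports which ones reached nat/POSTROUTING, and for those seen only in PREROUTING checks Antony's question of whether DST is one of the box's own addresses. The log lines, the gateway addresses in LOCAL_ADDRS and the reduced set of LOG fields are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG-target format (inner-header
# brackets omitted). Line 3 is addressed to the gateway itself; line 4 is an
# echo request that must be ignored; line 5 never shows up in POSTROUTING.
SAMPLE_LOG = """\
Jun 10 12:17:01 gw kernel: icmp SNAT PRE IN=eth1 OUT= SRC=192.168.0.10 DST=203.0.113.5 LEN=56 TTL=64 PROTO=ICMP TYPE=3 CODE=4
Jun 10 12:17:01 gw kernel: icmp SNAT POST IN= OUT=eth0 SRC=192.168.0.10 DST=203.0.113.5 LEN=56 TTL=63 PROTO=ICMP TYPE=3 CODE=4
Jun 10 12:17:02 gw kernel: icmp SNAT PRE IN=eth1 OUT= SRC=192.168.0.11 DST=192.168.0.1 LEN=56 TTL=64 PROTO=ICMP TYPE=3 CODE=4
Jun 10 12:17:02 gw kernel: icmp SNAT PRE IN=eth1 OUT= SRC=192.168.0.11 DST=192.168.0.1 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
Jun 10 12:17:03 gw kernel: icmp SNAT PRE IN=eth1 OUT= SRC=192.168.0.12 DST=198.51.100.7 LEN=56 TTL=64 PROTO=ICMP TYPE=3 CODE=4
"""

# Constructed: addresses configured on the netfilter box itself.
LOCAL_ADDRS = {"192.168.0.1", "203.0.113.9"}

# Matches the prefix from the thread, then the outer SRC/DST and ICMP type/code.
LINE_RE = re.compile(
    r"icmp SNAT (?P<chain>PRE|POST) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?TYPE=(?P<type>\d+) CODE=(?P<code>\d+)"
)


def parse(log):
    """Map (src, dst) of each fragmentation-needed packet to the chains that logged it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or (m["type"], m["code"]) != ("3", "4"):
            continue  # not a LOG line of ours, or not fragmentation-needed
        seen[(m["src"], m["dst"])].add(m["chain"])
    return seen


def diagnose(log, local_addrs):
    """Explain, per packet, why it did or did not reach nat/POSTROUTING."""
    report = {}
    for (src, dst), chains in parse(log).items():
        if "POST" in chains:
            report[(src, dst)] = "forwarded: reached nat/POSTROUTING, SNAT can match"
        elif dst in local_addrs:
            report[(src, dst)] = "addressed to this box: delivered locally, never enters POSTROUTING"
        else:
            report[(src, dst)] = "PREROUTING only: check the FORWARD chain and routing table"
    return report


if __name__ == "__main__":
    for key, verdict in diagnose(SAMPLE_LOG, LOCAL_ADDRS).items():
        print("%s -> %s: %s" % (key[0], key[1], verdict))
```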