On Tue, 4 Jun 2002 [EMAIL PROTECTED] wrote:

> I would like to SNAT icmp fragmentation-needed messages that have source
> address from private network range (RFC1918), I have tried something like:
>
> iptables -t nat  -I POSTROUTING -j SNAT --to real_address -p icmp  \
> --icmp-type fragmentation-needed -s 192.168.0.0/16
>
> but it does not work. I think that because these packets are part of
> valid TCP connection, they are somehow processed by ip_conntrack
> module and do not pass this rule....

Yes, ICMP error messages related to already existing connections are
handled by conntrack and NAT automatically. There is no need to set up any
rule for them. One only has to let through packets with state RELATED.

Regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
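The stateful ruleset the reply implies, as an added example that is not part of the original thread: a single SNAT rule for the private range plus a RELATED,ESTABLISHED accept rule, so conntrack carries the existing mapping over to ICMP errors such as fragmentation-needed without any ICMP-specific NAT rule. The WAN interface name, the public address (203.0.113.10, a documentation-range placeholder) and the function names are assumptions; the script only applies the rules when invoked with --apply as root with iptables present, otherwise it just prints them.

```bash
#!/bin/sh
# Added example: stateful SNAT for an RFC1918 LAN behind a Linux router.
WAN_IF="${WAN_IF:-eth0}"                   # assumed interface name
PUBLIC_ADDR="${PUBLIC_ADDR:-203.0.113.10}" # placeholder from the documentation range
LAN_NET="192.168.0.0/16"                   # private range from the question

# Emit the rules one per line. Building them is kept separate from applying
# them so the ruleset can be reviewed or tested without touching the firewall.
build_rules() {
    wan="$1"; pub="$2"; lan="$3"
    # The nat table only sees the first packet of a connection; conntrack
    # reuses the mapping for every later packet of that flow, including
    # RELATED ICMP errors (fragmentation-needed among them) generated for it.
    echo "iptables -t nat -A POSTROUTING -o $wan -s $lan -j SNAT --to-source $pub"
    # Forwarded packets belonging to, or related to, a tracked flow are
    # accepted. This is the rule that admits the translated ICMP errors;
    # no rule matching '-p icmp --icmp-type fragmentation-needed' is needed.
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # New flows are allowed only from the LAN towards the WAN side.
    echo "iptables -A FORWARD -s $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT"
    # Everything else that would be forwarded is dropped.
    echo "iptables -P FORWARD DROP"
}

# Apply the rules when this host can actually do so; otherwise dry-run.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        build_rules "$WAN_IF" "$PUBLIC_ADDR" "$LAN_NET" | sh -e
    else
        echo "# dry run (not root or iptables missing); rules that would be applied:"
        build_rules "$WAN_IF" "$PUBLIC_ADDR" "$LAN_NET"
    fi
}

case "${1:-}" in
    --apply) apply_rules ;;
esac
```

Once the rules are in place, `conntrack -L` (or /proc/net/ip_conntrack on kernels of that era) shows the TCP flow and its NAT mapping; the ICMP error never needs an entry of its own.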

