Hi,
I am working with SNAT and DNAT rules. When I send a packet {[IP1]} out, it goes through the SNAT rules and the source field in the IP header gets changed. Now if there is an ICMP response { [IP2][ICMP][IP1] } for this packet, it goes through the DNAT rules. IP2 gets DNATted, but the IP header (IP1) inside the ICMP packet also gets DNATted.

src {SNAT(169.254.1.1) = 10.10.10.10} ----------> dst {10.10.10.11}

ICMP comes from dst.

dst {10.10.10.11} -------------------------> src {DNAT(10.10.10.10) = 169.254.1.1}

The IP packet inside the ICMP header should have src = 10.10.10.10 and dst = 10.10.10.11, but it shows src = 169.254.1.1 and dst = 10.10.10.11. This means that for ICMP responses both IP headers (the main IP header and the one inside the ICMP packet) are going through DNAT.

Is it the connection tracking, or is there special handling done in the kernel?
--
Thanks
Pankaj Jain
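Added example (not part of the mailing-list post above and not the kernel's own code): a small Python model of what netfilter's NAT core does for ICMP errors in nf_nat_icmp_reply_translation(). Conntrack matches an ICMP error to the original connection through the datagram quoted inside it, and the NAT code then undoes the translation on both the outer header and the quoted inner header, so that the host which sent the original packet sees its own untranslated addresses in the error. The packets, the reverse mapping (10.10.10.10 -> 169.254.1.1), the UDP payload and all function names are constructed for this illustration; the quoted datagram uses UDP with checksum 0, so only the IP and ICMP checksums need recomputing (the kernel also fixes up a non-zero inner transport checksum).

```python
import struct
import ipaddress

# Constructed reverse-NAT mapping: the SNAT address that replies arrive at,
# mapped back to the original (internal) source address.
REVERSE_NAT = {"10.10.10.10": "169.254.1.1"}

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # only these carry a quoted datagram


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when verifying a valid header/message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Fields of an IPv4 header that the translation logic needs."""
    return {"ihl": (pkt[0] & 0x0F) * 4, "proto": pkt[9],
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}


def rewrite_ipv4_addr(hdr: bytes, offset: int, addr: str) -> bytes:
    """Replace the address at offset 12 (src) or 16 (dst) and recompute the header checksum."""
    h = bytearray(hdr)
    h[offset:offset + 4] = ipaddress.IPv4Address(addr).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def build_icmp_dest_unreach(quoted: bytes) -> bytes:
    """ICMP type 3 code 1 (host unreachable) quoting the offending datagram."""
    body = struct.pack("!BBHI", 3, 1, 0, 0) + quoted
    return body[:2] + struct.pack("!H", ipv4_checksum(body)) + body[4:]


def reverse_translate_icmp_error(pkt: bytes, reverse_map: dict) -> bytes:
    """Undo SNAT on an ICMP error: outer dst and the quoted datagram's src are both mapped back."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1:
        raise ValueError("not ICMP")
    real_src = reverse_map.get(outer["dst"])
    if real_src is None:
        return pkt  # no matching conntrack entry: packet is left untouched
    ihl = outer["ihl"]
    icmp = pkt[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error; echo and friends are tracked on their own")
    inner = icmp[8:]
    inner_hdr = parse_ipv4(inner)
    # Consistency check conntrack relies on: the quoted datagram must belong to this flow.
    if inner_hdr["src"] != outer["dst"]:
        raise ValueError("quoted datagram does not match the outer header")
    iihl = inner_hdr["ihl"]
    new_inner = rewrite_ipv4_addr(inner[:iihl], 12, real_src) + inner[iihl:]
    icmp_body = icmp[:2] + b"\x00\x00" + icmp[4:8] + new_inner
    new_icmp = icmp_body[:2] + struct.pack("!H", ipv4_checksum(icmp_body)) + icmp_body[4:]
    return rewrite_ipv4_addr(pkt[:ihl], 16, real_src) + new_icmp


def build_icmp_error_reply() -> bytes:
    """Constructed: the ICMP error 10.10.10.11 sends back to the SNATted source 10.10.10.10."""
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)  # sport, dport, length, checksum 0
    original = build_ipv4_header("10.10.10.10", "10.10.10.11", 17, len(udp), ident=0x1234) + udp
    icmp = build_icmp_dest_unreach(original[:28])
    return build_ipv4_header("10.10.10.11", "10.10.10.10", 1, len(icmp)) + icmp


def summarize(pkt: bytes) -> dict:
    """Addresses of both headers plus checksum validity, for inspection and tests."""
    outer = parse_ipv4(pkt)
    inner = parse_ipv4(pkt[outer["ihl"] + 8:])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "outer_csum_ok": ipv4_checksum(pkt[:outer["ihl"]]) == 0,
            "icmp_csum_ok": ipv4_checksum(pkt[outer["ihl"]:]) == 0}


if __name__ == "__main__":
    reply = build_icmp_error_reply()
    print("before:", summarize(reply))
    print("after: ", summarize(reverse_translate_icmp_error(reply, REVERSE_NAT)))
```

Running the block shows the inner src change from 10.10.10.10 to 169.254.1.1 alongside the outer dst, which is the behaviour observed in the post: it is the NAT code acting on conntrack's ICMP error handling, not an extra DNAT rule match, and the quoted header is rewritten so the error can be delivered to and understood by the original sender.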