
I have the following NAT setup:

+--------------+       +-----------------------+     +-------------------+
|              |       |                       |     |                   |
|              |       |                       |     |                   |
|    PC 1      |       |    PC 2 (NAT)         |     |     PC 3          |
|  10.0.0.3    +-------+                       +-----+  10.0.0.4         |
|              |       |                       |     |  (NAT 172.24.4.2) |
|              |       |                       |     |                   |
+--------------+       +-----------------------+     +-------------------+

where PC2 will do NAT such that 10.0.0.4 will be translated to 172.24.4.2 during prerouting:

-A PREROUTING -d 172.24.4.2/32 -j DNAT --to-destination 10.0.0.4

When I try to ping from PC1 to PC3 with destination IP 172.24.4.2, somehow no DNAT is applied to the packet for me.

Here is what I capture on PC3:

10:15:41.017632 IP 10.0.0.3 > 172.24.4.2: ICMP echo request, id 8705, seq 0, length 64

It works fine if I change PC3 IP to a different subnet.

Does anyone know why?

Kintarō

1 Answer


10.0.0.4 will be translated to 172.24.4.2 during prerouting

The rule you have specified does exactly the opposite. It should translate the destination address 172.24.4.2 in the packet to 10.0.0.4.

This is the capture you should see on the PC1-facing interface on PC2, because tcpdump shows the packets on the wire, before any processing by the TCP stack.

You should check the capture on the PC3-facing interface. You also need to check the routing on PC2 so that the 172.24.4.2 address is routed correctly.

Tero Kilkanen
  • I am trying to ping 172.24.4.2 and the NAT box will have a route to 10.0.0.4. The purpose of this is that PC1 doesn't know 10.0.0.4 but 172.24.4.2 instead. – Kintarō Jul 17 '15 at 19:51
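As an added example (not code from the question, the answer, or any real netfilter implementation), the Python below models the path the answer describes for the setup in the question: PC2's PREROUTING DNAT rewrites 172.24.4.2 to 10.0.0.4, the routing decision then picks the egress interface using the already-translated destination, and a conntrack entry rewrites the source of PC3's reply back to 172.24.4.2. It also checks a tcpdump line the way the answer suggests: on the PC1-facing wire the destination still reads 172.24.4.2, on the PC3-facing wire it should read 10.0.0.4. The addresses, the DNAT rule and the first capture line are from the page; the interface names eth0 (towards PC1) and eth1 (towards PC3), the route table and the second capture line are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, replace

# Addresses from the question.
PC1_IP = "10.0.0.3"
PC3_REAL_IP = "10.0.0.4"
PC3_NAT_IP = "172.24.4.2"

# Capture line quoted in the question (taken on PC3), and a constructed line
# showing what the PC3-facing wire should carry once DNAT is applied.
CAPTURE_ON_PC3 = "10:15:41.017632 IP 10.0.0.3 > 172.24.4.2: ICMP echo request, id 8705, seq 0, length 64"
EXPECTED_AFTER_DNAT = "10:15:41.017700 IP 10.0.0.3 > 10.0.0.4: ICMP echo request, id 8705, seq 0, length 64"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class DnatRouter:
    """Toy model of PC2: nat PREROUTING DNAT, then the routing decision, plus the
    conntrack entry netfilter uses to un-translate replies. Not the kernel's code."""

    def __init__(self, dnat_rules, routes):
        # dnat_rules: (destination prefix, new destination) in chain order, e.g.
        # ("172.24.4.2/32", "10.0.0.4") for
        # -A PREROUTING -d 172.24.4.2/32 -j DNAT --to-destination 10.0.0.4
        self.dnat_rules = [(ipaddress.ip_network(m), t) for m, t in dnat_rules]
        # routes: (prefix, egress interface); longest prefix wins, as in the FIB
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        # (original src, translated dst) -> original dst, used to fix up replies
        self.conntrack = {}

    def prerouting(self, pkt):
        # Reply of an already-translated flow: restore the address PC1 sent to.
        original_dst = self.conntrack.get((pkt.dst, pkt.src))
        if original_dst is not None:
            return replace(pkt, src=original_dst)
        # New flow: the first matching DNAT rule rewrites the destination.
        for match, new_dst in self.dnat_rules:
            if ipaddress.ip_address(pkt.dst) in match:
                self.conntrack[(pkt.src, new_dst)] = pkt.dst
                return replace(pkt, dst=new_dst)
        return pkt

    def route(self, pkt):
        for prefix, iface in self.routes:
            if ipaddress.ip_address(pkt.dst) in prefix:
                return iface
        raise LookupError(f"no route to {pkt.dst}")

    def forward(self, pkt):
        """Packet as it leaves PC2 and the interface it leaves on; the routing
        decision sees the translated destination, not the one PC1 used."""
        pkt = self.prerouting(pkt)
        return pkt, self.route(pkt)


TCPDUMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")


def parse_tcpdump(line):
    m = TCPDUMP_RE.search(line)
    if m is None:
        raise ValueError(f"not an ICMP echo line: {line!r}")
    return Packet(m.group(1), m.group(2)), m.group(3)


def dnat_applied(line, nat_ip=PC3_NAT_IP):
    """True if the echo request on this wire already carries the real
    destination, i.e. it was captured after PC2's PREROUTING DNAT."""
    pkt, kind = parse_tcpdump(line)
    return kind == "request" and pkt.dst != nat_ip


if __name__ == "__main__":
    # Assumed PC2 tables: the /24 towards PC1, a host route for PC3 out eth1.
    pc2 = DnatRouter([(PC3_NAT_IP + "/32", PC3_REAL_IP)],
                     [("10.0.0.0/24", "eth0"), (PC3_REAL_IP + "/32", "eth1"), ("0.0.0.0/0", "eth0")])
    out, iface = pc2.forward(Packet(PC1_IP, PC3_NAT_IP))
    print(f"PC1 -> {PC3_NAT_IP}: leaves {iface} as {out.src} > {out.dst}")
    back, iface = pc2.forward(Packet(PC3_REAL_IP, PC1_IP))
    print(f"reply: leaves {iface} as {back.src} > {back.dst}")
    print("question's capture shows DNAT applied:", dnat_applied(CAPTURE_ON_PC3))
```

Because PC3 sits in the same 10.0.0.0/24 as PC1 in the diagram, PC2 needs the more specific host route for 10.0.0.4 out of the PC3-facing interface; with only the /24 on the PC1 side, the model sends the translated packet back out eth0. The reply path has the same shape of problem: if PC3 configures 10.0.0.4 with a /24 mask it will treat 10.0.0.3 as on-link and ARP for it instead of sending the reply to PC2, so the capture on each of PC2's interfaces, not only on PC3, is what tells the two failures apart.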