https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835894#M24496 Hi,<BR /><BR />echo-reply packets are not supposed to go into the nat table. I guess you will be able to see them in the INPUT, FORWARD and OUTPUT chains of the main table.<BR /><BR /><BR />cheers!<BR />George Thu, 03 Aug 2006 07:24:00 GMT George Georgiev 2006-08-03T07:24:00Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835887#M24489 hi all,<BR />I am trying to test iptables nat chains by matching ping command with LOG target.I am not getting any LOG matching the echo-reply; only i detect the echo-request packet in /var/log/messages.<BR /><BR />Does anyone have any idea ?<BR /> thanks Wed, 02 Aug 2006 09:19:14 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835887#M24489 linuxtolinux 2006-08-02T09:19:14Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835888#M24490 What's the output of iptables -L? Wed, 02 Aug 2006 11:18:48 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835888#M24490 George Liu_4 2006-08-02T11:18:48Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835889#M24491 Shalom,<BR /><BR />Quick fix:<BR /><BR /><A href="http://www.fs-security.com/" target="_blank">http://www.fs-security.com/</A><BR /><BR />This handy little product sets up iptables with logging. You can steal iptables code from it and I've used it as a firewall router for my supposedly sold business in the US and found it is unbreachable. It is much better than I am at writing iptables code.<BR /><BR />SEP Wed, 02 Aug 2006 11:46:14 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835889#M24491 Steven E. Protter 2006-08-02T11:46:14Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835890#M24492 hi <BR />This is the output of the nat listing:<BR /># /sbin/iptables -L -t nat<BR />Chain PREROUTING (policy ACCEPT)<BR />target prot opt source destination <BR />LOG icmp -- anywhere anywhere icmp echo-request LOG level warning prefix `nat PREROUTING:' <BR />LOG icmp -- anywhere anywhere icmp echo-reply LOG level warning prefix `nat PREROUTING:' <BR /><BR />Chain POSTROUTING (policy ACCEPT)<BR />target prot opt source destination <BR />LOG icmp -- anywhere anywhere icmp echo-request LOG level warning prefix `nat POSTROUTING:' <BR />LOG icmp -- anywhere anywhere icmp echo-reply LOG level warning prefix `nat POSTROUTING:' <BR /><BR />Chain OUTPUT (policy ACCEPT)<BR />target prot opt source destination <BR />LOG icmp -- anywhere anywhere icmp echo-request LOG level warning prefix `nat OUTPUT:' <BR />LOG icmp -- anywhere anywhere <BR /><BR /><BR />Regards Thu, 03 Aug 2006 02:26:44 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835890#M24492 linuxtolinux 2006-08-03T02:26:44Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835891#M24493 are you sure that icmp is not drop in any rule before?<BR />afaik NAT rules on the bottom, and iptables are first match wins(so if there is any rule before regarding icmp it's aplaid.) Thu, 03 Aug 2006 02:30:59 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835891#M24493 g33k 2006-08-03T02:30:59Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835892#M24494 hi<BR />I applied only the above nat rules only.<BR />and all the other default policies are ACCEPT.<BR /><BR /> Thu, 03 Aug 2006 03:03:19 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835892#M24494 linuxtolinux 2006-08-03T03:03:19Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835893#M24495 I supose you'll answer yes but just to be sure that it's problem with iptables...<BR />syslog is running?<BR />packet forwarding is enabled?<BR />ping is OK you are ping form system behind NAT some other system and getting answers? Thu, 03 Aug 2006 05:04:53 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835893#M24495 g33k 2006-08-03T05:04:53Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835894#M24496 Hi,<BR /><BR />echo-reply packets are not supposed to go into the nat table. I guess you will be able to see them in the INPUT, FORWARD and OUTPUT chains of the main table.<BR /><BR /><BR />cheers!<BR />George Thu, 03 Aug 2006 07:24:00 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835894#M24496 George Georgiev 2006-08-03T07:24:00Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835895#M24497 I would like you to post <BR /><BR />iptable -L<BR />not <BR />iptables -L -t nat<BR /><BR />reason: the icmp traffic could be in the earlier rules Fri, 04 Aug 2006 13:45:42 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835895#M24497 George Liu_4 2006-08-04T13:45:42Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835896#M24498 THanks a lot Mon, 07 Aug 2006 02:47:06 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835896#M24498 linuxtolinux 2006-08-07T02:47:06Z https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835897#M24499 If you have you log rule in the -t nat you will only see the initial packet as the reply is considered related and doesn hit the nat table <BR /><BR />have a look at <BR /><A href="http://l7-filter.sourceforge.net/PacketFlow.png" target="_blank">http://l7-filter.sourceforge.net/PacketFlow.png</A><BR /><BR />place your log rule in the input or foward chain of the filter table (the detault one)<BR /><BR /> Sun, 13 Aug 2006 22:32:07 GMT https://community.hpe.com/t5/operating-system-linux/nat-iptables-rules/m-p/3835897#M24499 Alexander Samad 2006-08-13T22:32:07Z