[user]

Элементарная задача: НАТ для icmp пакетов

172.19.4.254 - принадлежит другому роутеру, и пакеты от него приходят на шлюз "как есть", через eth1

eth0.990 - смотрит в сторону провайдера.

 

прописываем iptables
[0:0] -A POSTROUTING -s 172.19.4.254/32 -o eth0.990 -p icmp -j SNAT --to-source 1.2.3.4

[0:0] -A POSTROUTING -s 172.19.4.254/32 -o eth0.990 -j MASQUERADE

 

а вот фиг:

tshark -nta -i eth0.990 host 172.19.4.254 and proto ICMP
Capturing on 'eth0.990'
    1 14:34:04.255576453 172.19.4.254 → 83.97.20.35  ICMP 86 Destination unreachable (Host unreachable)
    2 14:34:04.263094684 172.19.4.254 → 196.52.43.128 ICMP 86 Destination unreachable (Host unreachable)
    3 14:34:04.282221431 172.19.4.254 → 185.39.11.38 ICMP 86 Destination unreachable (Host unreachable)
    4 14:34:04.292742038 172.19.4.254 → 51.38.103.218 ICMP 590 Destination unreachable (Fragmentation needed)
    5 14:34:04.292775141 172.19.4.254 → 51.38.103.218 ICMP 590 Destination unreachable (Fragmentation needed)
    6 14:34:04.293790866 172.19.4.254 → 51.38.103.218 ICMP 590 Destination unreachable (Fragmentation needed)

 

в правила не попало:

iptables-save -c 
[0:0]                -A POSTROUTING -s 172.19.4.254/32 -o eth0.990 -p icmp -j SNAT --to-source 1.2.3.4

[12345:XXXX6] -A POSTROUTING -s 172.19.4.254/32 -o eth0.990 -j MASQUERADE

- то есть ранее трафик IP 172.19.4.254/32 нигде не обрабатывается, и свистит мимо "-p icmp"

 

iptables-save -c | grep icmp
[0:0] -A POSTROUTING -s 172.19.4.254/32 -o eth0.990 -p icmp -j SNAT --to-source 1.2.3.4
[14:421] -A MYSHAPER-IN -i eth0.990 -p icmp -m mark --mark 0x0 -j MARK --set-xmark 0x3010/0xffffffff
- и ICMP нигде раньше не обрабатывается.

 

 

[user]

 iptables-save -c | grep LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 1 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 2 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 3 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 4 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 5 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 6 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 7 -j LOG
[6:480] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 8 -j LOG

 

 

tshark -nta -i eth0.990 -c 10 host 172.19.4.254 and proto ICMP
Capturing on 'eth0.990'
    1 15:15:44.613903180 172.19.4.254 → 197.63.117.17 ICMP 86 Destination unreachable (Host unreachable)
    2 15:15:44.658591897 172.19.4.254 → 58.228.159.253 ICMP 86 Destination unreachable (Host unreachable)
    3 15:15:44.678200493 172.19.4.254 → 50.78.132.225 ICMP 86 Destination unreachable (Host unreachable)
    4 15:15:44.695856784 172.19.4.254 → 46.39.51.215 ICMP 90 Destination unreachable (Host unreachable)
    5 15:15:44.710039862 172.19.4.254 → 188.69.193.87 ICMP 94 Destination unreachable (Host unreachable)
    6 15:15:44.717459074 172.19.4.254 → 77.121.70.11 ICMP 86 Destination unreachable (Host unreachable)
    7 15:15:44.809850348 172.19.4.254 → 185.153.180.241 ICMP 86 Destination unreachable (Host unreachable)
    8 15:15:44.857079080 172.19.4.254 → 103.133.106.81 ICMP 86 Destination unreachable (Host unreachable)
    9 15:15:44.887351358 172.19.4.254 → 207.180.222.211 ICMP 86 Destination unreachable (Host unreachable)
   10 15:15:45.061933421 172.19.4.254 → 95.29.94.14  ICMP 94 Destination unreachable (Host unreachable)
 

 

Изменено 16 июня, 2020 пользователем user