I've got the following configuration:

vlan123@eth0 - range 1.2.3.0/24, with 1.2.3.4 assigned to it
br2000 - range 10.2.3.0/24

In the ip route I see:

10.2.3.0/24 dev br2000 proto kernel scope link src 10.2.3.1

In the iptables I rewrite the destination of incoming packets (table nat):

-A PREROUTING -d 1.2.3.4/32 -j DNAT --to-destination 10.2.3.4

Unfortunately, if I try to ping the address 1.2.3.4 now, I do not get the forwarding I expect. `ip route get 10.2.3.4 from 2.3.4.5 iif vlan123` returns:

RTNETLINK answers: Invalid cross-device link

Which seems to confirm that the proper routing is not there. What could be the problem?

IP forwarding is enabled in sysctl, and I also disabled rp_filter for testing.

viraptor

1 Answer


If you want to rewrite incoming packets, you should add the rules to the PREROUTING chain; the OUTPUT chain of the nat table is used only for locally generated packets.

Update 1:

Once you have set that in the PREROUTING table, check that the target host (10.2.3.4) actually has 10.2.3.1 as its default gateway; otherwise the answer will never reach the source.

Also add a logging rule in the FORWARD chain to see if your packet is actually rewritten properly and sent to the target host.

Marco Bizzarri
  • How does that explain the `ip route get` result, though? The addresses I tested are the ones I'd obtain after rewriting, so iptables is not involved anyway - yet I still get the invalid routing error. – viraptor Jul 29 '11 at 12:03
  • Now I did it in PREROUTING - unfortunately this didn't change anything - the packet still goes via iptables and... disappears. – viraptor Jul 29 '11 at 15:33
  • Did you ping when in PREROUTING from inside the same host or from another host? – Marco Bizzarri Jul 29 '11 at 18:15
  • Another host. This is pretty much the only use case I care about. – viraptor Jul 30 '11 at 00:14
  • Is IP forwarding enabled on that host? What is the result of `sysctl -a | grep ip_forward`? Please add it to the question rather than answering here. – Marco Bizzarri Jul 30 '11 at 11:27
  • Updated, forwarding is enabled. – viraptor Jul 30 '11 at 12:11
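The DNAT rule in PREROUTING, the FORWARD logging rule and the forwarding/rp_filter checks that the answer and the comments go back and forth about, collected into one script as an added example; this is not code from the original thread. It uses the interface names and addresses from the question (vlan123, 1.2.3.4, br2000, 10.2.3.4, and 2.3.4.5 as the test source). The function names, the `-i`/`-o` interface matches on the rules, the `dnat-fwd:` log prefix and the `print`/`apply`/`diagnose` modes are my additions.

```shell
#!/bin/sh
# Added example (not from the original thread): emit the DNAT and FORWARD
# logging rules the answer describes and read the kernel knobs that decide
# whether the forwarded packet, and its reply, can actually pass.
set -eu

PUBLIC_IF=vlan123        # interface carrying 1.2.3.0/24 (from the question)
PUBLIC_IP=1.2.3.4        # address whose traffic is redirected
INSIDE_IF=br2000         # bridge carrying 10.2.3.0/24
INSIDE_IP=10.2.3.4       # real target behind the bridge
TEST_SRC=2.3.4.5         # source used in the question's `ip route get` test

# Print the iptables commands.  The DNAT sits in PREROUTING (incoming
# traffic, not OUTPUT).  The LOG rule in FORWARD matches only packets whose
# destination has already been rewritten to the target, so a packet that
# never shows up in the log never reached FORWARD with the new address.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $PUBLIC_IF -d $PUBLIC_IP/32 -j DNAT --to-destination $INSIDE_IP
iptables -A FORWARD -i $PUBLIC_IF -o $INSIDE_IF -d $INSIDE_IP/32 -j LOG --log-prefix "dnat-fwd: "
iptables -A FORWARD -i $PUBLIC_IF -o $INSIDE_IF -d $INSIDE_IP/32 -j ACCEPT
iptables -A FORWARD -i $INSIDE_IF -o $PUBLIC_IF -s $INSIDE_IP/32 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Read one /proc/sys/net/ipv4 knob; print "?" when it is not readable
# (container without /proc/sys, interface missing) instead of aborting.
knob() {
    if [ -r "/proc/sys/net/ipv4/$1" ]; then
        cat "/proc/sys/net/ipv4/$1"
    else
        echo "?"
    fi
}

# The kernel applies the larger of conf/all/rp_filter and
# conf/<iface>/rp_filter, so both are reported: zero on one side only
# does not disable the reverse-path check on the ingress interface.
report_forwarding_knobs() {
    echo "ip_forward=$(knob ip_forward)"
    echo "rp_filter.all=$(knob conf/all/rp_filter)"
    echo "rp_filter.$PUBLIC_IF=$(knob "conf/$PUBLIC_IF/rp_filter")"
}

# Repeat the route lookup from the question; the lookup is done by the
# routing code before any iptables chain is consulted.
diagnose() {
    report_forwarding_knobs
    if command -v ip >/dev/null 2>&1; then
        ip route get "$INSIDE_IP" from "$TEST_SRC" iif "$PUBLIC_IF" \
            || echo "route lookup from $TEST_SRC via $PUBLIC_IF failed"
    fi
}

case "${1:-print}" in
    apply)    nat_rules | sh -e ;;
    diagnose) diagnose ;;
    *)        nat_rules; report_forwarding_knobs ;;
esac
```

Run it without arguments to review the rules, with `apply` to load them (as root), and with `diagnose` to print the knobs and repeat the `ip route get` test. Two points the output is meant to make visible: the effective rp_filter value for vlan123 is the maximum of `conf/all/rp_filter` and `conf/vlan123/rp_filter`, so clearing only one of them leaves the check active; and `Invalid cross-device link` (EXDEV) from `ip route get ... from X iif Y` is the error the kernel's reverse-path check returns when it rejects that source on that interface, which happens in the routing lookup before the nat PREROUTING rule is ever evaluated.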