hello,
I set a 4 computer LAN with configuration as
I added following to iptables
on both Routers as both have eth0 directly connected.
Now,when i ping from HostA to HostB through Router1 and Router2,Router1 has to SNAT and it did and sends a ping to HostB with HostB receiving src ip of
ping packet as that Router1 but reverse pong packet from HostB to HostA does not changes src ip at Router2. why?

Nobody knows why SNAT is not working on Router2? Is any more info required?

I don't see any SNAT rules there...

thats strange because Router1 changes srcip of Hosta to its ip 10.1.1.1 when ping packet is sent to hostB from HostA.
If the rules that i specified are not doing that thing then does that mean routers have default behaviour of changing source ip of outgoing packet?

Do you have "echo 1 > /proc/sys/net/ipv4/ip_forward" performed on both machines?

Question: From HostA are you pinging HostB (172.16.1.100), or are you pinging Router2 (10.1.1.100)

You should be pinging Router2 and redirecting the ICMP echo request to HostB from Router2. Otherwise you will end up with routing rather than NAT at Router2.

If you make a default policy of "DROP" on inbound eth0, you shouldn't be able to ping HostB the way you are.

Hello Matir,
I have already "echo 1 > /proc/sys/net/ipv4/ip_forward" performed on both machines.

Hello SirGertrude,
From HostA(192.168.1.100) I am pinging HostB (172.16.1.100).
What i want Among Set 3 Networks whenever packet generated for HostB(172.16.1.100) At HostA(192.168.1.100) Router1 has to SNAT for Outgoing Packet from 192.168.1.100 to 10.1.1.1
Similarly, whenever packet generated for HostA(192.168.1.100) At HostB(172.16.1.100), Router2 has to SNAT for Outgoing Packet from 172.16.1.100 to 10.1.1.100
What should i do to achieve this? Because in my current configuartion only Ping originating Host's Router able to SNAT but nor for reply packet from otherside by other sides's Router. why?

This is not working directly to your host because you only have established and related connections accepted comming into your external interface (eth0) out your internal interface (eth1) so anything that tries to come in into host b will not be received originiting from host a because is initial traffic and not established and related
iptables -A FORWARD -i eth0 -o eth1 -m state --state
ESTABLISHED,RELATED -j ACCEPT

try creating a couple of addtional rules to test ICMP above this that says

iptables -A FORWARD -p icmp -i eth0 -o eth1 -d 192.168.1.100 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 192.168.1.100

and you also want this done on router B that says the same thing for the 172 address

actually that second rule is not needed since you are trying to ping it directly
as long as both routers have the routes for those networks, router 1 knows to forward 172 to router 2 and vice-versa

Let me clarify my response. What you should be doing is NAT on both routers. What you are currently doing is NAT on Router1 and routing on Router2. In order for SNAT to occur, the packet must reach the NAT table, which falls after the CONNTRACK and MANGLE table. CONNTRACK keeps track of connections and their state. MANGLE usually just marks a packet.

Here are the steps in your current scenario:

1. Packet leaves HostA (Src: 192.168.1.100, Dst: 172.16.1.100)

2. Packet hits Router1, SNAT takes place for connection originating from within (new Src: 10.1.1.1, Dst: 172.16.1.100)

3. Packet hits Router2, Router2 looks in routing table and finds network 172.16.1.0 is located on eth1. (Src: 10.1.1.1, Dst: 172.16.1.100)

4. Packet is routed to 172.16.1.100 and CONNTRACK marks it for its return. (Src: 10.1.1.1, Dst: 172.16.1.100)

5. HostB recives packet and replies. (Src: 172.16.1.100, Dst: 10.1.1.1)

6. Router2 receives packet and CONNTRACK looks at it FIRST. CONNTRACK recognizes the packet as the reply to the initial request and the packet is accepted to be further routed through the network. Neither the MANGLE nor NAT table even see the packet, therefore it will not go through SNAT process. (Src: 172.16.1.100, Dst: 10.1.1.1)

7. Router1 receives packet (checks CONNTRACK - nothing, checks NAT - sees entry awaiting packets return due to SNAT), then changes destination (DNAT) to HostA. (Src: 172.16.1.100, Dst: 10.1.1.1)


If you were to somehow rig Router2 to preform SNAT on the return packet, it would hit Router1 and be lost. This is because Router1 does not have an entry for a packet from 10.1.1.100, it only has an entry awaiting a packet from 172.16.1.100.

How to do what you want:

Use DNAT at Router2 to to froward ICMP echo requests to HostB (172.16.1.100), then ping Router2 rather than HostB and the ICMP echo request will hit HostB. Here are the steps the packet would take in this case:

1. Packet leaves HostA (Src: 192.168.1.100, Dst: 10.1.1.100)

2. Packet hits Router1, SNAT takes place for connection originating from within (new Src: 10.1.1.1, Dst: 10.1.1.100)

3. Packet hits Router2, Router2 looks at NAT table and finds DNAT entry for ICMP echo request. DNAT changes destination to HostB. (Src: 10.1.1.1, Dst: 172.16.1.100)

4. HostB receives packet and replies (Src: 172.16.1.100, Dst: 10.1.1.1)

5. Router2 receives packet and CONNTRACK looks at it FIRST - nothing, NAT - realizes that this is a response to a previous packet (Due to DNAT) and preforms SNAT. (Src: 10.1.1.100, Dst: 10.1.1.1)

6. Router1 receives packet and realizes that this connection was a result of previous SNATed connection and preforms DNAT to the original source. (Src: 10.1.1.100, Dst: 192.168.1.100)

Done. Neither Host knew who the other host really was. I hopes this makes sense

Can you please again specify me what iptable rules should i add at Router1 and Router2 Plzzzzzzz

I think what you want to do, per SirGertrude direction is this rule on router 1, make sure this are all on top of the other rules

iptables -A FORWARD -p icmp -i eth0 -o eth1 -d 192.168.1.100 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 192.168.1.100

and this on router 2, make sure this are all on top of the other rules

iptables -A FORWARD -p icmp -i eth0 -o eth1 -d 172.16.1.100 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 172.16.1.100

and went you ping from host A do a ping to 10.1.1.100 this will be routed to host B in router 2 and it will echo reply back

and from host B do a ping to 10.1.1.1 and this will be routed to host A on router 1 and it will echo reply back

this is assuming that the default gateway for the hosts to ALL traffic is the routers

hello all,
Still not able to acheive what i want. Either my network configuration is wrong or I am not able to write iptables rule.
The problem that i am facing is that i want to send any packet(tcp,udp,icmp) from HostA to HostB which must go through Router1 and Router2. For that i added ip forwarding rule

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Then i add MASQURADE Rule

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
But only Request packet gets its source IP changed not Reply packet does SNAT on Router2 when a Ping packet is sent from HostA to HostB.
As SirGertrude said its because ip_conntrack but its on Both Router1 and Router2. Then how to hack ip_conntack on Router2 to force it do SNAT?