I have the following design in place:
client (192.168.160.34) -> linuxserver (192.168.163.196) -> destination (192.168.18.1)
I can ping the server from the client and the client from the server; they are both on the same subnet, 192.168.160.0/22. I can also ping the destination from the server.
client's ip route list:
default via 192.168.163.196 dev ens192
192.168.160.0/22 dev ens192 proto kernel scope link src 192.168.160.34
client's iptables policy is ACCEPT on all chains, and the chains are already flushed.
server's iptables policy is ACCEPT on all chains; it has some Docker and KVM rules, etc.
I proceed to add the following on the server:
iptables -t nat -A POSTROUTING -s 192.168.160.34 -j SNAT --to 192.168.163.196
I also set net.ipv4.ip_forward=1 and applied it to the kernel parameters.
I still can't ping the destination from the client.
tcpdump:
00:00:00.000000 IP (tos 0x0, ttl 64, id 3182, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.160.34 > 192.168.18.1: ICMP echo request, id 4442, seq 1, length 64
00:00:00.000052 IP (tos 0x0, ttl 63, id 3182, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.163.196 > 192.168.18.1: ICMP echo request, id 4442, seq 1, length 64
00:00:00.000680 IP (tos 0x0, ttl 125, id 32481, offset 0, flags [none], proto ICMP (1), length 84)
192.168.18.1 > 192.168.163.196: ICMP echo reply, id 4442, seq 1, length 64
00:00:01.028150 IP (tos 0x0, ttl 64, id 3405, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.160.34 > 192.168.18.1: ICMP echo request, id 4442, seq 2, length 64
00:00:00.000042 IP (tos 0x0, ttl 63, id 3405, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.163.196 > 192.168.18.1: ICMP echo request, id 4442, seq 2, length 64
00:00:00.000489 IP (tos 0x0, ttl 125, id 32749, offset 0, flags [none], proto ICMP (1), length 84)
192.168.18.1 > 192.168.163.196: ICMP echo reply, id 4442, seq 2, length 64
00:00:01.023522 IP (tos 0x0, ttl 64, id 3641, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.160.34 > 192.168.18.1: ICMP echo request, id 4442, seq 3, length 64
My ICMP packets reach the destination and get back to the Linux server, but fail to reach the client. Any help would be appreciated.
Things that I have tried:
Tested the NAT rule on a cleanly installed box with the same information, and it worked (for this test I just changed the default gateway on the client to the new server).
Flushed all chains on the Linux server, added the rule again and tried again (didn't help).
Added the following kernel parameters on the Linux server (didn't help):
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 1
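As an added diagnostic example (not part of the question), this script parses the two-line tcpdump output shown above, groups ICMP echoes by id/seq, and reports the first leg of the SNAT round trip that never appeared on the router. The client, NAT and destination addresses are those from the question; the leg names are my own labels.

```python
import re
from collections import defaultdict

# Capture lines taken from the question (two-line `tcpdump -v` output).
CAPTURE = """\
00:00:00.000000 IP (tos 0x0, ttl 64, id 3182, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.160.34 > 192.168.18.1: ICMP echo request, id 4442, seq 1, length 64
00:00:00.000052 IP (tos 0x0, ttl 63, id 3182, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.163.196 > 192.168.18.1: ICMP echo request, id 4442, seq 1, length 64
00:00:00.000680 IP (tos 0x0, ttl 125, id 32481, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.18.1 > 192.168.163.196: ICMP echo reply, id 4442, seq 1, length 64
00:00:01.023522 IP (tos 0x0, ttl 64, id 3641, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.160.34 > 192.168.18.1: ICMP echo request, id 4442, seq 3, length 64
"""

ICMP_RE = re.compile(
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)")

# The four legs one echo should produce on the SNAT box, in order (my labels).
LEGS = ("req_pre_nat", "req_post_nat", "reply_to_nat", "reply_to_client")

def classify(kind, src, dst, client, nat_ip, dest):
    """Map one packet to the SNAT leg it represents, or None if unrelated."""
    if kind == "request" and (src, dst) == (client, dest):
        return "req_pre_nat"       # client's original request
    if kind == "request" and (src, dst) == (nat_ip, dest):
        return "req_post_nat"      # same request after SNAT
    if kind == "reply" and (src, dst) == (dest, nat_ip):
        return "reply_to_nat"      # reply arriving at the NAT address
    if kind == "reply" and (src, dst) == (dest, client):
        return "reply_to_client"   # reply after reverse translation
    return None

def audit_snat(capture, client, nat_ip, dest):
    """Return {(icmp_id, seq): first missing leg or 'ok'} for each echo."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if not m:
            continue
        leg = classify(m["kind"], m["src"], m["dst"], client, nat_ip, dest)
        if leg:
            seen[(int(m["id"]), int(m["seq"]))].add(leg)
    result = {}
    for key, legs in sorted(seen.items()):
        missing = [leg for leg in LEGS if leg not in legs]
        result[key] = missing[0] if missing else "ok"
    return result
```

For the capture in the question, seq 1 stops at reply_to_nat (the reply reached the router but no de-NATed copy to the client was seen), and seq 3 stops before req_post_nat because the capture was cut there.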