The object "ANY ICMP" on NAT rules has to be changed on the Linux compiler - iptables-1.4.21 #18
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Hi.
Due changes on the sintax on new iptables the object "ANY ICMP" has to be changed when used on nat rules, to be acceped when inserting a new rule on iptables.
A rule of NAT like this:
When compiled will generate this script:
$IPTABLES -t nat -A POSTROUTING -o br+ -p icmp -m icmp -s 192.0.2.2 -j SNAT --to-source 192.168.1.2 $IPTABLES -t nat -A POSTROUTING -o eth+ -p icmp -m icmp -s 192.0.2.2 -j SNAT --to-source 192.168.1.2This declaration won't be accepted by the new iptables anymore, now it has to be declared as:
$IPTABLES -t nat -A POSTROUTING -o br+ -p icmp -m icmp --icmp-type any -s 192.0.2.2 -j SNAT --to-source 192.168.1.2 $IPTABLES -t nat -A POSTROUTING -o eth+ -p icmp -m icmp --icmp-type any -s 192.0.2.2 -j SNAT --to-source 192.168.1.2I managed to fix this issue parsing the generated firewall script through a sed command:
sed '/nat/s/\-p icmp \-m icmp/& \--icmp-type any/g' firewall.scriptThis is back compatible with older iptables versions ( tested with iptables-1.3.5 version )
The text was updated successfully, but these errors were encountered: