Linux Router Configuration: Solving ICMP Ping Reply Routing Issues


Capturing the packet flow with tcpdump shows exactly where the echo replies stop:

# On the Ubuntu client (10.1.1.12)
ping -I eth1 my.remote-server.com
# Requests are visible on the router's eth1 (10.1.1.1) and eth2 (192.168.1.10)
# The server receives them from Y.Y.Y.Y (a public address; the router's eth2
# address is private, so the upstream gateway 192.168.1.1 performs a second NAT)
# and replies
# The replies reach the router but never arrive at the Ubuntu client

The Debian router is configured as follows:

# Interface configuration
eth1: 10.1.1.1/24 (internal)
eth2: 192.168.1.10/24 (external)

# Routing table (route -n)
Destination     Gateway         Genmask         Flags Iface
10.1.1.0        0.0.0.0        255.255.255.0   U     eth1
192.168.1.0     0.0.0.0        255.255.255.0   U     eth2
0.0.0.0         192.168.1.1    0.0.0.0         UG    eth2

The NAT rules in the POSTROUTING chain are the first thing to fix:

# Current NAT configuration
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 ! -d 10.1.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING ! -s 10.1.1.0/24 -d 10.1.1.0/24 -j MASQUERADE

Neither rule names an outgoing interface, and the second one masquerades every forwarded packet that enters the LAN, so anything the router passes to 10.1.1.0/24 appears to come from 10.1.1.1 and the real source is hidden from the internal hosts. Note that NAT rules are consulted only for the first packet of a connection; the echo replies belong to the conntrack entry created by the outgoing request and are not rewritten by that rule, which is why the capture shows them leaving the router with the server's address intact. The rule is wrong, but it is not by itself what swallows the replies.

The proper configuration masquerades only what leaves via eth2 and lets conntrack bring the replies back:

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Proper NAT configuration (replaces the existing POSTROUTING rules)
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

# Allow forwarding between the interfaces. These only matter if the FORWARD
# policy is DROP, but they are the right shape either way.
iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
# Echo replies belong to the tracked echo-request flow and match ESTABLISHED
# (-m state --state RELATED,ESTABLISHED is the older spelling of the same match)
iptables -A FORWARD -i eth2 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
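The same fix as a script, added here as an example and not code from the original post: it renders the router ruleset in iptables-restore format, lints it for the address-only MASQUERADE mistake shown above, and applies it in one transaction. The interface names and subnet default to the ones in this post; the FORWARD policy is set to DROP (the post does not say what the router's policy is, so that is an assumption), and iptables-restore replaces the whole nat and filter tables, so merge any other rules you rely on before applying.

```shell
#!/bin/sh
# Added example, not from the original post: render, lint and apply the
# corrected router ruleset. Defaults are the addresses from the post.
# Assumptions: iptables-restore and sysctl exist on the router, the FORWARD
# policy is set to DROP, and the nat/filter tables may be replaced wholesale.

LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.1.1.0/24}"
WAN_IF="${WAN_IF:-eth2}"

# Print the nat and filter tables in iptables-restore syntax.
# Only traffic from the LAN leaving via the WAN interface is masqueraded.
# Replies are de-NATed by conntrack on the way back, so no rule may match
# "-d LAN_NET": masquerading inbound traffic hides its real source.
render_ruleset() {
  lan_if="${1:-$LAN_IF}"; lan_net="${2:-$LAN_NET}"; wan_if="${3:-$WAN_IF}"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${lan_net} -o ${wan_if} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -j ACCEPT
-A FORWARD -i ${wan_if} -o ${lan_if} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Lint POSTROUTING MASQUERADE rules read from stdin (iptables-save format).
# Flags rules that masquerade traffic destined for the LAN and rules with no
# outgoing interface; prints each offender and returns 1 if any were found.
check_postrouting() {
  lan_net="${1:-$LAN_NET}"
  rc=0
  while IFS= read -r line; do
    case "$line" in
      "-A POSTROUTING"*MASQUERADE*) ;;
      *) continue ;;
    esac
    case "$line" in
      *"! -d ${lan_net}"*) ;;   # excluding the LAN as destination is fine
      *"-d ${lan_net}"*) echo "masquerades traffic into the LAN: $line"; rc=1 ;;
    esac
    case "$line" in
      *" -o "*) ;;
      *) echo "no outgoing interface (-o) on MASQUERADE: $line"; rc=1 ;;
    esac
  done
  return $rc
}

# Lint, then apply: forwarding first, then both tables in one transaction.
# Needs root; persist with "iptables-save > /etc/iptables/rules.v4".
apply_router_config() {
  ruleset="$(render_ruleset "$@")"
  printf '%s\n' "$ruleset" | check_postrouting "${2:-$LAN_NET}" || return 1
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-router.conf
  printf '%s\n' "$ruleset" | iptables-restore
}

# Usage: sh router-nat.sh render   (review the ruleset)
#        sh router-nat.sh apply    (as root)
case "${1:-}" in
  render) render_ruleset ;;
  apply)  apply_router_config ;;
esac
```

To audit a router that is already running, pipe `iptables-save` into `check_postrouting`; it reports the two address-only rules from this post and passes the interface-bound replacement. The rules.v4 path is the one read by Debian's iptables-persistent package.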

After applying these changes, verify connectivity:

# On Ubuntu client
ping -c 4 my.remote-server.com

# On router, check the NAT translations (needs the conntrack package)
conntrack -L -p icmp

# Check packet flow
tcpdump -i eth1 -n icmp
tcpdump -i eth2 -n icmp

If the client still sees no replies, check these on the router:

# Reverse path filtering: 1 = strict, a packet is dropped when the route back
# to its source address would not leave through the interface it arrived on.
# Read the current values first; with the symmetric routing above strict mode
# is safe, and enabling it on all interfaces is the usual router hardening.
sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.eth1.rp_filter net.ipv4.conf.eth2.rp_filter
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.eth1.rp_filter=1
sysctl -w net.ipv4.conf.eth2.rp_filter=1

# Check the route the router picks for a forwarded packet in each direction
ip route get X.X.X.X from 10.1.1.12 iif eth1
ip route get 10.1.1.12 from X.X.X.X iif eth2

Since the router-side capture already shows the reply addressed to 10.1.1.12 leaving eth1, a reply that is still not received is being discarded on the client: capture there as well (tcpdump -i eth1 -n icmp) and check the client's own rp_filter setting and INPUT chain.

The client's ping output and the router-side capture show the pattern clearly:

# From the Ubuntu client (10.1.1.12)
ping -I eth1 my.remote-server.com
PING my.remote-server.com (X.X.X.X) from 10.1.1.12 eth1: 56(84) bytes of data.
^C
--- my.remote-server.com ping statistics ---
13 packets transmitted, 0 received, 100% packet loss

while the router forwards traffic in both directions, so the reply does leave its LAN interface:

# Debian router, tcpdump -i eth1 -n icmp
IP 10.1.1.12 > X.X.X.X: ICMP echo request
IP X.X.X.X > 10.1.1.12: ICMP echo reply
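The reasoning above (requests seen on the LAN side, requests seen translated on the WAN side, replies seen on the WAN side, replies seen on the LAN side) can be automated over two captures. The following is an added example and not part of the original post: it parses `tcpdump -n icmp` output from the router's eth1 and eth2 and prints a verdict on where the reply is lost. The sample captures are constructed; 203.0.113.5 stands in for the server X.X.X.X, and the line layout assumed is the default `tcpdump -n` one, "<time> IP <src> > <dst>: ICMP echo ...".

```shell
#!/bin/sh
# Added example, not from the original post: triage two "tcpdump -n icmp"
# captures (router LAN side and WAN side) to say where an echo reply is lost.
# The sample captures are constructed; 203.0.113.5 stands in for the server
# X.X.X.X and 192.168.1.10 is the router's WAN (eth2) address from the post.

# Count echo requests and replies that involve one host. tcpdump -n prints
# "<time> IP <src> > <dst>: ICMP echo request, ..." so src is $3 and dst is $5
# with a trailing colon. Prints "<requests> <replies>".
count_icmp() {
  awk -v h="$1" '
    index($0, "ICMP echo request") && ($3 == h || $5 == h ":") { req++ }
    index($0, "ICMP echo reply")   && ($3 == h || $5 == h ":") { rep++ }
    END { printf "%d %d\n", req + 0, rep + 0 }'
}

# Distinct source addresses of echo requests in a capture, one per line.
request_sources() {
  awk 'index($0, "ICMP echo request") { print $3 }' | sort -u
}

# Turn the four counters into a verdict. The first word is a stable code.
diagnose_path() {
  lan_req=$1; lan_rep=$2; wan_req=$3; wan_rep=$4
  if [ "$lan_req" -eq 0 ]; then
    echo "NO_LAN_REQUESTS: client is not sending through the router's LAN interface"
  elif [ "$wan_req" -eq 0 ]; then
    echo "NOT_FORWARDED: requests never leave the WAN side; check ip_forward and the FORWARD chain"
  elif [ "$wan_rep" -eq 0 ]; then
    echo "NO_WAN_REPLY: the server or the upstream path is not answering the router"
  elif [ "$lan_rep" -eq 0 ]; then
    echo "ROUTER_DROPS_REPLY: reply enters but is not forwarded; check conntrack, the ESTABLISHED rule and rp_filter"
  else
    echo "CLIENT_SIDE: router forwards the reply to the LAN; check the client's rp_filter, INPUT rules and the -I interface"
  fi
}

# triage_icmp SERVER WAN_ADDR LAN_CAPTURE WAN_CAPTURE
# Counts by the server address because the client address is gone after NAT,
# and checks that WAN-side requests carry the router's WAN address as source.
triage_icmp() {
  server="$1"; wan_addr="$2"; lan_cap="$3"; wan_cap="$4"
  set -- $(printf '%s\n' "$lan_cap" | count_icmp "$server"); lan_req=$1; lan_rep=$2
  set -- $(printf '%s\n' "$wan_cap" | count_icmp "$server"); wan_req=$1; wan_rep=$2
  if [ "$wan_req" -gt 0 ]; then
    srcs="$(printf '%s\n' "$wan_cap" | request_sources)"
    if [ "$srcs" != "$wan_addr" ]; then
      echo "NAT_MISSING: WAN-side requests come from '$srcs', expected $wan_addr"
      return 0
    fi
  fi
  diagnose_path "$lan_req" "$lan_rep" "$wan_req" "$wan_rep"
}

# Constructed captures matching the post: both directions visible on the
# router's eth1 (LAN) and eth2 (WAN) interfaces.
sample_lan_capture() {
  cat <<'EOF'
12:00:00.000001 IP 10.1.1.12 > 203.0.113.5: ICMP echo request, id 7, seq 1, length 64
12:00:00.021000 IP 203.0.113.5 > 10.1.1.12: ICMP echo reply, id 7, seq 1, length 64
12:00:01.000001 IP 10.1.1.12 > 203.0.113.5: ICMP echo request, id 7, seq 2, length 64
12:00:01.021000 IP 203.0.113.5 > 10.1.1.12: ICMP echo reply, id 7, seq 2, length 64
EOF
}
sample_wan_capture() {
  cat <<'EOF'
12:00:00.000200 IP 192.168.1.10 > 203.0.113.5: ICMP echo request, id 7, seq 1, length 64
12:00:00.020800 IP 203.0.113.5 > 192.168.1.10: ICMP echo reply, id 7, seq 1, length 64
12:00:01.000200 IP 192.168.1.10 > 203.0.113.5: ICMP echo request, id 7, seq 2, length 64
12:00:01.020800 IP 203.0.113.5 > 192.168.1.10: ICMP echo reply, id 7, seq 2, length 64
EOF
}

# Stand-alone demo: sh icmp-triage.sh demo
if [ "${1:-}" = "demo" ]; then
  triage_icmp 203.0.113.5 192.168.1.10 "$(sample_lan_capture)" "$(sample_wan_capture)"
fi
```

On real captures, save each side with `tcpdump -i eth1 -n icmp > lan.txt` and `tcpdump -i eth2 -n icmp > wan.txt`, then call `triage_icmp X.X.X.X 192.168.1.10 "$(cat lan.txt)" "$(cat wan.txt)"`. For the situation in this post the verdict is CLIENT_SIDE, which is the point: the router has done its job once the reply is on eth1.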

Listing the nat table confirms the two address-only MASQUERADE rules:

# iptables -t nat -L POSTROUTING -n
Chain POSTROUTING (policy ACCEPT)
MASQUERADE  all  --  10.1.1.0/24         !10.1.1.0/24
MASQUERADE  all  -- !10.1.1.0/24          10.1.1.0/24

Replace them with the single interface-bound MASQUERADE rule and the two FORWARD rules given above, then confirm with filtered captures that the request is translated on eth2 and the reply is forwarded out of eth1:

# Check packet flow per side
tcpdump -i eth1 -n icmp and host 10.1.1.12
tcpdump -i eth2 -n icmp and host X.X.X.X

Policy routing is not needed for the single-uplink setup above, but if the LAN must leave through a gateway other than the one in the main table (a second uplink, for example), send its traffic through a dedicated table. Give that table the directly connected networks as well, otherwise LAN traffic for the router's own subnets would also be sent to the gateway:

# Create custom routing table (the rt_tables line only needs adding once)
echo "200 custom" >> /etc/iproute2/rt_tables
ip route add 10.1.1.0/24 dev eth1 table custom
ip route add 192.168.1.0/24 dev eth2 table custom
ip route add default via 192.168.1.1 dev eth2 table custom
ip rule add from 10.1.1.0/24 table custom

Make forwarding persistent; the write to /proc above is lost at reboot:

# Enable IPv4 forwarding now and at boot
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/90-ip-forward.conf

The fix comes down to four things:
  1. Correct NAT rules with proper interface specification
  2. Proper forwarding rules in both directions
  3. Kernel IP forwarding enabled
  4. Default route configured correctly