How to check NAT live?
I don't know what you are doing wrong, but here's an example. Setup: Two network namespaces ns0 and ns1 with two veth pairs, main namespace forwards:
      ns0 <------- main -------> ns1
veth0b --- veth0a          veth1a --- veth1b
10.0.0.1   10.0.0.254      10.0.1.254 10.0.1.1
Doing plain tcpdump on veth0a and veth1a. Pinging ns0 from ns1 without NAT shows:
IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20765, seq 1, length 64
IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20765, seq 1, length 64
on veth0a, and on veth1a:
IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20765, seq 1, length 64
IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20765, seq 1, length 64
After enabling SNAT on veth0a with
iptables -t nat -A POSTROUTING -o veth0a -s 10.0.1.1/32 -j SNAT --to 10.0.1.90
now on veth0a there is
IP 10.0.1.90 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64
IP 10.0.0.1 > 10.0.1.90: ICMP echo reply, id 20795, seq 1, length 64
while on veth1a
IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64
IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20795, seq 1, length 64
So one can clearly see the SNAT is working.
As I said, you need to dump packets on both the outgoing and the incoming interface.
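The two captures above can be paired mechanically on the ICMP id and seq fields, which gives the side-by-side before/after view. The following Python is an added example, not part of the original answer: the function names are hypothetical, the sample lines are the answer's own post-SNAT capture, and it assumes id and seq are the same on both sides of the NAT, as they are in that capture.

```python
import re

# tcpdump -n one-line ICMP echo output; search() tolerates a leading timestamp.
ECHO = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse(lines):
    """Index echo packets by (kind, id, seq) -> (src, dst)."""
    seen = {}
    for line in lines:
        m = ECHO.search(line)
        if m:
            key = (m["kind"], int(m["id"]), int(m["seq"]))
            seen[key] = (m["src"], m["dst"])
    return seen

def correlate(inner_lines, outer_lines):
    """Pair packets captured on both interfaces and name the rewritten field.

    Assumption: ICMP id/seq are identical on both sides of the NAT, as in
    the capture above. Packets seen on only one interface are skipped.
    """
    inner, outer = parse(inner_lines), parse(outer_lines)
    order = lambda k: (k[1], k[2], k[0] == "reply")  # request before reply
    rows = []
    for key in sorted(inner.keys() & outer.keys(), key=order):
        (isrc, idst), (osrc, odst) = inner[key], outer[key]
        changed = [f for f, a, b in (("src", isrc, osrc), ("dst", idst, odst)) if a != b]
        rows.append({"kind": key[0], "id": key[1], "seq": key[2],
                     "inner": (isrc, idst), "outer": (osrc, odst),
                     "rewritten": changed})
    return rows

# Sample input: the lines from the answer's capture after the SNAT rule.
VETH1A = [
    "IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64",
    "IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20795, seq 1, length 64",
]
VETH0A = [
    "IP 10.0.1.90 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64",
    "IP 10.0.0.1 > 10.0.1.90: ICMP echo reply, id 20795, seq 1, length 64",
]

if __name__ == "__main__":
    for r in correlate(VETH1A, VETH0A):
        print(f"{r['kind']:7} id={r['id']} seq={r['seq']}  "
              f"{r['inner'][0]} > {r['inner'][1]}  =>  "
              f"{r['outer'][0]} > {r['outer'][1]}  rewritten={r['rewritten']}")
```

A request whose source is rewritten shows the SNAT rule matching; the reply's rewritten destination is the reverse translation of the same connection.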
Adonist
Updated on September 18, 2022
Comments
-
Adonist over 1 year
I'm doing some troubleshooting in our network and VPNs and I want to monitor the traffic and I want to see if the SNAT and DNAT is working fine. I want something live like tcpdump that I can see something like:
192.168.25.40 <----> 172.16.30.245 icmp echo-request 194.30.25.10
194.30.25.10 icmp echo-reply 172.26.30.245 <----> 192.168.25.40
Is it possible to do it with tcpdump, or iptraf or iftop? Or is there any other tool I could use to see the NAT in real time?
Thanks
-
dirkt almost 7 years
Yes, it's possible with tcpdump. Monitor both the incoming and the outgoing IF, and you should see the different IPs. If there's a lot of other traffic at the same time which you can't stop, a better alternative is wireshark, because it has a GUI and filters.
Adonist almost 7 years
I checked the interfaces but it shows only the IP I'm pinging and the IP of the NAT. It doesn't show the IP before the NAT. Do I need any specific parameter? I've used -vvvv to see the most information but still not.
-
dirkt almost 7 years
No, you can't check on the same IF before and after NAT. What's the problem with checking both IFs? You'll be doing the pings manually, anyway. And if SNAT works for one IP, it will likely also work for the others.
-
dirkt almost 7 years
And if you really need to identify pings, use ping -p with some pattern. But it's quite obvious what's going on if you have two xterms with tcpdump open.