Iptables NETMAP issues

I have to put only a PREROUTING rule, not a POSTROUTING one, because I must change the destination IP from subnet to subnet before the routing decision.

I had already tested the third example 3 days ago without success.

I will try to force the use of POSTROUTING:

iptables -t nat -A POSTROUTING -s -j DNETMAP --prefix
iptables -t nat -A PREROUTING -j DNETMAP

So with a route pushed to , I will try to send ping requests to and see what happens.

Run a tcpdump as well and post it here to see what is going on.

With tcpdump, I see the request coming in on the tun0 interface, but there is no route on the router to route to the br-lan interface.

On the br-lan interface, no trace of the echo request...

What can I do? Should I try to put a static route? Like dev tun0 scope link src ?

There is no existence of on the router.

In your case the 16.1 is source mapped to 15.1

I don't know what you are trying to achieve. I was under the impression that you knew what you wanted to do and you had trouble with the syntax of the command. Seems I was wrong, as you shouldn't be asking such things.

I just tried to use DNETMAP, but it seems not to be working on OpenWRT, so I use a DNAT rule that satisfies my needs.

I will just have to put a DNAT rule for each host I need to contact from the VPN users.

Chain PREROUTING (policy ACCEPT 295 packets, 78796 bytes)
num pkts bytes target prot opt in out source destination
1 5 284 DNETMAP all -- any any anywhere -j DNETMAP --prefix
2 3 164 DNAT all -- any any anywhere to:

The DNETMAP entry is not working;
when I add a DNAT entry, it works.

I'm thinking about posting a bug report here:

I tried it in a test device and it works fine:

iptables -t nat -I POSTROUTING -s -j DNETMAP --prefix
and the output from tcpdump -i any -vn icmp:

11:44:15.453896 IP (tos 0x0, ttl 64, id 43031, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 13317, seq 10, length 64
11:44:15.454076 IP (tos 0x0, ttl 63, id 43031, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 13317, seq 10, length 64

The ingress packet has the original IP and the egress packet has the new one.
If you add the rules at the bottom of the POSTROUTING or PREROUTING chains (the -A option) they will never be hit, since zone_lan_prerouting is higher up and will be preferred.

Thank you for your message,
I did this test again and it works, but the source address should change to and not ; I don't understand.

Also, I don't see how to simply use a POSTROUTING rule to meet my need.

Let me explain my case with an example:
Local Area Network A:
An OpenVPN server runs on the router, whose LAN address is

Remote network B:
I'm on a remote network whose LAN is also

From a PC on this remote network, I connect via OpenVPN to the router of network A, which runs the VPN server.
My IP on the tun0 interface is the following:

I want to reach host on network A, which is complicated because the local and remote networks use the same addressing.
So I need to NAT the destination address of my ping request ( -> ).

So I use the following rule:

iptables -t nat -A PREROUTING -d -j DNAT --to-destination

In this case, if I send a ping to , the router will receive a ping request for host from before routing, so it will be able to forward it to the host, and the host will be able to respond correctly too.

In order to have a universal solution, I thought I could replace DNAT with DNETMAP.
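The post above describes exactly what a prefix-wide NETMAP-style translation does: in PREROUTING, before the routing decision, the destination's network bits are swapped from the alias prefix to the real LAN prefix while the host bits are kept, and conntrack reverses the mapping on the reply so the VPN client sees an answer from the address it pinged. The following Python model of that translation is an added example, not code from the thread or from iptables/xtables-addons; the addresses are constructed (both LANs 192.168.1.0/24, VPN client 10.8.0.2 on tun0, alias prefix 192.168.15.0/24 pushed to VPN clients) because the thread's own IPs are not on the page. It also shows why one prefix rule replaces one DNAT rule per host, and that a packet outside the bound prefix passes through untouched.

```python
from dataclasses import dataclass, replace
import ipaddress

# Constructed addresses for this example (the thread's real IPs are not on the page).
LAN_A = ipaddress.IPv4Network("192.168.1.0/24")    # real LAN behind the OpenVPN server
ALIAS = ipaddress.IPv4Network("192.168.15.0/24")   # prefix pushed to VPN clients as an alias for LAN_A


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def netmap_addr(addr, from_net, to_net):
    """Static prefix translation as NETMAP/DNETMAP do it: keep the host bits,
    replace the network bits. Addresses outside from_net are returned unchanged,
    matching the documented behaviour that only bound addresses are NATed."""
    addr = ipaddress.IPv4Address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("source and target prefixes must have the same length")
    if addr not in from_net:
        return addr
    host_bits = int(addr) & int(from_net.hostmask)
    return ipaddress.IPv4Address(int(to_net.network_address) | host_bits)


def prerouting_dnat(pkt):
    """Model of a PREROUTING rule covering the whole alias prefix, i.e. the
    hypothetical equivalent of
        iptables -t nat -A PREROUTING -d 192.168.15.0/24 -j NETMAP --to 192.168.1.0/24
    instead of one DNAT rule per host. Runs before the routing decision, so the
    router then routes to the real LAN_A host via br-lan."""
    return replace(pkt, dst=netmap_addr(pkt.dst, ALIAS, LAN_A))


def untranslate_reply(reply):
    """What conntrack does for the reverse direction of a mapped flow: the LAN
    host's real source address is rewritten back to the alias, so the VPN
    client sees the reply coming from the address it pinged."""
    return replace(reply, src=netmap_addr(reply.src, LAN_A, ALIAS))


def ping_exchange(client, alias_target):
    """Simulate one echo request/reply through the router.
    Returns (packet forwarded to the LAN host, reply as seen by the client)."""
    request = Packet(ipaddress.IPv4Address(client), ipaddress.IPv4Address(alias_target))
    forwarded = prerouting_dnat(request)          # after PREROUTING, before routing
    reply = Packet(forwarded.dst, forwarded.src)  # LAN host answers the untouched source
    seen_by_client = untranslate_reply(reply)     # conntrack un-NATs the reply source
    return forwarded, seen_by_client


if __name__ == "__main__":
    fwd, rep = ping_exchange("10.8.0.2", "192.168.15.10")
    print(f"request on br-lan: {fwd.src} -> {fwd.dst}")       # 10.8.0.2 -> 192.168.1.10
    print(f"reply on tun0:     {rep.src} -> {rep.dst}")       # 192.168.15.10 -> 10.8.0.2
    print(f"unbound dst untouched: {netmap_addr('10.8.0.5', ALIAS, LAN_A)}")
```

The two routing preconditions from earlier in the thread still apply: the VPN client needs a route for the alias prefix via tun0 (the "route pushed to" the client), and after translation the destination is a real br-lan address, so the router needs no extra route for the alias prefix itself.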

Check example 4.

Okay, now I understand the purpose of --static.

Perhaps I have to add --static and --persistent to my DNETMAP entry.

I'll try it.


No more success...

The target can be used only in the nat table in POSTROUTING or OUTPUT chains for SNAT, and
in PREROUTING for DNAT. Only flows directed to bound addresses will be DNATed. The packet
continues chain traversal if there is no free postnat address to be assigned to the prenat
address. The default binding TTL is 10 minutes and can be changed using the default_ttl
module option. The default address hash size is 256 and can be changed using the hash_size
module option.

Do not create dynamic mappings using this rule. Use static mappings only. Note that
you need to create static mappings via the procfs interface for this rule for this
option to have any effect.

I tried typing in the terminal:
echo "+" > /proc/net/xt_DNETMAP/

-ash: can't create /proc/net/xt_DNETMAP/: nonexistent directory :(

or "ash: write error: Bad address" if I add the DNETMAP entry first...

The folder is there all right if the module is loaded.
However, even root doesn't have write rights in there, so there must be some special way to create a file.

root@RoadWarrior:/# ls -la /proc/net/xt_DNETMAP/
dr-xr-xr-x    2 root     root             0 Apr 15 16:13 .
dr-xr-xr-x    6 root     root             0 Apr 15 16:13 ..

via the procfs

I will do more research tomorrow.



I saw that document, but I don't have the skill to use it.

I guess this is for programming the module to create the entries in /proc.

