It is behind my ISP cable modem; I had to get it set up in bridging mode after the last time they upgraded it. My router is showing all the tunnel traffic (via tcpdump) so I'm fairly certain the modem isn't the issue.
Ok. I heard before from other members of this group that they had a similar setup, yet I was never able to ping them unless they first pinged me.
Central to my confusion at the moment is the rule in the nat PREROUTING isn't counting packets.
Remember that iptables NAT processing in Linux is stateful. It only sees "new" traffic for a connection. Once a connection is in the NAT table, the traffic goes "around" those rules much like Established/Related traffic in the filter tables, but without an explicit visible rule for that purpose.
So, when you ping outward over a tunnel, you will not see those rules matching, yet the traffic is forwarded as a reply to your outgoing pings. Only when you ping from somewhere else, those rules are going to be of influence.
But of course they only see traffic when it actually arrives on your router.
Rob
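
The counter behaviour described in the message above, as an added example that is not part of the original thread: a toy Python model of connection tracking in front of a single nat PREROUTING rule. The DNAT-style rule for IP protocol 4, the addresses and all names are assumptions made for illustration; this is not kernel or iptables code.

```python
from dataclasses import dataclass, field

IPIP = 4                  # IP protocol number of IPIP tunnel traffic
WAN_IP = "192.0.2.1"      # constructed: router's public address
GATEWAY = "10.0.0.2"      # constructed: internal tunnel endpoint behind the router


@dataclass
class Router:
    """Toy model of conntrack plus one nat PREROUTING DNAT rule (not kernel code)."""
    conntrack: dict = field(default_factory=dict)  # (remote, proto) -> internal host
    rule_pkts: int = 0  # what `iptables -t nat -L PREROUTING -v` would show

    def outbound(self, remote, proto=IPIP):
        """Internal gateway sends to a remote peer: this creates the connection entry."""
        self.conntrack.setdefault((remote, proto), GATEWAY)

    def inbound(self, remote, proto=IPIP):
        """Packet arriving on the WAN side; returns (delivered_to, decided_by)."""
        key = (remote, proto)
        if key in self.conntrack:
            # Known connection: the stored mapping is reused, the nat rules are skipped.
            return self.conntrack[key], "conntrack"
        if proto != IPIP:
            return WAN_IP, "no-rule"  # the assumed rule only matches protocol 4
        # First packet of a new connection: the only time the nat rule is evaluated.
        self.rule_pkts += 1
        self.conntrack[key] = GATEWAY
        return GATEWAY, "nat-rule"


def demo():
    r = Router()
    peer_a, peer_b = "198.51.100.7", "203.0.113.9"  # constructed tunnel peers
    r.outbound(peer_a)                    # we ping over the tunnel to peer A first
    replies = [r.inbound(peer_a) for _ in range(5)]
    after_replies = r.rule_pkts           # replies forwarded, counter still 0
    unsolicited = [r.inbound(peer_b) for _ in range(5)]
    return replies, after_replies, unsolicited, r.rule_pkts


if __name__ == "__main__":
    replies, after_replies, unsolicited, total = demo()
    print("rule counter after 5 replies from A:", after_replies)
    print("first/second packet from B decided by:", unsolicited[0][1], unsolicited[1][1])
    print("rule counter after 5 packets from B:", total)
```

In this model the rule counter tracks new connections, not packets, so a tcpdump packet count and the nat rule counter are not expected to agree.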
Iptables is able to run in a stateless NAT mode if you disable the conntrack module:
http://jonatan.nilsson.is/running-a-semi-stateless-linux-router-for-private-...
It might be worth noting that iproute2 can provide a stateless NAT mode w/o IPTABLES, which might be perfect for forwarding the IPIP traffic:
http://linux-ip.net/html/nat-stateless.html
--David KI6ZHD