I am new to iptables and I want to understand how iptables NAT works. I have a Linux machine with an LXC container. The machine's network configuration is as follows: an eth0 interface which connects the machine to the internet (its IPv4 address is 10.9.63.173) and a veth-1 interface (192.168.2.1) for the LXC container. On the LXC container there is an eth0 interface (192.168.2.2) connected to veth-1.
On the Linux machine I have added two iptables rules:
1) iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.9.63.173
2) iptables -t nat -A PREROUTING -d 10.9.63.173 -j DNAT --to-destination 192.168.2.2
If I do a ping 8.8.8.8 from the LXC container everything works (the source IP gets translated to 10.9.63.173 when leaving the Linux machine). But the second rule is never matched by the ping echo replies. I have watched the incoming packets on eth0 (10.9.63.173) using tcpdump and the output is as follows:
23:34:33.151565 IP google-public-dns-a.google.com > host.local: ICMP echo reply, id 536, seq 174, length 64
Therefore, packets with destination 10.9.63.173 arrive on eth0 interface.
I have three questions:
1) Why is the nat prerouting rule never matched?
2) How does iptables know how to modify the replies so that they are forwarded to 192.168.2.2?
3) Can the SNAT target modify the source port (without explicitly telling it to translate to a specific port or port range)?
Thanks!
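The following is an added example, not code from the question or from netfilter itself: a small Python model of the conntrack and nat-table semantics behind the two rules above. It encodes three facts about the real stack: the nat table is consulted only for the first packet of a connection (state NEW), every later packet, including the echo replies seen in the tcpdump output, is translated from the conntrack entry without the nat rules ever being evaluated; conntrack keys ICMP echo on the echo id the way it keys TCP/UDP on ports; and SNAT keeps the original source port/id where possible and picks a free one only when the translated reply tuple would collide with an existing entry. Addresses and interfaces are those of the question; the second container 192.168.2.3, the external client 203.0.113.5, and the way a replacement id is chosen are assumptions made for the demo.

```python
"""Toy model of Linux conntrack + iptables NAT (added example, not kernel code).

Assumptions beyond the question: a second container 192.168.2.3, an external
client 203.0.113.5, and a simplified rule for picking a replacement port/id.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Tuple5:
    proto: str
    src: str
    sport: int      # for "icmp" this field carries the echo id on requests
    dst: str
    dport: int      # for "icmp" this field carries the echo id on replies

    def inverted(self) -> "Tuple5":
        return Tuple5(self.proto, self.dst, self.dport, self.src, self.sport)


class NatBox:
    WAN_IP = "10.9.63.173"                      # eth0 of the Linux machine
    LAN = ipaddress.ip_network("192.168.2.0/24")  # behind veth-1

    def __init__(self):
        # conntrack: wire tuple on ingress -> (tuple it is rewritten into, direction)
        self.conns = {}
        self.nat_hits = {"PREROUTING": 0, "POSTROUTING": 0}
        # rule 1: -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.9.63.173
        self.snat_to = self.WAN_IP
        # rule 2: -t nat -A PREROUTING -d 10.9.63.173 -j DNAT --to-destination 192.168.2.2
        self.dnat_to = "192.168.2.2"

    def _oif(self, dst: str) -> str:
        """Routing decision: LAN destinations leave via veth-1, everything else via eth0."""
        return "veth-1" if ipaddress.ip_address(dst) in self.LAN else "eth0"

    def _free_sport(self, pkt: Tuple5) -> int:
        """iptables-extensions(8), SNAT: 'Where possible, no port alteration will
        occur'; otherwise <512 maps below 512, 512-1023 below 1024, else >= 1024.
        Applying the same rule to ICMP ids is a simplification (assumption)."""
        def taken(p: int) -> bool:
            return Tuple5(pkt.proto, pkt.dst, pkt.dport, self.snat_to, p) in self.conns
        if not taken(pkt.sport):
            return pkt.sport
        if pkt.sport < 512:
            lo, hi = 1, 512
        elif pkt.sport < 1024:
            lo, hi = 512, 1024
        else:
            lo, hi = 1024, 65536
        for p in range(lo, hi):
            if not taken(p):
                return p
        raise RuntimeError("no free source port/id")

    def handle(self, pkt: Tuple5) -> tuple:
        """Forward one packet; return (tuple after translation, conntrack state)."""
        if pkt in self.conns:                       # known connection: conntrack
            out, direction = self.conns[pkt]        # rewrites it, nat table untouched
            return out, "ESTABLISHED/" + direction
        # First packet of a connection: the nat table is consulted exactly once.
        t = pkt
        if t.dst == self.WAN_IP:                    # PREROUTING: rule 2 (DNAT)
            self.nat_hits["PREROUTING"] += 1
            t = Tuple5(t.proto, t.src, t.sport, self.dnat_to, t.dport)
        if self._oif(t.dst) == "eth0":              # POSTROUTING: rule 1 (SNAT)
            self.nat_hits["POSTROUTING"] += 1
            t = Tuple5(t.proto, self.snat_to, self._free_sport(t), t.dst, t.dport)
        # Store both directions so the reply is reverse-translated from conntrack.
        self.conns[pkt] = (t, "ORIGINAL")
        self.conns[t.inverted()] = (pkt.inverted(), "REPLY")
        return t, "NEW"


def demo() -> dict:
    box = NatBox()
    # 1. The container pings 8.8.8.8 with echo id 536 (the id in the tcpdump line).
    out, _ = box.handle(Tuple5("icmp", "192.168.2.2", 536, "8.8.8.8", 0))
    # 2. The echo reply arrives on eth0 addressed to 10.9.63.173, as tcpdump showed.
    back, state = box.handle(Tuple5("icmp", "8.8.8.8", 0, "10.9.63.173", 536))
    prerouting_after_reply = box.nat_hits["PREROUTING"]
    # 3. (assumed) A second container reuses echo id 536: SNAT must pick another id.
    out2, _ = box.handle(Tuple5("icmp", "192.168.2.3", 536, "8.8.8.8", 0))
    # 4. (assumed) An external client opens a NEW connection to the host address.
    inbound, _ = box.handle(Tuple5("tcp", "203.0.113.5", 40000, "10.9.63.173", 22))
    return {
        "ping_src_after_snat": out.src,
        "ping_id_after_snat": out.sport,
        "reply_dst": back.dst,
        "reply_state": state,
        "prerouting_hits_after_reply": prerouting_after_reply,
        "second_container_id": out2.sport,
        "inbound_dst_after_dnat": inbound.dst,
        "prerouting_hits_total": box.nat_hits["PREROUTING"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real host the same thing is visible with `iptables -t nat -nvL`: the packet counter of the PREROUTING rule stays at zero while the pings run, because only a connection's first packet ever reaches the nat table, and the reply is rewritten from the conntrack entry (listed by `conntrack -L` from conntrack-tools, with the original and reply tuples side by side). The model also shows what rule 2 does match: every new inbound connection to 10.9.63.173, on any protocol and port, is handed to the container, since the rule carries no `-i`, `-p` or `--dport` restriction; narrowing it to the intended service is the usual fix.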