#2
02-19-2007
Pascal Hambourg

Re: debian [testing/etch] redirected broadcasts not working

Hello,

mabra wrote:
>
> I am struggling with ipfilters to redirect broadcast from the internet
> into my LAN, which I need for Wake On LAN(WAN). I have just moved from
> NetBSD to Debian and have set it up to be a router, which does well. I
> am new to ipfilters, but I got all of my nat-based redirects of ports
> running, except this one:
>
> iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 8888 -j DNAT --to 192.168.26.255
>
> This is syntactically accepted by ipfilters, but there are no redirected
> packages in the LAN, which I track with tcpdump. The packages reach my
> public interface, but not more.


The incoming packet is DNATed into the broadcast address in the
PREROUTING chain, and then reaches the input routing stage. But in
accordance with RFC 2644 broadcast packets are not forwarded, so the
packet is dropped.

> In NetBSD, I had to set the kernel
> variable "net.inet.ip.directed-broadcast" to allow the redirected
> broadcast.


I am not aware of any such option in the Linux kernel.
For WoL, there are workarounds based on static ARP entries to avoid
using an IP broadcast.

> After long searches, I discovered
> "net.ipv4.ip_echo_ignore_broadcasts" for Debian from a posting. But if I
> try to set this variable, I get only "unknown key" [I use "sysctl -w
> ...] as an error message.


1) It is not ip_echo_ignore_broadcasts but icmp_echo_ignore_broadcasts.
2) It is not Debian specific, it is in the Linux kernel.
3) It has nothing to do with forwarding broadcast packets. It has to do
with accepting and replying to ICMP echo requests ("ping") sent to a
local broadcast address or not.
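
The static-ARP workaround mentioned in the post above, as an added example that is not part of the original thread: the router DNATs to an unused unicast LAN address that a permanent neighbour entry pins to the sleeping host's MAC, so no IP broadcast has to be forwarded. Interface names, the relay address, the MAC and the allowed source address are assumptions.

```shell
#!/bin/sh
# Added example: WoL relay via a static neighbour (ARP) entry instead of an
# IP broadcast. Every value below is an assumption; adjust before use.
EXTIF="${EXTIF:-eth0}"                     # external interface (assumed name)
LANIF="${LANIF:-eth1}"                     # LAN interface (assumed name)
WOL_PORT="${WOL_PORT:-8888}"               # UDP port used in the quoted rule
RELAY_IP="${RELAY_IP:-192.168.26.254}"     # LAN address assumed to be unused
TARGET_MAC="${TARGET_MAC:-00:11:22:33:44:55}"  # constructed MAC of the sleeping host
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.10}" # constructed address allowed to send WoL

# Succeeds only for a MAC written as six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the commands, one per line, so they can be reviewed before running.
wol_relay_commands() {
    valid_mac "$TARGET_MAC" || { echo "invalid MAC: $TARGET_MAC" >&2; return 1; }
    # Permanent neighbour entry: the router never has to ARP for RELAY_IP,
    # which a powered-down host could not answer.
    echo "ip neigh replace $RELAY_IP lladdr $TARGET_MAC dev $LANIF nud permanent"
    # DNAT to a unicast address, so the packet passes the routing decision.
    echo "iptables -t nat -A PREROUTING -i $EXTIF -s $ALLOWED_SRC -p udp --dport $WOL_PORT -j DNAT --to-destination $RELAY_IP"
    # Let only that flow through the FORWARD chain.
    echo "iptables -A FORWARD -i $EXTIF -o $LANIF -s $ALLOWED_SRC -d $RELAY_IP -p udp --dport $WOL_PORT -j ACCEPT"
}

# --print shows the commands; --apply runs them (needs root). Default: nothing.
case "${1:-}" in
    --print) wol_relay_commands ;;
    --apply) cmds=$(wol_relay_commands) && printf '%s\n' "$cmds" | sh -e ;;
esac
```

Restricting the rules to a known source address keeps the relay from accepting wake-up packets from arbitrary Internet hosts.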