Nat – how to correctly change the source ip of a ping packet

Remove the three rules you have above and try adding this:

$IPTABLES -t NAT -A POSTROUTING -s 192.x.y.a -j SNAT 192.x.y.b
$IPTABLES -A FORWARD -s 192.x.y.a -J ACCEPT

And enter the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

You should also have a rule similar to the following in your firewall:

$IPTABLES -t FILTER -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That will take care of all established/related connections, instead of making a rule for each one.

To my knowledge, the address rewriting behaviour you're describing will happen so long as the outbound response packet is routed by the same router that routed / DNAT'ed the incoming request. If any other of the N+1 routers in the highly-available router pool are handling the outbound response packet, though, they're not going to "see" that connection in the Netfilter state database.

It sounds like you want a highly available Netfilter router that shares NAT state machine information. The ct_sync tool mentioned in that paper has been mostly abandoned, but the conntrackd tool from conntrack-tools has been developed to do some of the same things as ct_sync.

If you're planning on doing stateful packet filtering (or NAT, which is really just a superset of stateful packet filtering) then you're going to need a method to distribute the state database (or, alternatively, go with stateless filtering in the network and do stateful filtering on each host).