bugzilla-daemon@netfilter.org
2003-Feb-01 19:10 UTC
[Bug 34] New: Redirecting udp packets to closed port gives bad icmp error
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=34

Summary: Redirecting udp packets to closed port gives bad icmp error
Product: netfilter/iptables
Version: linux-2.4.x
Platform: i386
OS/Version: RedHat Linux
Status: NEW
Severity: normal
Priority: P2
Component: ip_tables (kernel)
AssignedTo: laforge@netfilter.org
ReportedBy: nfudd-netfilter-org@speed-test.net
CC: netfilter-buglog@lists.netfilter.org

As there is no way to say 'reject' or 'mark' in the prerouting table of nat, I use 'redirect' to send unwanted packets to a closed port. In this example, I've redirected all udp packets except port 53 to port 1.

When a packet comes in for ntp (for example), I expect the icmp error message to say 'port 111 unreachable', but instead it says 'port 1 unreachable'. Also, the icmp error is from the wrong ip address.

Tcpdump output:

11:00:04.833119 10.10.12.237.ntp > 11.11.11.11.ntp: v4 client strat 0 poll 4 prec -6 (DF)
11:00:04.835416 11.11.11.11 > 10.10.12.237: icmp: 10.10.12.1 udp port tcpmux unreachable [tos 0xc0]

(10.10.12.237 is the client machine, 10.10.12.1 is the iptables firewall, 11.11.11.11 is a time server)

I'm using Redhat 8.0, Linux kernel 2.0.40, patch-o-matic-20030107.tar.bz2, and iptables-1.2.7a.tar.bz2.

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
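The report's complaint can be stated as a consistency rule: an ICMP port unreachable quotes the original IP header, so the address and port it names should be the ones the sender used, and the error should come from the host that owns that closed port. The script below checks a captured UDP/ICMP pair against that rule. It is an added example written for this report, not code from the reporter, from netfilter or from tcpdump; the two REPORTED_* lines are quoted from the report, while the regexes, the port-name table, the function names and the CONSISTENT_* pair are assumptions constructed for the example.

```python
"""Consistency check for a UDP datagram and the ICMP port-unreachable it
provoked, as seen in tcpdump output.

Added example written for this bug report; not code from the report, from
netfilter or from tcpdump.  The REPORTED_* lines are quoted from the report;
the regexes, PORT_NAMES and the CONSISTENT_* pair are assumptions."""
import re

IPV4 = r"\d+(?:\.\d+){3}"

# tcpdump prints service names for well-known ports; the ones needed here.
PORT_NAMES = {"ntp": 123, "tcpmux": 1, "domain": 53}

UDP_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{IPV4})\.(?P<sport>\w+) > (?P<dst>{IPV4})\.(?P<dport>\w+):")
ICMP_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{IPV4}) > (?P<dst>{IPV4}): icmp: "
    rf"(?P<quoted_dst>{IPV4}) udp port (?P<port>\w+) unreachable")


def port_number(field: str) -> int:
    """Turn a tcpdump port field (service name or number) into a port number."""
    return int(field) if field.isdigit() else PORT_NAMES[field]


def parse_udp(line: str) -> dict:
    """Extract addresses and ports from a tcpdump UDP line."""
    m = UDP_RE.match(line)
    if not m:
        raise ValueError(f"not a UDP line: {line!r}")
    d = m.groupdict()
    d["sport"], d["dport"] = port_number(d["sport"]), port_number(d["dport"])
    return d


def parse_icmp_unreachable(line: str) -> dict:
    """Extract the error's endpoints and the quoted destination from tcpdump."""
    m = ICMP_RE.match(line)
    if not m:
        raise ValueError(f"not an ICMP port-unreachable line: {line!r}")
    d = m.groupdict()
    d["port"] = port_number(d["port"])
    return d


def check_unreachable(udp_line: str, icmp_line: str) -> list:
    """Return the inconsistencies between a datagram and the ICMP error it drew.

    The error must go back to the sender, must quote the sender's original
    destination address and port, and must come from the host whose port was
    closed, i.e. from the quoted destination.  An empty list means consistent."""
    udp = parse_udp(udp_line)
    icmp = parse_icmp_unreachable(icmp_line)
    problems = []
    if icmp["dst"] != udp["src"]:
        problems.append(f"error sent to {icmp['dst']}, sender was {udp['src']}")
    if icmp["quoted_dst"] != udp["dst"]:
        problems.append(f"quoted destination {icmp['quoted_dst']}, original was {udp['dst']}")
    if icmp["port"] != udp["dport"]:
        problems.append(f"quoted port {icmp['port']}, original was {udp['dport']}")
    if icmp["src"] != icmp["quoted_dst"]:
        problems.append(f"error from {icmp['src']} but quoted destination is {icmp['quoted_dst']}")
    return problems


# Lines quoted from the bug report.
REPORTED_UDP = "11:00:04.833119 10.10.12.237.ntp > 11.11.11.11.ntp: v4 client strat 0 poll 4 prec -6 (DF)"
REPORTED_ICMP = "11:00:04.835416 11.11.11.11 > 10.10.12.237: icmp: 10.10.12.1 udp port tcpmux unreachable [tos 0xc0]"

# Constructed pair showing what a consistent error would look like.
CONSISTENT_UDP = "11:00:05.000000 10.10.12.237.ntp > 11.11.11.11.ntp: v4 client strat 0 poll 4 prec -6 (DF)"
CONSISTENT_ICMP = "11:00:05.001000 11.11.11.11 > 10.10.12.237: icmp: 11.11.11.11 udp port ntp unreachable [tos 0xc0]"

if __name__ == "__main__":
    for label, pair in (("reported", (REPORTED_UDP, REPORTED_ICMP)),
                        ("consistent", (CONSISTENT_UDP, CONSISTENT_ICMP))):
        print(label, check_unreachable(*pair) or "ok")
```

On the reported pair the check flags three things at once: the quoted destination is the firewall's own address rather than the time server, the quoted port is 1 rather than the port the client sent to, and the error's source address does not match the address it quotes. The constructed pair passes cleanly, which is the shape a client expects when it maps the error back to its outstanding request.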