bugzilla-daemon@netfilter.org
2003-Feb-26 18:09 UTC
[Bug 55] New: ICMP translation problem with local NAT
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=55

           Summary: ICMP translation problem with local NAT
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: NAT
        AssignedTo: laforge@netfilter.org
        ReportedBy: laforge@netfilter.org
                CC: bazsi@balabit.hu,netfilter-buglog@lists.netfilter.org

Hi,

I've encountered another ICMP translation problem in netfilter. This time it occurs when a process initiates a connection and it is translated on the same host.

How to reproduce:

Box A ---------------------------------- Box B
192.168.131.124                          192.168.131.1
                                         Routes back 10.0.0.0/24 using
                                         192.168.131.124 as gateway

iptables -t nat -A POSTROUTING -p tcp -s 192.168.131.124 --sport 9999 \
  -j SNAT --to-source 10.0.0.1

and

nc -s 192.168.131.124 -p 9999 192.168.131.1 80

The connection works as expected if Box B accepts connections on port 80, but if I cause Box B to send an ICMP port unreachable back (boxb was using ipchains in my case, therefore the ipchains command line):

boxb# ipchains -s 10.0.0.0/24 -d 0/0 80 -j REJECT

The source address within the ICMP port unreachable is not rewritten, as the following LOG output shows (to trigger the LOG output I added another rule to INPUT: iptables -A INPUT -p icmp -j LOG):

IN=eth0 OUT= MAC=00:50:56:bb:83:25:00:50:bf:0b:f6:2f:08:00 \
SRC=192.168.131.1 DST=192.168.131.124 LEN=88 TOS=0x00 \
PREC=0xC0 TTL=255 ID=26730 PROTO=ICMP TYPE=3 CODE=3 \
[SRC=10.0.0.1 DST=192.168.131.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53526 DF PROTO=TCP SPT=9999 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 ]
 ^^^^^^^^

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
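The symptom in the report is visible in the LOG line itself: the outer ICMP header has already been reverse-translated (DST=192.168.131.124, the real local address), but the quoted inner header still carries the SNAT address 10.0.0.1 as SRC, so the local TCP socket bound to 192.168.131.124:9999 cannot match the error to its connection. The script below is an added example, not part of the bug report or of netfilter; it parses netfilter LOG lines (including the bracketed inner header of ICMP errors) and checks whether the inner SRC was reverse-translated according to the SNAT mapping the report configures. The first sample line is the report's LOG output; the second, correctly translated line and the names `SnatMapping`, `parse_nf_log` and `check_icmp_error_translation` are constructed for illustration.

```python
"""Check netfilter LOG lines for ICMP errors whose embedded header was not
reverse-translated by SNAT. Added example; not code from the bug report."""
import re
from dataclasses import dataclass

# ICMP types that quote the offending datagram's IP header in their payload
# (dest unreachable, source quench, redirect, time exceeded, parameter problem).
ICMP_ERROR_TYPES = {"3", "4", "5", "11", "12"}

# Constructed sample input. The first line reproduces the LOG output from the
# report (inner SRC still 10.0.0.1); the second is a hypothetical line showing
# what a correctly translated inner header would look like.
LOG_UNTRANSLATED = (
    "IN=eth0 OUT= MAC=00:50:56:bb:83:25:00:50:bf:0b:f6:2f:08:00 "
    "SRC=192.168.131.1 DST=192.168.131.124 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 "
    "ID=26730 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=10.0.0.1 DST=192.168.131.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=53526 DF PROTO=TCP SPT=9999 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 ]"
)
LOG_TRANSLATED = LOG_UNTRANSLATED.replace("[SRC=10.0.0.1", "[SRC=192.168.131.124")

_KV = re.compile(r"(\w+)=(\S*)")


def _fields(text):
    """Turn 'A=1 B= C=x' into {'A': '1', 'B': '', 'C': 'x'}.
    Bare flags such as DF or SYN carry no '=' and are skipped."""
    return dict(_KV.findall(text))


def parse_nf_log(line):
    """Split a netfilter LOG line into the outer header fields and, for ICMP
    errors, the bracketed inner (quoted) header fields; inner is None if absent."""
    outer_text, inner_text = line, None
    m = re.search(r"\[(.*?)\]", line)
    if m:
        outer_text = line[:m.start()]
        inner_text = m.group(1)
    return {
        "outer": _fields(outer_text),
        "inner": _fields(inner_text) if inner_text is not None else None,
    }


@dataclass
class SnatMapping:
    """One SNAT rule as the report configures it (hypothetical helper type):
    the original source address/port and the address it is rewritten to."""
    orig_src: str
    orig_sport: int
    nat_src: str


# The mapping from the report: 192.168.131.124:9999 is SNATed to 10.0.0.1.
REPORT_MAPPING = SnatMapping("192.168.131.124", 9999, "10.0.0.1")


def check_icmp_error_translation(parsed, mapping):
    """For an ICMP error delivered to the local host, the quoted inner header
    must describe the packet as the local socket sent it: inner SRC must be
    mapping.orig_src, not the on-the-wire SNAT address. Returns (status, inner_src)."""
    outer, inner = parsed["outer"], parsed["inner"]
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") not in ICMP_ERROR_TYPES or inner is None:
        return ("not_icmp_error", None)
    # Relate the error to the mapping: the outer DST has already been reverse-
    # translated to the real local address, and the quoted TCP source port is ours.
    if outer.get("DST") != mapping.orig_src or inner.get("PROTO") != "TCP":
        return ("unrelated", None)
    if int(inner.get("SPT", "-1")) != mapping.orig_sport:
        return ("unrelated", None)
    inner_src = inner.get("SRC")
    if inner_src == mapping.orig_src:
        return ("translated", inner_src)
    if inner_src == mapping.nat_src:
        # Outer header rewritten, inner header left alone: the bug in the report.
        return ("untranslated", inner_src)
    return ("unknown", inner_src)


if __name__ == "__main__":
    for label, line in (("report", LOG_UNTRANSLATED), ("expected", LOG_TRANSLATED)):
        status, src = check_icmp_error_translation(parse_nf_log(line), REPORT_MAPPING)
        print(f"{label}: inner SRC={src} -> {status}")
```

Run against a LOG feed from a box that does local SNAT, an `untranslated` result for an ICMP error aimed at one of its own sockets is the condition described in the report: the kernel fixed up the outer header but not the quoted one, so the error never reaches the connection it belongs to.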