From: Ray Leach <spoons@rchq.co.za>
To: Martijn Lievaart <m@rtij.nl>
Cc: Jordan Russell <jr-list-2007@quo.to>, netfilter@lists.netfilter.org
Subject: Re: ICMP packets associated with NAT connections sent out wrong interface?
Date: Wed, 27 Jun 2007 13:44:10 +0200
Message-ID: <1182944650.6183.17.camel@ray-linux.internal>
In-Reply-To: <46819191.10808@rtij.nl>
On Wed, 2007-06-27 at 00:22 +0200, Martijn Lievaart wrote:
> Jordan Russell wrote:
> > Hi,
> >
> > My machine is functioning as a NAT box. It has two NICs:
> > - eth0, connected to the LAN, IP address 192.168.0.1
> > - eth1, connected to the Internet, IP address 123.23.23.23
> >
> > In the OUTPUT chain, I accept packets sent out eth0 with a destination
> > address of 192.168.0.x. Any packets sent out other interfaces with a
> > destination address of 192.168.0.x are logged and dropped:
> >
> > -A OUTPUT -d 192.168.0.0/24 -o eth0 -j ACCEPT
> > -A OUTPUT -d 192.168.0.0/24 -j LOG '[outdrop] '
> > -A OUTPUT -d 192.168.0.0/24 -j DROP
> >
> > In kernel 2.6.19 and earlier, the LOG & DROP rules never matched
> > anything, just as expected.
> >
> > With 2.6.20.12 and 2.6.21.5, however, they occasionally catch "ICMP
> > TYPE=3 CODE=3" packets going out eth1. Example:
> >
> > [outdrop] IN= OUT=eth1 SRC=123.23.23.23 DST=192.168.0.4 LEN=68 TOS=0x00
> > PREC=0xC0 TTL=64 ID=61136 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.4
> > DST=123.23.23.23 LEN=40 TOS=0x00 PREC=0x20 TTL=53 ID=16088 PROTO=TCP
> > SPT=1229 DPT=44851 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 ]
> >
>
> That's a port unreachable message, seemingly coming from the outside, in
> response to a RST coming from the inside. That in itself is not very
> usual, but it can happen.
>
> This packet going out the wrong interface seems like a pretty serious
> bug. I advise you to repost on the netfilter-devel list, there are many
> more people there that are really into this. However, this may be a bug
> in the network code, not the netfilter code. Or something else completely.
>
>
> HTH,
> M4
>
Doesn't seem like a bug ...
The port unreachable ICMP reply is coming from your machine in response
to a packet coming in eth1 trying to get to 192.168.0.x ...
You have just denied the echo replies by your DROP rule.
--
--------------------------------------------------
Raymond Leach (spoons@rchq.co.za)
RCHQ Hobbies cc Web: http://www.rchq.co.za/
Tel: +27 82 575 6975 Fax: +27 86 652 2773
"No matter where you go, there you are ..."
--------------------------------------------------
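As an added illustration (not part of the thread, and not code from any of its participants), here is a small Python parser for the iptables LOG format quoted in the original post. It separates the outer header from the bracketed inner header that LOG prints for ICMP errors, and applies the same test the poster's OUTPUT rules encode (a 192.168.0.0/24 destination leaving an interface other than eth0), so a whole log can be triaged rather than read line by line. The LAN prefix, the interface name and the sample line come from the quoted message; the function names, the re-joined sample and the second test line are my own constructions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the LOG line quoted in the thread, re-joined onto one line
# (the mail client had wrapped it across four lines).
SAMPLE_LINE = " ".join([
    "[outdrop] IN= OUT=eth1 SRC=123.23.23.23 DST=192.168.0.4 LEN=68 TOS=0x00",
    "PREC=0xC0 TTL=64 ID=61136 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.4",
    "DST=123.23.23.23 LEN=40 TOS=0x00 PREC=0x20 TTL=53 ID=16088 PROTO=TCP",
    "SPT=1229 DPT=44851 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 ]",
])

# Topology from the original post (assumed here; adjust for your own box).
LAN_NET = ip_network("192.168.0.0/24")
LAN_IF = "eth0"

# ICMP types that carry the offending datagram's header in their payload;
# iptables LOG prints that inner header inside square brackets.
ICMP_ERROR_TYPES = {"3", "4", "5", "11", "12"}


def _fields(text):
    """Turn 'K=V K=V FLAG FLAG' into a dict; bare tokens (TCP flags) go in 'flags'."""
    fields = {"flags": []}
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # 'IN=' yields an empty string, as in the log
        else:
            fields["flags"].append(tok)
    return fields


def parse_log_line(line):
    """Split one iptables LOG line into prefix, outer header and (if present)
    the bracketed inner header of an ICMP error."""
    prefix = None
    m = re.match(r"\s*\[([^\]]*)\]\s*", line)  # '[outdrop] ' style --log-prefix
    if m:
        prefix, line = m.group(1), line[m.end():]
    inner = {}
    m = re.search(r"\[(.*)\]\s*$", line)       # inner header printed for ICMP errors
    if m:
        inner, line = _fields(m.group(1)), line[:m.start()]
    return {"prefix": prefix, "outer": _fields(line), "inner": inner}


def check_record(rec, lan_net=LAN_NET, lan_if=LAN_IF):
    """Apply the test the OUTPUT rules encode (a LAN destination leaving a
    non-LAN interface) and pull out the context an ICMP error carries."""
    outer, inner = rec["outer"], rec["inner"]
    result = {"wrong_egress": False, "icmp_error": False,
              "error_to_inner_src": None, "inner_tuple": None}
    out_if = outer.get("OUT", "")
    if out_if and ip_address(outer["DST"]) in lan_net and out_if != lan_if:
        result["wrong_egress"] = True
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") in ICMP_ERROR_TYPES:
        result["icmp_error"] = True
        if inner:
            result["inner_tuple"] = (inner.get("PROTO"), inner.get("SRC"), inner.get("SPT"),
                                     inner.get("DST"), inner.get("DPT"))
            # RFC 792: an ICMP error is addressed to the source of the datagram
            # that triggered it, so the outer DST should equal the inner SRC.
            result["error_to_inner_src"] = outer["DST"] == inner.get("SRC")
    return result


def describe(rec, result):
    """One-line triage summary for a parsed record."""
    outer = rec["outer"]
    parts = [f"prefix={rec['prefix']}", f"out={outer.get('OUT')}",
             f"{outer.get('SRC')} -> {outer.get('DST')}", f"proto={outer.get('PROTO')}"]
    if result["icmp_error"]:
        parts.append(f"icmp type={outer.get('TYPE')} code={outer.get('CODE')}")
    if result["inner_tuple"]:
        proto, src, spt, dst, dpt = result["inner_tuple"]
        parts.append(f"in reply to {proto} {src}:{spt} -> {dst}:{dpt}")
    if result["wrong_egress"]:
        parts.append(f"LAN destination left {outer.get('OUT')} rather than {LAN_IF}")
    return "; ".join(parts)


if __name__ == "__main__":
    record = parse_log_line(SAMPLE_LINE)
    print(describe(record, check_record(record)))
```

Run against the quoted line, the parser reports that the outer packet is an ICMP type 3 code 3 error addressed to the inner packet's source (as ICMP semantics require) but that it left eth1 even though the routing table should send a 192.168.0.0/24 destination out eth0; that interface mismatch, not the ICMP error itself, is what the LOG/DROP rules are catching, which is the thing worth tracking across a larger log before deciding whether it is a netfilter or a routing problem.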