From mboxrd@z Thu Jan 1 00:00:00 1970
From: Marian Stagarescu
Subject: Re: snat and ICMP question
Date: Tue, 8 Oct 2002 15:00:06 -0400
Sender: netfilter-devel-admin@lists.netfilter.org
Message-ID: <200210081500.06505.marian@ti.com>
References: <3DA30D48.3EA0E56E@netcelo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Matthieu Marc
To: Ciaran Deignan, netfilter-devel@lists.netfilter.org
In-Reply-To: <3DA30D48.3EA0E56E@netcelo.com>
Errors-To: netfilter-devel-admin@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

> I'm using the following configuration
>
> iptables -t mangle -A PREROUTING --in-interface ipsec+ \
>     -j MARK --set-mark 1
> iptables -t nat -A POSTROUTING -m mark --mark 1 \
>     -j MASQUERADE

I think that the icmp packet is not marked hence not masqueraded
(it is locally generated by the ip stack (above ipsec anyways) hence
does not follow rule 1 mangle above).

is this your config ?

SNAT -------------------> ipsec-interface        public_interface-------WEB-SERVER
                          mtu 1400               mtu 1500
   |                                                  1500
   |  <-------------
   |  ICMP frag required
   |  (OUTPUT)
   ------------+

> However the IPsec tunnel had an MTU of 1400, slightly less
> than the ethernet packet. When a user requests a large
> web page (for example), the web server sends big packets,
> and an ICMP error is generated by the NAT-ing node. However
> the ICMP packet contains the real destination address, not
> the address of the NAT device... The web server ignores the
> ICMP error, which is normal.
>
> I'm using iptables v1.2.7a with a 2.4.17 kernel. I haven't
> tried adding any additional patches.
>
> Has anybody previously encountered this sort of problem?
> How can I tell iptables to NAT inside ICMP packets that are
> generated locally but that concern connections coming
> from the tunnel? I suppose it would work if I just
> masqueraded everything going through any interface,
> but that seems a bit drastic...
>
> Thanks for any pointers,
> Ciaran
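The chain traversal behind Marian's diagnosis, as an added model (not code from the original thread): a forwarded packet from the tunnel passes mangle PREROUTING and picks up the mark, but an ICMP error the NAT box generates itself enters at OUTPUT, so the mark-based MASQUERADE rule in nat POSTROUTING never matches it. The interface name `ipsec0` and the simplified hook order are assumptions made for the illustration.

```python
"""Model of netfilter hook traversal for the two rules quoted in the thread
(added example, not from the original mail). It shows why a MARK set in
mangle PREROUTING never reaches an ICMP error generated on the NAT box itself.
Interface names and the hook order are simplified assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional

# Hooks a packet visits on each of the three IPv4 paths through the stack.
PATHS = {
    "forward": ["PREROUTING", "FORWARD", "POSTROUTING"],   # tunnel -> web server
    "local_out": ["OUTPUT", "POSTROUTING"],                # generated by the NAT box
    "local_in": ["PREROUTING", "INPUT"],                   # addressed to the NAT box
}

@dataclass
class Packet:
    proto: str
    in_iface: Optional[str]          # None for locally generated packets
    path: str
    mark: int = 0
    nat: Optional[str] = None
    hooks: List[str] = field(default_factory=list)

def traverse(pkt: Packet) -> Packet:
    """Apply the poster's two rules at the hooks where iptables evaluates them."""
    for hook in PATHS[pkt.path]:
        pkt.hooks.append(hook)
        # mangle PREROUTING --in-interface ipsec+ -j MARK --set-mark 1
        # (iptables' trailing '+' wildcard is modelled with fnmatch's '*')
        if hook == "PREROUTING" and pkt.in_iface and fnmatch(pkt.in_iface, "ipsec*"):
            pkt.mark = 1
        # nat POSTROUTING -m mark --mark 1 -j MASQUERADE
        if hook == "POSTROUTING" and pkt.mark == 1:
            pkt.nat = "MASQUERADE"
    return pkt

def tunnel_reply() -> Packet:
    """TCP segment arriving from the tunnel (assumed interface ipsec0), forwarded on."""
    return traverse(Packet("tcp", "ipsec0", "forward"))

def local_icmp_error() -> Packet:
    """ICMP 'fragmentation needed' produced by the NAT box's own IP stack."""
    return traverse(Packet("icmp", None, "local_out"))

if __name__ == "__main__":
    for p in (tunnel_reply(), local_icmp_error()):
        print(p.proto, "->".join(p.hooks), "mark=%d nat=%s" % (p.mark, p.nat))
```

Running it prints the forwarded TCP packet as marked and masqueraded, and the ICMP error as visiting only OUTPUT and POSTROUTING with mark 0 and no NAT, which is exactly the gap the reply points at.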