From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ciaran Deignan
Subject: snat and ICMP question
Date: Tue, 08 Oct 2002 18:52:24 +0200
Sender: netfilter-devel-admin@lists.netfilter.org
Message-ID: <3DA30D48.3EA0E56E@netcelo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: Matthieu Marc
To: netfilter-devel@lists.netfilter.org
Errors-To: netfilter-devel-admin@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Hi All,

I asked this question on the normal netfilter mailing-list. Either I
outlined the problem badly, or I'm beyond help :)

I have a problem with ICMP (destination-unreachable / fragmentation
needed) packets not being NAT-ed correctly with a specific SNAT
configuration.

I have an IPsec tunnel (FreeS/WAN), and I need to source-NAT everything
that comes out of the tunnel (strange routing problem). I'm using the
following configuration:

    iptables -t mangle -A PREROUTING --in-interface ipsec+ \
        -j MARK --set-mark 1
    iptables -t nat -A POSTROUTING -m mark --mark 1 \
        -j MASQUERADE

However, the IPsec tunnel has an MTU of 1400, slightly less than the
ethernet packet. When a user requests a large web page (for example),
the web server sends big packets, and an ICMP error is generated by the
NAT-ing node. However, the ICMP packet contains the real destination
address, not the address of the NAT device... The web server ignores
the ICMP error, which is normal.

I'm using iptables v1.2.7a with a 2.4.17 kernel. I haven't tried adding
any additional patches.

Has anybody previously encountered this sort of problem? How can I tell
iptables to NAT inside ICMP packets that are generated locally but that
concern connections coming from the tunnel?

I suppose it would work if I just masqueraded everything going through
any interface, but that seems a bit drastic...
Thanks for any pointers,
Ciaran
-- 
+---------------------------------------------------------+
Ciaran Deignan                             04 38 49 87 27
Netcelo SA - IPsec VPN Solutions   http://www.netcelo.com/
18-20 rue Henri Barbusse - BP 2501, 38035 Grenoble Cedex 2
+---------------------------------------------------------+
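The mechanism the question turns on, shown as an added example that is not part of the mail above and not netfilter's own code: an ICMP destination-unreachable / fragmentation-needed error (type 3, code 4) carries the IP header and first 8 bytes of the datagram that was too big. When that datagram was a de-masqueraded reply, the embedded destination is the real client behind the tunnel, so "NAT-ing inside ICMP" means rewriting the embedded destination address and port back to the MASQUERADE address and port, then recomputing the embedded IP checksum and the ICMP checksum. The only value taken from the mail is the tunnel MTU of 1400; the addresses, ports and function names are constructed for this illustration.

```python
"""
Constructed scenario (addresses and ports are illustrative, not from the mail):
  web server            192.0.2.10     sends the too-big reply
  NAT node, outside     198.51.100.1   the MASQUERADE address
  real client, tunnel   10.0.0.5       behind the ipsec+ interface
"""
import socket
import struct

WEB_SERVER = "192.0.2.10"
NAT_ADDR = "198.51.100.1"
CLIENT = "10.0.0.5"
CLIENT_PORT = 52000      # client's real source port (constructed)
MASQ_PORT = 61000        # port chosen by MASQUERADE (constructed)
TUNNEL_MTU = 1400        # the tunnel MTU from the mail

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
ICMP_HDR = struct.Struct("!BBHHH")        # type, code, csum, unused, next-hop MTU
TCP_8 = struct.Struct("!HHI")             # first 8 bytes of TCP: ports + seq


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, df=True):
    flags_frag = 0x4000 if df else 0
    hdr = IP_HDR.pack(0x45, 0, 20 + payload_len, 0x1234, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_frag_needed(outer_src, outer_dst, embedded_ip_hdr, embedded_l4_8, mtu):
    """ICMP type 3 code 4 as the NAT node itself would generate it."""
    body = ICMP_HDR.pack(3, 4, 0, 0, mtu) + embedded_ip_hdr + embedded_l4_8
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(outer_src, outer_dst, 1, len(body), df=False) + body


def parse_embedded(pkt):
    """(outer_src, outer_dst, inner_src, inner_dst, inner_sport, inner_dport, mtu)."""
    outer = IP_HDR.unpack(pkt[:20])
    icmp = ICMP_HDR.unpack(pkt[20:28])
    inner = IP_HDR.unpack(pkt[28:48])
    sport, dport, _seq = TCP_8.unpack(pkt[48:56])
    return (socket.inet_ntoa(outer[8]), socket.inet_ntoa(outer[9]),
            socket.inet_ntoa(inner[8]), socket.inet_ntoa(inner[9]),
            sport, dport, icmp[4])


def checksums_ok(pkt):
    """Outer IP, ICMP (header + embedded data) and embedded IP checksums all valid."""
    return (checksum(pkt[:20]) == 0 and checksum(pkt[20:]) == 0
            and checksum(pkt[28:48]) == 0)


def snat_icmp_error(pkt, real_addr, real_port, nat_addr, nat_port):
    """
    Apply the MASQUERADE mapping to the embedded header of a locally generated
    ICMP error: inner destination real_addr:real_port becomes nat_addr:nat_port.
    The embedded IP checksum and the ICMP checksum are recomputed. The embedded
    TCP checksum cannot be touched: only 8 bytes of TCP are present and its
    checksum field lies beyond them, which is why the sender does not check it.
    """
    outer, icmp_hdr, inner, l4 = pkt[:20], pkt[20:28], pkt[28:48], pkt[48:56]
    if inner[16:20] != socket.inet_aton(real_addr):
        return pkt                      # not about a translated connection
    sport, dport, seq = TCP_8.unpack(l4)
    if dport != real_port:
        return pkt
    inner = inner[:10] + b"\x00\x00" + inner[12:16] + socket.inet_aton(nat_addr)
    inner = inner[:10] + struct.pack("!H", checksum(inner)) + inner[12:]
    l4 = TCP_8.pack(sport, nat_port, seq)
    body = icmp_hdr[:2] + b"\x00\x00" + icmp_hdr[4:] + inner + l4
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return outer + body


def demo():
    """Return (error as generated, error after translating the embedded header)."""
    # The reply from the web server, already de-masqueraded: dst is the real client.
    big_reply_hdr = ipv4_header(WEB_SERVER, CLIENT, 6, 1480)
    first8 = TCP_8.pack(80, CLIENT_PORT, 0x11223344)
    raw = icmp_frag_needed(NAT_ADDR, WEB_SERVER, big_reply_hdr, first8, TUNNEL_MTU)
    fixed = snat_icmp_error(raw, CLIENT, CLIENT_PORT, NAT_ADDR, MASQ_PORT)
    return raw, fixed


if __name__ == "__main__":
    raw, fixed = demo()
    print("as generated:", parse_embedded(raw))     # inner dst is 10.0.0.5
    print("translated  :", parse_embedded(fixed))   # inner dst is 198.51.100.1
```

Run it and compare the two lines: the first is the error the mail describes, where the embedded destination is the tunnel client and therefore matches no connection the web server knows about; the second is what the sender needs to see before it will lower its path MTU. Note that the outer header is already correct in both cases, since the NAT node is the one sending the error; only the quoted inner header is wrong.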