* icmp forward
@ 2009-01-30 8:18 Hinko Kocevar
2009-01-30 8:33 ` Michele Petrazzo - Unipex srl
` (2 more replies)
0 siblings, 3 replies; 13+ messages in thread
From: Hinko Kocevar @ 2009-01-30 8:18 UTC (permalink / raw)
To: netfilter
Hi all,
I'm an absolute beginner on the netfilter stuff, so please bear with me here.
We have a device running a linux 2.6.19 kernel with iptables installed. It acts
as a gateway for another mobile device that connects to the linux device via an irda
port - ppp connection. I've managed to port forward the telnet port to the mobile device
with the help of this page http://kreiger.linuxgods.com/kiki/?Port+forwarding+with+netfilter.
Our customers want to be able to ping the mobile device behind the linux firewall
and IMHO it is not possible for ICMP packets to be forwarded since it is a protocol
by itself (not a TCP/UDP style service).
Is it possible to 'port forward' ICMP requests?
Thank you,
HK
--
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@cetrtapot.si
http www.cetrtapot.si
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: icmp forward
2009-01-30 8:18 icmp forward Hinko Kocevar
@ 2009-01-30 8:33 ` Michele Petrazzo - Unipex srl
2009-01-30 8:53 ` Payam Chychi
2009-01-30 9:19 ` Hinko Kocevar
2009-01-30 8:49 ` Christoph Paasch
2009-01-30 9:20 ` Mart Frauenlob
2 siblings, 2 replies; 13+ messages in thread
From: Michele Petrazzo - Unipex srl @ 2009-01-30 8:33 UTC (permalink / raw)
To: Hinko Kocevar; +Cc: netfilter
Hinko Kocevar wrote:
> Hi all,
>
> I'm an absolute beginner on the netfilter stuff, so please bear with me here.
>
> We have a device running a linux 2.6.19 kernel with iptables installed. It acts
> as a gateway for another mobile device that connects to the linux device via an irda
> port - ppp connection. I've managed to port forward the telnet port to the mobile device
> with the help of this page http://kreiger.linuxgods.com/kiki/?Port+forwarding+with+netfilter.
> Our customers want to be able to ping the mobile device behind the linux firewall
> and IMHO it is not possible for ICMP packets to be forwarded since it is a protocol
> by itself (not a TCP/UDP style service).
>
>
> Is it possible to 'port forward' ICMP requests?
>
Sure? Looking at the first Google replies, you can find
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 10.2.1.1
and so on...
Or did I miss something?
> Thank you,
> HK
>
Michele
* Re: icmp forward
2009-01-30 8:18 icmp forward Hinko Kocevar
2009-01-30 8:33 ` Michele Petrazzo - Unipex srl
@ 2009-01-30 8:49 ` Christoph Paasch
2009-01-30 9:12 ` Hinko Kocevar
2009-01-30 9:20 ` Mart Frauenlob
2 siblings, 1 reply; 13+ messages in thread
From: Christoph Paasch @ 2009-01-30 8:49 UTC (permalink / raw)
To: Hinko Kocevar; +Cc: netfilter
Hi,
On Fri January 30 2009, Hinko Kocevar wrote:
> Hi all,
>
> Is it possible to 'port forward' ICMP requests?
You can match the protocol on ICMP packets with -p icmp and leave the port-
specific stuff out of it, as ICMP doesn't use port numbers. But the problem will
be that your external machine won't be reachable for icmp packets (as every
icmp packet will get forwarded). It may be annoying if MTU or ping packets
don't reach your machine anymore. That depends on the usage of your gateway.
>
> Thank you,
> HK
--
Christoph Paasch
www.rollerbulls.be
--
* Re: icmp forward
2009-01-30 8:33 ` Michele Petrazzo - Unipex srl
@ 2009-01-30 8:53 ` Payam Chychi
2009-01-30 9:19 ` Hinko Kocevar
1 sibling, 0 replies; 13+ messages in thread
From: Payam Chychi @ 2009-01-30 8:53 UTC (permalink / raw)
To: Michele Petrazzo - Unipex srl; +Cc: Hinko Kocevar, netfilter
What Michele said is correct... this would work since you are utilizing
the prerouting / nat
Sent from my iPhone
On 30-Jan-09, at 12:33 AM, Michele Petrazzo - Unipex srl <michele.petrazzo@unipex.it> wrote:
> Hinko Kocevar wrote:
>> Hi all,
>> I'm an absolute beginner on the netfilter stuff, so please bear
>> with me here.
>> We have a device running a linux 2.6.19 kernel with iptables installed.
>> It acts as a gateway for another mobile device that connects to the
>> linux device via an irda port - ppp connection. I've managed to port
>> forward the telnet port to the mobile device with the help of this page
>> http://kreiger.linuxgods.com/kiki/?Port+forwarding+with+netfilter.
>> Our customers want to be able to ping the mobile device behind the
>> linux firewall
>> and IMHO it is not possible for ICMP packets to be forwarded since
>> it is a protocol
>> by itself (not a TCP/UDP style service).
>> Is it possible to 'port forward' ICMP requests?
>
> Sure? Looking at the first Google replies, you can find
>
> iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 10.2.1.1
>
> and so on...
>
> Or did I miss something?
>
>> Thank you,
>> HK
>
> Michele
* Re: icmp forward
2009-01-30 8:49 ` Christoph Paasch
@ 2009-01-30 9:12 ` Hinko Kocevar
2009-01-30 10:53 ` Pascal Hambourg
0 siblings, 1 reply; 13+ messages in thread
From: Hinko Kocevar @ 2009-01-30 9:12 UTC (permalink / raw)
To: Christoph Paasch; +Cc: netfilter
Christoph Paasch wrote:
> Hi,
>
> On Fri January 30 2009, Hinko Kocevar wrote:
>> Hi all,
>>
>> Is it possible to 'port forward' ICMP requests?
> You can match the protocol on ICMP packets with -p icmp and leave the port-
> specific stuff out of it, as ICMP doesn't use port numbers. But the problem will
> be that your external machine won't be reachable for icmp packets (as every
> icmp packet will get forwarded). It may be annoying if MTU or ping packets
> don't reach your machine anymore. That depends on the usage of your gateway.
>
Yes, that is what I was afraid of. I think that gateway should still remain
available for ICMP echo-reply from external network.
Thank you!
--
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@cetrtapot.si
http www.cetrtapot.si
* Re: icmp forward
2009-01-30 8:33 ` Michele Petrazzo - Unipex srl
2009-01-30 8:53 ` Payam Chychi
@ 2009-01-30 9:19 ` Hinko Kocevar
1 sibling, 0 replies; 13+ messages in thread
From: Hinko Kocevar @ 2009-01-30 9:19 UTC (permalink / raw)
To: Michele Petrazzo - Unipex srl; +Cc: netfilter
Michele Petrazzo - Unipex srl wrote:
> Hinko Kocevar wrote:
>> Hi all,
>>
>> I'm an absolute beginner on the netfilter stuff, so please bear with
>> me here.
>>
>> We have a device running a linux 2.6.19 kernel with iptables installed.
>> It acts as a gateway for another mobile device that connects to the linux
>> device via an irda port - ppp connection. I've managed to port forward the
>> telnet port to the mobile device with the help of this page
>> http://kreiger.linuxgods.com/kiki/?Port+forwarding+with+netfilter.
>> Our customers want to be able to ping the mobile device behind the
>> linux firewall
>> and IMHO it is not possible for ICMP packets to be forwarded since it
>> is a protocol
>> by itself (not a TCP/UDP style service).
>>
>>
>> Is it possible to 'port forward' ICMP requests?
>>
>
> Sure? Looking at the first Google replies, you can find
>
> iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 10.2.1.1
>
That seems to work well, but now the gateway can not reply to ICMP packets...
> and so on...
>
> Or did I miss something?
I was expecting a solution where gateway would still see the ICMP requests, too.
I guess I'll use a telnet service on the mobile device in order to check if it is
alive and NAT the port on gateway to high port number eg. 2323 -> mobile device
23.
Best regards,
Hinko
--
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@cetrtapot.si
http www.cetrtapot.si
* Re: icmp forward
2009-01-30 8:18 icmp forward Hinko Kocevar
2009-01-30 8:33 ` Michele Petrazzo - Unipex srl
2009-01-30 8:49 ` Christoph Paasch
@ 2009-01-30 9:20 ` Mart Frauenlob
2009-01-30 11:36 ` Hinko Kocevar
2 siblings, 1 reply; 13+ messages in thread
From: Mart Frauenlob @ 2009-01-30 9:20 UTC (permalink / raw)
To: netfilter
Hinko Kocevar wrote:
> Our customers want to be able to ping the mobile device behind the linux firewall
> and IMHO it is not possible for ICMP packets to be forwarded since it is a protocol
> by itself (not a TCP/UDP style service).
>
>
*clearing my throat*
TCP and UDP are protocols, not services! Many services use the TCP/UDP protocol!
TCP and UDP are very different: UDP is a connectionless protocol, as
opposed to TCP.
So ICMP is more like UDP than like TCP.
> Is it possible to 'port forward' ICMP requests?
>
First try, then cry ;-p
If you have an unused IP address on your gw, you could use that one to NAT
the ICMP, so your gateway is still reachable with ICMP.
greets
Mart
* Re: icmp forward
2009-01-30 9:12 ` Hinko Kocevar
@ 2009-01-30 10:53 ` Pascal Hambourg
2009-01-30 11:24 ` Hinko Kocevar
0 siblings, 1 reply; 13+ messages in thread
From: Pascal Hambourg @ 2009-01-30 10:53 UTC (permalink / raw)
To: netfilter
Hello,
Hinko Kocevar wrote:
> Christoph Paasch wrote:
>>
>> On Fri January 30 2009, Hinko Kocevar wrote:
>>>
>>> Is it possible to 'port forward' ICMP requests?
>>
>> You can match the protocol on ICMP packets with -p icmp and leave the port-
>> specific stuff out of it, as ICMP doesn't use port numbers. But the problem will
>> be that your external machine won't be reachable for icmp packets (as every
>> icmp packet will get forwarded). It may be annoying if MTU or ping packets
>> don't reach your machine anymore. That depends on the usage of your gateway.
>
> Yes, that is what I was afraid of. I think that gateway should still remain
> available for ICMP echo-reply from external network.
You must not be afraid of redirecting incoming ICMP replies or error
messages originally destined to the gateway to the mobile device. These
messages have the state ESTABLISHED or RELATED, while NAT rules see only
packets creating a new "connection", which have the state NEW. Even
so, you could have your DNAT rule match only the echo-request type
with the --icmp-type option. However, if you redirect ICMP echo requests
to the device, indeed you cannot ping the gateway any more on the same
external address. You need a separate address.
* Re: icmp forward
2009-01-30 10:53 ` Pascal Hambourg
@ 2009-01-30 11:24 ` Hinko Kocevar
2009-01-30 11:35 ` Hinko Kocevar
2009-01-30 11:36 ` Mart Frauenlob
0 siblings, 2 replies; 13+ messages in thread
From: Hinko Kocevar @ 2009-01-30 11:24 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Pascal Hambourg wrote:
> Hello,
>
> Hinko Kocevar wrote:
>> Christoph Paasch wrote:
>>>
>>> On Fri January 30 2009, Hinko Kocevar wrote:
>>>>
>>>> Is it possible to 'port forward' ICMP requests?
>>>
>>> You can match the protocol on ICMP packets with -p icmp and leave the
>>> port-
>>> specific stuff out of it, as ICMP doesn't use port numbers. But the
>>> problem will be that your external machine won't be reachable for
>>> icmp packets (as every icmp packet will get forwarded). It may be
>>> annoying if MTU or ping packets don't reach your machine anymore.
>>> That depends on the usage of your gateway.
>>
>> Yes, that is what I was afraid of. I think that gateway should still
>> remain
>> available for ICMP echo-reply from external network.
>
> You must not be afraid of redirecting incoming ICMP replies or error
> messages originally destined to the gateway to the mobile device. These
> messages have the state ESTABLISHED or RELATED, while NAT rules see only
> packets creating a new "connection", which have the state NEW. Even
> so, you could have your DNAT rule match only the echo-request type
> with the --icmp-type option. However, if you redirect ICMP echo requests
> to the device, indeed you cannot ping the gateway any more on the same
> external address. You need a separate address.
Not quite sure what it is all about, but is it something like:
# ifconfig eth0:1 172.31.64.121 netmask 255.255.254.0 up
And later..
# iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
# iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 10.1.1.2
.. looking at the ping replies on both external gateway IPs the results seem
to indicate that ICMP on both IPs is reaching mobile device, instead of gateway
on interface eth0:1 (172.31.64.121):
# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:16:F9:12:33:33
inet addr:172.31.64.126 Bcast:172.31.65.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20407 errors:0 dropped:0 overruns:35 frame:0
TX packets:5630 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1991148 (1.8 MiB) TX bytes:554003 (541.0 KiB)
Interrupt:17 DMA chan:1
# ifconfig eth0:1
eth0:1 Link encap:Ethernet HWaddr 00:16:F9:12:33:33
inet addr:172.31.64.121 Bcast:172.31.65.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:17 DMA chan:1
pinging both IP addresses from another LAN host produces:
64 bytes from 172.31.64.121: icmp_seq=54 ttl=64 time=1.24 ms
64 bytes from 172.31.64.121: icmp_seq=55 ttl=64 time=1.38 ms
64 bytes from 172.31.64.121: icmp_seq=56 ttl=64 time=1.29 ms
64 bytes from 172.31.64.121: icmp_seq=57 ttl=64 time=1.27 ms
^^^ here iptables rule for ICMP kick in ^^^
64 bytes from 172.31.64.121: icmp_seq=58 ttl=127 time=51.8 ms
64 bytes from 172.31.64.121: icmp_seq=59 ttl=127 time=21.4 ms
64 bytes from 172.31.64.121: icmp_seq=60 ttl=127 time=50.5 ms
64 bytes from 172.31.64.121: icmp_seq=61 ttl=127 time=20.6 ms
64 bytes from 172.31.64.126: icmp_seq=5318 ttl=64 time=1.30 ms
64 bytes from 172.31.64.126: icmp_seq=5319 ttl=64 time=1.35 ms
64 bytes from 172.31.64.126: icmp_seq=5320 ttl=64 time=1.30 ms
64 bytes from 172.31.64.126: icmp_seq=5321 ttl=64 time=1.41 ms
64 bytes from 172.31.64.126: icmp_seq=5322 ttl=64 time=1.31 ms
^^^ here iptables rule for ICMP kick in ^^^
64 bytes from 172.31.64.126: icmp_seq=5323 ttl=127 time=37.2 ms
64 bytes from 172.31.64.126: icmp_seq=5324 ttl=127 time=63.4 ms
64 bytes from 172.31.64.126: icmp_seq=5325 ttl=127 time=28.7 ms
64 bytes from 172.31.64.126: icmp_seq=5326 ttl=127 time=61.4 ms
64 bytes from 172.31.64.126: icmp_seq=5327 ttl=127 time=35.0 ms
This is not what I expected - shouldn't the request destined for eth0:1 be
answered by the gateway device?
Thank you,
Hinko
--
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@cetrtapot.si
http www.cetrtapot.si
* Re: icmp forward
2009-01-30 11:24 ` Hinko Kocevar
@ 2009-01-30 11:35 ` Hinko Kocevar
2009-01-30 11:42 ` Pascal Hambourg
2009-01-30 11:36 ` Mart Frauenlob
1 sibling, 1 reply; 13+ messages in thread
From: Hinko Kocevar @ 2009-01-30 11:35 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Hinko Kocevar wrote:
> Pascal Hambourg wrote:
>> Hello,
>>
>> Hinko Kocevar wrote:
>>> Christoph Paasch wrote:
>>>> On Fri January 30 2009, Hinko Kocevar wrote:
>>>>> Is it possible to 'port forward' ICMP requests?
>>>> You can match the protocol on ICMP packets with -p icmp and leave the
>>>> port-
>>>> specific stuff out of it, as ICMP doesn't use port numbers. But the
>>>> problem will be that your external machine won't be reachable for
>>>> icmp packets (as every icmp packet will get forwarded). It may be
>>>> annoying if MTU or ping packets don't reach your machine anymore.
>>>> That depends on the usage of your gateway.
>>> Yes, that is what I was afraid of. I think that gateway should still
>>> remain
>>> available for ICMP echo-reply from external network.
>> You must not be afraid of redirecting incoming ICMP replies or error
>> messages originally destined to the gateway to the mobile device. These
>> messages have the state ESTABLISHED or RELATED, while NAT rules see only
>> packets creating a new "connection", which have the state NEW. Even
>> so, you could have your DNAT rule match only the echo-request type
>> with the --icmp-type option. However, if you redirect ICMP echo requests
>> to the device, indeed you cannot ping the gateway any more on the same
>> external address. You need a separate address.
>
> Not quite sure what it is all about, but is it doing something like:
> # ifconfig eth0:1 172.31.64.121 netmask 255.255.254.0 up
>
> And later..
> # iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
> # iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 10.1.1.2
>
My bad, should be:
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
iptables -t nat -A PREROUTING -d 172.31.64.121 -p icmp -j DNAT --to-destination 10.1.1.2
And then pinging both IPs from a local area network host produces desired result:
Gateway:
........
64 bytes from 172.31.64.121: icmp_seq=233 ttl=64 time=1.14 ms
64 bytes from 172.31.64.121: icmp_seq=234 ttl=64 time=1.03 ms
64 bytes from 172.31.64.121: icmp_seq=235 ttl=64 time=1.03 ms
64 bytes from 172.31.64.121: icmp_seq=236 ttl=64 time=1.37 ms
64 bytes from 172.31.64.121: icmp_seq=237 ttl=64 time=1.05 ms
64 bytes from 172.31.64.121: icmp_seq=238 ttl=64 time=1.50 ms
64 bytes from 172.31.64.121: icmp_seq=239 ttl=64 time=1.05 ms
64 bytes from 172.31.64.121: icmp_seq=240 ttl=64 time=1.04 ms
Mobile device:
..............
64 bytes from 172.31.64.126: icmp_seq=236 ttl=127 time=72.0 ms
64 bytes from 172.31.64.126: icmp_seq=237 ttl=127 time=31.0 ms
64 bytes from 172.31.64.126: icmp_seq=238 ttl=127 time=51.7 ms
64 bytes from 172.31.64.126: icmp_seq=239 ttl=127 time=63.8 ms
64 bytes from 172.31.64.126: icmp_seq=240 ttl=127 time=75.2 ms
Thanks to everyone who helped!
Best regards,
Hinko
--
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@cetrtapot.si
http www.cetrtapot.si
* Re: icmp forward
2009-01-30 9:20 ` Mart Frauenlob
@ 2009-01-30 11:36 ` Hinko Kocevar
0 siblings, 0 replies; 13+ messages in thread
From: Hinko Kocevar @ 2009-01-30 11:36 UTC (permalink / raw)
To: Mart Frauenlob; +Cc: netfilter
Mart Frauenlob wrote:
> Hinko Kocevar wrote:
>> Our customers want to be able to ping the mobile device behind the
>> linux firewall
>> and IMHO it is not possible for ICMP packets to be forwarded since it
>> is a protocol
>> by itself (not a TCP/UDP style service).
>>
>>
>
> *clearing my throat*
> TCP and UDP are protocols, not services! Many services use the TCP/UDP protocol!
> TCP and UDP are very different: UDP is a connectionless protocol, as
> opposed to TCP.
>
> So ICMP is more like UDP than like TCP.
Right.
>> Is it possible to 'port forward' ICMP requests?
>>
>
> First try, then cry ;-p
>
> If you have an unused IP address on your gw, you could use that one to NAT
> the ICMP, so your gateway is still reachable with ICMP.
>
Hmm that seems like a viable solution - totally forgot about the network
interface aliasing 8).
Thanks!
--
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@cetrtapot.si
http www.cetrtapot.si
* Re: icmp forward
2009-01-30 11:24 ` Hinko Kocevar
2009-01-30 11:35 ` Hinko Kocevar
@ 2009-01-30 11:36 ` Mart Frauenlob
1 sibling, 0 replies; 13+ messages in thread
From: Mart Frauenlob @ 2009-01-30 11:36 UTC (permalink / raw)
To: netfilter
Hinko Kocevar wrote:
> Pascal Hambourg wrote:
>
>> Hello,
>>
>> Hinko Kocevar wrote:
>>
>>> Christoph Paasch wrote:
>>>
>>>> On Fri January 30 2009, Hinko Kocevar wrote:
>>>>
>>>>> Is it possible to 'port forward' ICMP requests?
>>>>>
>>>> You can match the protocol on ICMP packets with -p icmp and leave the
>>>> port-
>>>> specific stuff out of it, as ICMP doesn't use port numbers. But the
>>>> problem will be that your external machine won't be reachable for
>>>> icmp packets (as every icmp packet will get forwarded). It may be
>>>> annoying if MTU or ping packets don't reach your machine anymore.
>>>> That depends on the usage of your gateway.
>>>>
>>> Yes, that is what I was afraid of. I think that gateway should still
>>> remain
>>> available for ICMP echo-reply from external network.
>>>
>> You must not be afraid of redirecting incoming ICMP replies or error
>> messages originally destined to the gateway to the mobile device. These
>> messages have the state ESTABLISHED or RELATED, while NAT rules see only
>> packets creating a new "connection", which have the state NEW. Even
>> so, you could have your DNAT rule match only the echo-request type
>> with the --icmp-type option. However, if you redirect ICMP echo requests
>> to the device, indeed you cannot ping the gateway any more on the same
>> external address. You need a separate address.
>>
>
> Not quite sure what it is all about, but is it doing something like:
> # ifconfig eth0:1 172.31.64.121 netmask 255.255.254.0 up
>
> And later..
> # iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
> # iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 10.1.1.2
>
>
try:
iptables -t nat -A PREROUTING -i eth0 -d 172.31.64.121 -p icmp -j DNAT --to-destination 10.1.1.2
> This is not what I expected - shouldn't the request destined for eth0:1 be
> answered by the gateway device?
>
* Re: icmp forward
2009-01-30 11:35 ` Hinko Kocevar
@ 2009-01-30 11:42 ` Pascal Hambourg
0 siblings, 0 replies; 13+ messages in thread
From: Pascal Hambourg @ 2009-01-30 11:42 UTC (permalink / raw)
To: Hinko Kocevar; +Cc: netfilter
Hinko Kocevar wrote:
>
> My bad, should be:
> iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
> iptables -t nat -A PREROUTING -d 172.31.64.121 -p icmp -j DNAT --to-destination 10.1.1.2
Actually both rules should contain "--icmp-type echo-request", as you
want to redirect only the ICMP echo request type (aka ping).
However, I'm wondering... It seems the gateway has private addresses on
both sides, so why do you bother with NAT? Why not just ping the actual
device address 10.1.1.2 instead?
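Two points in the thread are worth seeing run: Pascal's explanation that nat/PREROUTING only ever sees the packet that opens a NEW flow, so echo replies and ICMP errors come back as ESTABLISHED or RELATED and are never "re-forwarded" to the device, and Hinko's two rules (the `-i eth0 -p icmp` rule that redirected pings to both 172.31.64.126 and 172.31.64.121, then the `-d 172.31.64.121` rule, with Pascal's note that both rules want `--icmp-type echo-request`). The Python below is an added example written for this page; it is not code from the netfilter project or from any of the posters. It parses real ICMPv4 echo and destination-unreachable messages (with checksum), tracks flows by (src, dst, echo id) the way nf_conntrack does for ICMP, evaluates the nat rules only for NEW packets and reverse-maps replies and errors. The addresses 172.31.64.126, 172.31.64.121 and 10.1.1.2 are the thread's; the pinging host 172.31.64.50, the interface names eth0/ppp0 and a FORWARD chain that accepts only echo-request plus ESTABLISHED,RELATED traffic are assumptions made for the example.

```python
"""ICMP conntrack + DNAT model for the thread's rules.  Added example, not code
from the netfilter project or the posters; 172.31.64.126/.121 and 10.1.1.2 are
the thread's addresses, CLIENT, the ifaces and the FORWARD policy are assumed."""
import struct
from collections import namedtuple

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIMESTAMP = 0, 3, 8, 13
Packet = namedtuple("Packet", "iface src dst icmp")   # icmp: raw ICMPv4 bytes

def checksum(data):
    """RFC 1071 one's-complement sum; 0 over a correctly checksummed message."""
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp(kind, code=0, ident=0, seq=0, payload=b""):
    """Build an ICMPv4 message (RFC 792 layout) with a valid checksum."""
    head = struct.pack("!BBHHH", kind, code, 0, ident, seq)
    return struct.pack("!BBHHH", kind, code, checksum(head + payload), ident, seq) + payload

def icmp_error(kind, code, quoted):
    """ICMP error quoting (src, dst, icmp bytes): inner IPv4 header + 8 bytes of it."""
    src, dst, inner = quoted
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, 1, 0, ip4(src), ip4(dst))
    return icmp(kind, code, payload=ip + inner[:8])

def parse(data):
    """Decode type/code/id/seq; for errors also recover the quoted (src, dst, id)."""
    kind, code, _, ident, seq = struct.unpack("!BBHHH", data[:8])
    if checksum(data) != 0: raise ValueError("bad ICMP checksum")
    msg = {"type": kind, "code": code, "id": ident, "seq": seq}
    if kind == DEST_UNREACH:
        inner = data[8:]   # 20-byte IPv4 header, then the quoted ICMP header
        msg["quoted"] = (".".join(map(str, inner[12:16])), ".".join(map(str, inner[16:20])),
                         struct.unpack("!H", inner[24:26])[0])
    return msg

class Gateway:
    """PREROUTING -> conntrack -> nat -> routing -> INPUT/FORWARD, ICMP only."""
    def __init__(self, local_addrs, nat_rules):
        self.local = set(local_addrs)
        self.nat_rules = nat_rules   # (in_iface|None, dst|None, icmp_type|None, to)
        self.flows = {}              # conntrack: both tuples of a flow -> flow record
    def _lookup(self, key, msg):
        if key in self.flows:
            return "ESTABLISHED", self.flows[key]
        if "quoted" in msg:          # error: invert the quoted tuple, as nf_conntrack does
            qsrc, qdst, qid = msg["quoted"]
            if (qdst, qsrc, qid) in self.flows:
                return "RELATED", self.flows[(qdst, qsrc, qid)]
        return "NEW", None
    def handle(self, pkt):
        msg = parse(pkt.icmp)
        key = (pkt.src, pkt.dst, msg["id"])
        state, flow = self._lookup(key, msg)
        src, dst = pkt.src, pkt.dst
        if state == "NEW":           # nat/PREROUTING sees only a flow's first packet
            to = next((r[3] for r in self.nat_rules if r[0] in (None, pkt.iface)
                       and r[1] in (None, dst) and r[2] in (None, msg["type"])), dst)
            flow = {"orig_dst": dst, "nat_dst": to, "reply": (to, src, msg["id"])}
            self.flows[key] = self.flows[flow["reply"]] = flow
            dst = to
        elif state == "ESTABLISHED" and key == flow["reply"]:
            src = flow["orig_dst"]   # reply from the NATed host: undo the DNAT
        elif state == "ESTABLISHED":
            dst = flow["nat_dst"]    # later requests of the flow reuse the mapping
        elif src == flow["nat_dst"]:
            src = flow["orig_dst"]   # RELATED error from the NATed host
        chain = "INPUT" if dst in self.local else "FORWARD"
        if chain == "FORWARD" and state == "NEW" and msg["type"] != ECHO_REQUEST:
            chain = "DROP"           # assumed FORWARD policy: echo-request + ESTABLISHED,RELATED
        return {"state": state, "chain": chain, "src": src, "dst": dst}

GW_MAIN, GW_ALIAS, MOBILE, CLIENT = "172.31.64.126", "172.31.64.121", "10.1.1.2", "172.31.64.50"
# -i eth0 -p icmp -j DNAT --to-destination 10.1.1.2   (first attempt: no -d, no type)
WRONG_RULE = [("eth0", None, None, MOBILE)]
# -i eth0 -d 172.31.64.121 -p icmp --icmp-type echo-request -j DNAT --to-destination 10.1.1.2
FIXED_RULE = [("eth0", GW_ALIAS, ECHO_REQUEST, MOBILE)]

def ping_path(rules, target, kind=ECHO_REQUEST, ident=0x2A):
    """(chain, dst after NAT, (reply state, reply src after reverse NAT) or None)."""
    gw = Gateway([GW_MAIN, GW_ALIAS], rules)
    req = gw.handle(Packet("eth0", CLIENT, target, icmp(kind, ident=ident, seq=1)))
    if req["chain"] != "FORWARD":
        return req["chain"], req["dst"], None
    rep = gw.handle(Packet("ppp0", req["dst"], CLIENT, icmp(ECHO_REPLY, ident=ident, seq=1)))
    return req["chain"], req["dst"], (rep["state"], rep["src"])

def error_path(rules, ident=0x2A):
    """A dest-unreachable from the mobile side quoting a forwarded ping is RELATED."""
    gw = Gateway([GW_MAIN, GW_ALIAS], rules)
    req = gw.handle(Packet("eth0", CLIENT, GW_ALIAS, icmp(ECHO_REQUEST, ident=ident, seq=1)))
    quoted = (CLIENT, req["dst"], icmp(ECHO_REQUEST, ident=ident, seq=1))
    err = gw.handle(Packet("ppp0", req["dst"], CLIENT, icmp_error(DEST_UNREACH, 1, quoted)))
    return err["state"], err["chain"], err["src"]
```

`ping_path(WRONG_RULE, GW_MAIN)` reproduces the ttl=127 replies Hinko saw on both addresses: without `-d`, every NEW ICMP flow entering eth0 is redirected. With `FIXED_RULE` only 172.31.64.121 is redirected, a timestamp request to it stays local because the type does not match, and an echo reply or a destination-unreachable from 10.1.1.2 comes back as ESTABLISHED or RELATED with its source rewritten to 172.31.64.121 without the NAT rules being consulted again. One caveat the thread's rules leave implicit: the FORWARD rule accepts only echo-request, so the replies travelling ppp -> eth0 rely on an ACCEPT policy; with a DROP policy you also need `-m state --state ESTABLISHED,RELATED -j ACCEPT`, which is what the model's DROP verdict stands in for.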