From mboxrd@z Thu Jan 1 00:00:00 1970
From: urgrue
Subject: peculiar netfilter behaviour
Date: Thu, 16 Jan 2003 11:55:13 +0200
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <20030116095513.GA10056@fede2.tumsan.fi>
Mime-Version: 1.0
Content-Transfer-Encoding: 7BIT
Return-path:
Content-Disposition: inline
List-Id:
Content-Type: text/plain; charset="us-ascii";
To: linux-admin@vger.kernel.org

Here's what happens: I trace from my box A to address B. A router on the way NATs the destination into Z. The next router (X) sends back a TTL exceeded message (i.e. from X to A, TTL exceeded), just as it should. However, this TTL exceeded message is being NATted! The router that NATs is converting X into B??? Why on earth is this? It's definitely not my NAT rules. I can only assume it has something to do with statefulness. A bug or a feature?

In more detail, my NATting router:

Chain PREROUTING (policy ACCEPT)
DNAT       all  --  0.0.0.0/0            address B            to:address Z

Chain POSTROUTING (policy ACCEPT)
SNAT       all  --  address Z            0.0.0.0/0            to:address B

So trace shows:

traceroute to
from
, 30 hops max, 40 byte packets
 1   4 ms  4 ms  4 ms
 2   4 ms  4 ms  4 ms
 3  * * *
 4

In fact nr. 2 is NOT from B, as B isn't even on. With tcpdump I can see that that mysterious number 2 packet is in fact originally "from X to A" and after it passes my NATting router it is converted into "from Z to A".

Any help on how to get around this undesired behaviour is appreciated.

urgrue
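The following is an added example, not part of the post above and not netfilter's code. It models the mechanism a stateful NAT uses on ICMP errors: the error is matched against the connection table using the IP header quoted inside the ICMP payload, not the error's own outer addresses, and the reverse-direction translation is then applied. The model reproduces what the post reports for the DNAT rule B -> Z: the quoted header has its destination restored to B, and the outer source is rewritten to B as if the error were a reply from the translated host, so the real sender X no longer appears. The addresses A, B, Z and X, the UDP probe, and the class and function names are constructed placeholders; the traceroute addresses in the post are not known.

```python
"""Model of a stateful NAT rewriting an ICMP error that belongs to a
translated flow.  Added illustration, not netfilter's code.  Addresses
are constructed placeholders for the post's A, B, Z and X."""
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_TIME_EXCEEDED = 11

A, B, Z, X = "10.0.0.2", "192.0.2.10", "10.9.9.9", "198.51.100.1"  # constructed


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                                proto, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)


def parse_ipv4(buf: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"ihl": (f[0] & 0x0F) * 4, "proto": f[6],
            "src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9]))}


def rewrite_addrs(pkt: bytes, src: str = None, dst: str = None) -> bytes:
    """Patch src/dst of the IPv4 header at the start of pkt and fix its checksum."""
    h = bytearray(pkt[:20])
    if src:
        h[12:16] = ipaddress.IPv4Address(src).packed
    if dst:
        h[16:20] = ipaddress.IPv4Address(dst).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def icmp_time_exceeded(router: str, victim: str, offending: bytes) -> bytes:
    """ICMP type 11 / code 0 quoting the offending IP header plus 8 bytes."""
    body = bytearray(struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + offending[:28])
    body[2:4] = struct.pack("!H", checksum(bytes(body)))
    return ipv4_header(router, victim, IPPROTO_ICMP, len(body)) + bytes(body)


class StatefulNat:
    """One DNAT rule (public_dst -> real_dst) plus the connection table it fills."""

    def __init__(self, public_dst: str, real_dst: str):
        self.public_dst, self.real_dst = public_dst, real_dst
        self.conntrack = {}  # (src, translated dst, proto) -> pre-NAT dst

    def forward(self, pkt: bytes) -> bytes:
        """PREROUTING DNAT for packets addressed to public_dst; records the flow."""
        h = parse_ipv4(pkt)
        if h["dst"] != self.public_dst:
            return pkt
        self.conntrack[(h["src"], self.real_dst, h["proto"])] = self.public_dst
        return rewrite_addrs(pkt, dst=self.real_dst)

    def reverse(self, pkt: bytes) -> bytes:
        """Reply path: an ICMP error is looked up by the header it quotes, not by
        its own addresses; an error for an unknown flow passes through untouched."""
        outer = parse_ipv4(pkt)
        if outer["proto"] != IPPROTO_ICMP:
            return pkt  # ordinary (non-error) replies are not modelled here
        icmp = pkt[outer["ihl"]:]
        if icmp[0] != ICMP_TIME_EXCEEDED:
            return pkt
        inner = parse_ipv4(icmp[8:])
        pre_nat_dst = self.conntrack.get((inner["src"], inner["dst"], inner["proto"]))
        if pre_nat_dst is None:
            return pkt
        # 1. Undo the DNAT inside the quoted header so A recognises its own probe to B.
        body = bytearray(icmp[:8] + rewrite_addrs(icmp[8:], dst=pre_nat_dst))
        body[2:4] = b"\x00\x00"
        body[2:4] = struct.pack("!H", checksum(bytes(body)))
        # 2. The effect the post describes: the outer header gets the reply-direction
        #    translation (source -> B) although its real source is the router X.
        return rewrite_addrs(pkt[:outer["ihl"]], src=pre_nat_dst) + bytes(body)


def trace_hop(ttl: int) -> dict:
    """A's UDP probe with a small TTL expires at X, one hop beyond the NAT box."""
    nat = StatefulNat(B, Z)
    probe = ipv4_header(A, B, IPPROTO_UDP, 8, ttl=ttl) + bytes(8)
    on_the_wire = nat.forward(probe)               # A -> Z after DNAT
    error = icmp_time_exceeded(X, A, on_the_wire)  # X -> A, quoting A -> Z
    seen_by_a = nat.reverse(error)
    return {"before": parse_ipv4(error)["src"], "after": parse_ipv4(seen_by_a)["src"],
            "quoted_dst": parse_ipv4(seen_by_a[28:])["dst"],
            "valid": checksum(seen_by_a[:20]) == 0}


if __name__ == "__main__":
    print(trace_hop(2))
```

The lookup key is the point: because the quoted inner header (A -> Z) matches the DNAT connection, the error is treated as belonging to that flow, and the router's own source address never enters the decision. Rewriting the quoted header back to B is what lets A's traceroute pair the error with the probe it sent; rewriting the outer source as well is the part the post objects to.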