Re: SNAT of ICMP fragmentation-nee

Re: SNAT of ICMP fragmentation-nee

[Antony Stone]

On Monday 10 June 2002 12:45 pm, jakub@angel.cz wrote:

> :) this is really not the problem, now I am logging all packets, no adress
>
> specification ;)
>
> -A POSTROUTING -p icmp -m icmp --icmp-type 3/4 -j LOG --log-prefix "icmp
> SNAT POST "

Hmmm.   Okay - this is beyond my understanding of netfilter - can anyone else 
suggest why icmp packets going through the machine would get logged and 
processed by PREROUTING and FORWARD but not by POSTROUTING ?


Antony.

SNAT of ICMP fragmentation-nee

[Hard__warE]

> iptables -I POSTROUTING  -t nat -p icmp --icmp-type \
> fragmentation-needed -j LOG --log-prefix "icmp SNAT POST "
>
> iptables -I PREROUTING -t mangle  -p icmp --icmp-type \
> fragmentation-needed -j LOG --log-prefix "icmp SNAT PRE "
>

do you need to log all interfaces / chains

or a particular adapter ????

ok have you tried using this instead

$IPTABLES -t nat -A POSTROUTING -p icmp --icmp-type \
fragmentation-needed -j LOG --log-prefix "icmp SNAT POST "

$IPTABLES -t nat -A PREROUTING -p icmp --icmp-type \
fragmentation-needed -j LOG --log-prefix "icmp SNAT PRE "

....

oh and this one is for

Antony Stone ... :D ... Gday ..

>Hmmm.   Okay - this is beyond my understanding of netfilter - can anyone
else
>suggest why icmp packets going through the machine would get logged and
>processed by PREROUTING and FORWARD but not by POSTROUTING ?

i have tested this with ICMP and it iz very true ...

It seems as if the IPtables Box handles the actuall ICMP traffic locally

So a box on the local lan can ping someone on the net and in your

POSTROUTING Stage the packets arnt logged ...

packets may flow through the actuall Theroy of Prerouting ---> Forward -->
Postrouting

and actually not go through the Postrouting stage ...

I found by using IP alias's and a few modifications to your IPTables script
you can acheive alot of

things that are thought to be not possible .... :D .. hehhe

Re: SNAT of ICMP fragmentation-nee

[Ramin Alidousti]

On Mon, Jun 10, 2002 at 01:18:12PM +0100, Antony Stone wrote:

> On Monday 10 June 2002 12:45 pm, jakub@angel.cz wrote:
> 
> > :) this is really not the problem, now I am logging all packets, no adress
> >
> > specification ;)
> >
> > -A POSTROUTING -p icmp -m icmp --icmp-type 3/4 -j LOG --log-prefix "icmp
> > SNAT POST "
> 
> Hmmm.   Okay - this is beyond my understanding of netfilter - can anyone else 
> suggest why icmp packets going through the machine would get logged and 
> processed by PREROUTING and FORWARD but not by POSTROUTING ?

Is it not because of the fact that the very first packet of a conn
would go through the whole nat rule set and as soon as a rule is
matched and a conn has been set up, the subsequent packets of that
conn would not go through the whole rule set but get natted and
de-natted by that entry? I thought I read this somewhere...

So, if you also had a DNAT for that conn in PREROUTING, after the
first initial packet (which sets up the dnat entry), no other packet
of that conn would scan through the PREROUTING rule set including
the LOG rule...

However, the filter table is always consulted for each and every
packet, that's why you see the LOG in the FORWARD chain...

Ramin

> Antony.

Re: SNAT of ICMP fragmentation-nee

[Antony Stone]

On Monday 10 June 2002 3:52 pm, Ramin Alidousti wrote:

> On Mon, Jun 10, 2002 at 01:18:12PM +0100, Antony Stone wrote:

> > Hmmm.   Okay - this is beyond my understanding of netfilter - can anyone
> > else suggest why icmp packets going through the machine would get logged
> > and processed by PREROUTING and FORWARD but not by POSTROUTING ?

> Is it not because of the fact that the very first packet of a conn
> would go through the whole nat rule set and as soon as a rule is
> matched and a conn has been set up, the subsequent packets of that
> conn would not go through the whole rule set but get natted and
> de-natted by that entry? I thought I read this somewhere...
>
> So, if you also had a DNAT for that conn in PREROUTING, after the
> first initial packet (which sets up the dnat entry), no other packet
> of that conn would scan through the PREROUTING rule set including
> the LOG rule...
>
> However, the filter table is always consulted for each and every
> packet, that's why you see the LOG in the FORWARD chain...

I see what you're saying here, Ramin - basically anything which is being 
'automatically' de-NATted because of an entry in the conntracking table 
doesn't go through the ruleset because (a) that's inefficient, and (b) it 
might do something which messes up the automatic de-NATting itself.

However, it seems like a bit of a 'gotcha' which should be better documented, 
if you can't LOG any packet you want to, at every stage as it makes its way 
through your machine...?

 

Antony.

Re: SNAT of ICMP fragmentation-nee

[Jack Bowling]

** Reply to message from Antony Stone <Antony@Soft-Solutions.co.uk> on Mon, 10 Jun 2002 13:18:12 +0100


> On Monday 10 June 2002 12:45 pm, jakub@angel.cz wrote:
> 
> > :) this is really not the problem, now I am logging all packets, no adress
> >
> > specification ;)
> >
> > -A POSTROUTING -p icmp -m icmp --icmp-type 3/4 -j LOG --log-prefix "icmp
> > SNAT POST "
> 
> Hmmm.   Okay - this is beyond my understanding of netfilter - can anyone else 
> suggest why icmp packets going through the machine would get logged and 
> processed by PREROUTING and FORWARD but not by POSTROUTING ?

Wouldn't hurt to add the interface(s).

jb

-- 
Jack Bowling
mailto: jbinpg@shaw.ca

Re: SNAT of ICMP fragmentation-nee

[Ramin Alidousti]

On Mon, Jun 10, 2002 at 09:06:41AM -0700, Jack Bowling wrote:

> ** Reply to message from Antony Stone <Antony@Soft-Solutions.co.uk> on Mon, 10 Jun 2002 13:18:12 +0100
> 
> 
> > On Monday 10 June 2002 12:45 pm, jakub@angel.cz wrote:
> > 
> > > :) this is really not the problem, now I am logging all packets, no adress
> > >
> > > specification ;)
> > >
> > > -A POSTROUTING -p icmp -m icmp --icmp-type 3/4 -j LOG --log-prefix "icmp
> > > SNAT POST "
> > 
> > Hmmm.   Okay - this is beyond my understanding of netfilter - can anyone else 
> > suggest why icmp packets going through the machine would get logged and 
> > processed by PREROUTING and FORWARD but not by POSTROUTING ?
> 
> Wouldn't hurt to add the interface(s).

Absolutely!! You omit the -i/-o switches only when you _really_
don't care about the direction of the packet flow.

Ramin

> jb
> 
> -- 
> Jack Bowling
> mailto: jbinpg@shaw.ca