From: Ray Leach <spoons@rchq.co.za>
To: Martijn Lievaart <m@rtij.nl>
Cc: Jordan Russell <jr-list-2007@quo.to>, netfilter@lists.netfilter.org
Subject: Re: ICMP packets associated with NAT connections sent out wrong interface?
Date: Wed, 27 Jun 2007 13:44:10 +0200
Message-ID: <1182944650.6183.17.camel@ray-linux.internal>
In-Reply-To: <46819191.10808@rtij.nl>

On Wed, 2007-06-27 at 00:22 +0200, Martijn Lievaart wrote:
> Jordan Russell wrote:
> > Hi,
> >
> > My machine is functioning as a NAT box. It has two NICs:
> > - eth0, connected to the LAN, IP address 192.168.0.1
> > - eth1, connected to the Internet, IP address 123.23.23.23
> >
> > In the OUTPUT chain, I accept packets sent out eth0 with a destination
> > address of 192.168.0.x. Any packets sent out other interfaces with a
> > destination address of 192.168.0.x are logged and dropped:
> >
> > -A OUTPUT -d 192.168.0.0/24 -o eth0 -j ACCEPT
> > -A OUTPUT -d 192.168.0.0/24 -j LOG '[outdrop] '
> > -A OUTPUT -d 192.168.0.0/24 -j DROP
> >
> > In kernel 2.6.19 and earlier, the LOG & DROP rules never matched
> > anything, just as expected.
> >
> > With 2.6.20.12 and 2.6.21.5, however, they occasionally catch "ICMP
> > TYPE=3 CODE=3" packets going out eth1. Example:
> >
> > [outdrop] IN= OUT=eth1 SRC=123.23.23.23 DST=192.168.0.4 LEN=68 TOS=0x00
> > PREC=0xC0 TTL=64 ID=61136 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.4
> > DST=123.23.23.23 LEN=40 TOS=0x00 PREC=0x20 TTL=53 ID=16088 PROTO=TCP
> > SPT=1229 DPT=44851 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 ]
> >
>
> That's a port unreachable message, seemingly coming from the outside, in
> response to a RST coming from the inside. That in itself is not very
> usual, but it can happen.
>
> This packet going out the wrong interface seems like a pretty serious
> bug. I advise you to repost on the netfilter-devel list, there are many
> more people there that are really into this. However, this may be a bug
> in the network code, not the netfilter code. Or something else completely.
>
>
> HTH,
> M4
>
Doesn't seem like a bug ...
The port unreachable ICMP reply is coming from your machine in response
to a packet coming in eth1 trying to get to 192.168.0.x ...
You have just denied the echo replies by your DROP rule.
--
--------------------------------------------------
Raymond Leach (spoons@rchq.co.za)
RCHQ Hobbies cc Web: http://www.rchq.co.za/
Tel: +27 82 575 6975 Fax: +27 86 652 2773
"No matter where you go, there you are ..."
--------------------------------------------------
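The LOG line quoted in the thread, parsed into its outer IP header and the embedded original packet that an ICMP type 3 error quotes, so the condition the OUTPUT rules are catching (a 192.168.0.0/24 destination leaving via eth1) can be checked mechanically across a log file. This is an added example, not code from any poster; the sample line, LAN_NET and LAN_IF come from the quoted setup, and the finding names are my own.

```python
import ipaddress
import re

# Constructed sample: the iptables LOG line quoted in the thread, re-joined onto one line.
SAMPLE_LOG = (
    "[outdrop] IN= OUT=eth1 SRC=123.23.23.23 DST=192.168.0.4 LEN=68 TOS=0x00 "
    "PREC=0xC0 TTL=64 ID=61136 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.4 "
    "DST=123.23.23.23 LEN=40 TOS=0x00 PREC=0x20 TTL=53 ID=16088 PROTO=TCP "
    "SPT=1229 DPT=44851 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 ]"
)

LAN_NET = ipaddress.ip_network("192.168.0.0/24")  # from the poster's setup
LAN_IF = "eth0"                                   # only interface allowed for LAN_NET

FIELD_RE = re.compile(r"(\w+)=(\S*)")
INNER_RE = re.compile(r"\[(SRC=.*?)\]\s*$")  # ICMP error's embedded original header


def parse_log_line(line):
    """Split an iptables LOG line into the outer IP header fields and, for ICMP
    errors, the fields of the embedded original packet (the part in [...])."""
    m = INNER_RE.search(line)
    inner_text = m.group(1) if m else ""
    outer_text = line[:m.start()] if m else line
    outer = dict(FIELD_RE.findall(outer_text))
    inner = dict(FIELD_RE.findall(inner_text))
    # TCP flag words (ACK, RST, FIN, ...) carry no '=', so collect them separately.
    inner["FLAGS"] = [t for t in inner_text.split() if "=" not in t and t.isupper()]
    return outer, inner


def classify(outer, inner):
    """Name the conditions that explain why this packet matched the OUTPUT rules."""
    findings = []
    dst = ipaddress.ip_address(outer.get("DST", "0.0.0.0"))
    if dst in LAN_NET and outer.get("OUT") != LAN_IF:
        findings.append("lan-destination-leaving-via-" + outer.get("OUT", "?"))
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "3" and outer.get("CODE") == "3":
        findings.append("icmp-port-unreachable")
        # An ICMP error is addressed to the source of the datagram it quotes,
        # so the outer DST should mirror the inner SRC (and outer SRC the inner DST).
        if inner.get("SRC") == outer.get("DST") and inner.get("DST") == outer.get("SRC"):
            findings.append("error-addressed-to-quoted-source")
        if "RST" in inner.get("FLAGS", []):
            findings.append("error-quotes-a-tcp-rst")
    return findings


def check_line(line):
    return classify(*parse_log_line(line))


if __name__ == "__main__":
    for finding in check_line(SAMPLE_LOG):
        print(finding)
```

Feed it each `[outdrop]` line from the kernel log; a line that names an interface other than eth0 in the first finding is exactly the case the thread is discussing.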