Linux Netfilter discussions
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: [ICMP] Related ICMP packets are marked INVALID
Date: Thu, 31 Jan 2008 20:39:16 +0100	[thread overview]
Message-ID: <47A223E4.1090900@plouf.fr.eu.org> (raw)
In-Reply-To: <200801311413.31466.markus@lanai.no-ip.com>

Hello,

Markus Torstensson wrote:
> 
> I wonder why all incoming ICMP packets keep being classified as INVALID when
> they really are RELATED (at least according to me!). 
> 
> Here's the interesting part of my setup (generated by fwbuilder)
> 
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -p icmp -m icmp --icmp-type any -m state --state INVALID -j In_RULE_5
> -A INPUT -i eth1 -p icmp -m icmp --icmp-type any -m state --state RELATED -j In_RULE_6

The third rule will never be triggered because the first rule has 
already accepted all packets in the RELATED state. No wonder why the 
count is 0.

> Jan 31 13:47:15 lanai kernel: ICMP invalidIN=eth1 OUT= MAC=00:e0:18:5b:e9:bd:00:0f:90:3a:13:80:08:00 SRC=24.138.53.128 DST=90.228.193.140 LEN=88 TOS=0x00 PREC=0x20 TTL=50 ID=33531 PROTO=ICMP TYPE=3 CODE=1 [SRC=90.228.193.140 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=17900 DF PROTO=TCP SPT=47612 DPT=51413 WINDOW=5840 RES=0x00 SYN URGP=0 ]

You (90.228.193.140) tried to connect to 24.138.53.128 on port 51413, 
which seems to be a router with a NAT redirection to private address 
192.168.2.2. But host 192.168.2.2 seems to be down (no reply to ARP 
request), so router 24.138.53.128 sends you back an ICMP "host 
unreachable" error message containing the header of the packet which 
triggered the error (with final destination 192.168.2.2) to help 
tracking the error. However its NAT is broken and fails to translate the 
final destination address 192.168.2.2 back to the original destination 
address 24.138.53.128. Since your connection tracking has no track of 
any connection to 192.168.2.2, it classifies the ICMP packet as INVALID. 
Your conntrack is right, the other side is broken.

> I've been looking at this issue for a while, and everyone keeps telling me 
> that I should append a stateless rule to let icmp 3 and 11 through, but why 
> should I?

They are wrong, you should not.
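The following is an added example, not part of the thread or of the netfilter code base. It models the decision Pascal describes: conntrack takes the header embedded in an ICMP error, builds the 5-tuple of the packet that triggered it, and looks that tuple up in its table; a hit is RELATED, a miss is INVALID. It parses the quoted LOG line (re-joined onto one line and embedded here as constructed sample input), uses a constructed one-entry conntrack table holding the outbound SYN to 24.138.53.128:51413, and shows that the un-translated inner destination 192.168.2.2 cannot match, while the same error with the inner destination translated back to 24.138.53.128 would. It also walks the three quoted INPUT rules in order to show why the RELATED-only third rule never fires. The tuple matching is a deliberate simplification of the kernel's ICMP error handling, and the names `parse_log`, `classify_icmp` and `first_matching_rule` are this example's own.

```python
import re

# Constructed sample input: the kernel LOG line quoted in this thread,
# re-joined onto one line (the mail client had wrapped it).
LOG_LINE = (
    "Jan 31 13:47:15 lanai kernel: ICMP invalidIN=eth1 OUT= "
    "MAC=00:e0:18:5b:e9:bd:00:0f:90:3a:13:80:08:00 SRC=24.138.53.128 "
    "DST=90.228.193.140 LEN=88 TOS=0x00 PREC=0x20 TTL=50 ID=33531 PROTO=ICMP "
    "TYPE=3 CODE=1 [SRC=90.228.193.140 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=49 ID=17900 DF PROTO=TCP SPT=47612 DPT=51413 WINDOW=5840 RES=0x00 SYN "
    "URGP=0 ]"
)

# Constructed conntrack table: the one connection this host had opened,
# stored in its original direction as (proto, src, sport, dst, dport).
CONNTRACK = {
    ("TCP", "90.228.193.140", 47612, "24.138.53.128", 51413),
}

# ICMP types that carry an embedded IP header: dest unreachable, source
# quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

# KEY=value fields as the netfilter LOG target writes them.
KV = re.compile(r"([A-Z]+)=(\S*)")


def parse_log(line):
    """Split a netfilter LOG line into the outer packet's fields and the
    embedded header (the part in [...]) that an ICMP error carries."""
    m = re.search(r"\[(.*)\]", line)
    outer_txt = line[: m.start()] if m else line
    inner_txt = m.group(1) if m else ""
    return dict(KV.findall(outer_txt)), dict(KV.findall(inner_txt))


def inner_tuple(inner):
    """5-tuple of the packet that triggered the ICMP error."""
    return (
        inner["PROTO"],
        inner["SRC"],
        int(inner["SPT"]),
        inner["DST"],
        int(inner["DPT"]),
    )


def classify_icmp(outer, inner, conntrack):
    """Simplified conntrack decision for an incoming ICMP error: RELATED when
    the embedded header matches a tracked connection in either direction,
    INVALID otherwise. Non-error ICMP (echo etc.) is outside this example."""
    if outer.get("PROTO") != "ICMP" or int(outer.get("TYPE", -1)) not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    if inner.get("PROTO") not in ("TCP", "UDP"):
        return "INVALID"  # nothing to look up
    proto, src, sport, dst, dport = inner_tuple(inner)
    forward = (proto, src, sport, dst, dport)
    reply = (proto, dst, dport, src, sport)
    return "RELATED" if forward in conntrack or reply in conntrack else "INVALID"


# The three INPUT rules quoted in the thread, in chain order:
# (target, set of --state values the rule matches).
INPUT_RULES = [
    ("ACCEPT", {"RELATED", "ESTABLISHED"}),
    ("In_RULE_5", {"INVALID"}),
    ("In_RULE_6", {"RELATED"}),
]


def first_matching_rule(state, rules):
    """Target of the first rule whose state set contains `state`, the way the
    INPUT chain is walked top to bottom; 'policy' if nothing matches."""
    for target, states in rules:
        if state in states:
            return target
    return "policy"


if __name__ == "__main__":
    outer, inner = parse_log(LOG_LINE)
    print("embedded header:", inner_tuple(inner))
    state = classify_icmp(outer, inner, CONNTRACK)
    print("as received (inner DST still 192.168.2.2):", state,
          "-> handled by", first_matching_rule(state, INPUT_RULES))
    # What a correct NAT router would have sent: inner DST translated back.
    repaired = dict(inner, DST="24.138.53.128")
    state = classify_icmp(outer, repaired, CONNTRACK)
    print("with inner DST translated back:", state,
          "-> handled by", first_matching_rule(state, INPUT_RULES))
```

Run as-is it prints INVALID for the logged packet and RELATED for the repaired one, and shows the repaired packet being consumed by the first ACCEPT rule, so `In_RULE_6` never sees it.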

Thread overview: 2+ messages
2008-01-31 13:13 [ICMP] Related ICMP packets are marked INVALID Markus Torstensson
2008-01-31 19:39 ` Pascal Hambourg [this message]
