[Bug 34] New: Redirecting udp packets to closed port gives bad icmp error

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Sat, 01 Feb 2003 20:10:12 +0100


https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=34

           Summary: Redirecting udp packets to closed port gives bad icmp
                    error
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: i386
        OS/Version: RedHat Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ip_tables (kernel)
        AssignedTo: laforge@netfilter.org
        ReportedBy: nfudd-netfilter-org@speed-test.net
                CC: netfilter-buglog@lists.netfilter.org


As there is no way to say 'reject' or 'mark' in the prerouting table of nat, I
use 'redirect' to send unwanted packets to a closed port.

In this example, I've redirected all udp packets except port 53 to port 1.
When a packet comes in for ntp (for example), I expect the icmp error message to
say 'port 111 unreachable', but instead it says 'port 1 unreachable'.  Also, the
icmp error is from the wrong ip address.

Tcpdump output:
11:00:04.833119 10.10.12.237.ntp > 11.11.11.11.ntp:  v4 client strat 0 poll 4 prec -6 (DF)
11:00:04.835416 11.11.11.11 > 10.10.12.237: icmp: 10.10.12.1 udp port tcpmux unreachable [tos 0xc0]

(10.10.12.237 is the client machine, 10.10.12.1 is the iptables firewall,
11.11.11.11 is a time server)

I'm using Redhat 8.0, Linux kernel 2.0.40, patch-o-matic-20030107.tar.bz2, and
iptables-1.2.7a.tar.bz2.
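The mismatch the reporter describes can be checked mechanically: a correctly reverse-translated ICMP port-unreachable error is sourced from the address the client sent to and quotes that same destination address and port in its embedded header. When the quoted header still carries the post-REDIRECT destination, the client learns both the firewall's own address and the closed port the rules redirect to. The script below is an added example, not part of the bug report or of netfilter; it parses the two tcpdump lines quoted above (rejoined onto one line each, in the tcpdump 3.x format they were printed in) and lists every field where the error disagrees with the datagram that triggered it. The service-name table is a constructed subset of /etc/services.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the reporter's two tcpdump lines, one per line.
SAMPLE_CAPTURE = """\
11:00:04.833119 10.10.12.237.ntp > 11.11.11.11.ntp:  v4 client strat 0 poll 4 prec -6 (DF)
11:00:04.835416 11.11.11.11 > 10.10.12.237: icmp: 10.10.12.1 udp port tcpmux unreachable [tos 0xc0]
"""

# Service names tcpdump substitutes for port numbers (assumed subset of /etc/services).
SERVICES = {"tcpmux": 1, "domain": 53, "sunrpc": 111, "ntp": 123}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<ts> <src>.<sport> > <dst>.<dport>: ..." (UDP datagram as printed by tcpdump 3.x)
UDP_RE = re.compile(rf"^(?P<ts>\S+) (?P<src>{IP})\.(?P<sport>\w+) > (?P<dst>{IP})\.(?P<dport>\w+):")
# "<ts> <src> > <dst>: icmp: <quoted host> udp port <quoted port> unreachable ..."
ICMP_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{IP}) > (?P<dst>{IP}): icmp: "
    rf"(?P<qhost>{IP}) udp port (?P<qport>\w+) unreachable"
)


def port_of(token: str) -> int:
    """Turn a tcpdump port token ('ntp' or '123') into a port number."""
    return int(token) if token.isdigit() else SERVICES[token]


@dataclass
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PortUnreachable:
    src: str          # outer IP source of the ICMP error
    dst: str          # outer IP destination (should be the original sender)
    quoted_host: str  # destination address quoted from the embedded original header
    quoted_port: int  # destination port quoted from that header


def parse_capture(text: str) -> Tuple[Datagram, PortUnreachable]:
    """Extract the first UDP datagram and the ICMP port-unreachable that answers it."""
    dg: Optional[Datagram] = None
    err: Optional[PortUnreachable] = None
    for line in text.splitlines():
        if (m := UDP_RE.match(line)) and dg is None:
            dg = Datagram(m["src"], port_of(m["sport"]), m["dst"], port_of(m["dport"]))
        elif m := ICMP_RE.match(line):
            err = PortUnreachable(m["src"], m["dst"], m["qhost"], port_of(m["qport"]))
    if dg is None or err is None:
        raise ValueError("capture must contain one UDP datagram and one ICMP error")
    return dg, err


def check_icmp_consistency(dg: Datagram, err: PortUnreachable) -> List[str]:
    """Return every way the ICMP error disagrees with the datagram it answers.

    With NAT fully reversed the list is empty; a quoted host or port that
    differs from what the client sent exposes the REDIRECT target.
    """
    findings: List[str] = []
    if err.dst != dg.src:
        findings.append(f"error sent to {err.dst}, datagram came from {dg.src}")
    if err.src != dg.dst:
        findings.append(f"error sourced from {err.src}, client sent to {dg.dst}")
    if err.quoted_host != dg.dst:
        findings.append(f"quoted destination {err.quoted_host} != original {dg.dst}")
    if err.quoted_port != dg.dport:
        findings.append(f"quoted port {err.quoted_port} != original {dg.dport}")
    return findings


def leaks_redirect(capture: str) -> bool:
    """True when the ICMP error exposes the redirected destination instead of the original one."""
    dg, err = parse_capture(capture)
    return bool(check_icmp_consistency(dg, err))


if __name__ == "__main__":
    datagram, error = parse_capture(SAMPLE_CAPTURE)
    for finding in check_icmp_consistency(datagram, error):
        print("MISMATCH:", finding)
```

Run against the reporter's capture, the outer header is consistent (the error goes back to 10.10.12.237 and is sourced from 11.11.11.11), but the embedded header still says 10.10.12.1 port 1 rather than 11.11.11.11 port 123, which is exactly the disclosure described. The same rules expressed as `-j REJECT --reject-with icmp-port-unreachable` in the filter table's INPUT or FORWARD chain (the only place REJECT is valid) produce the error from the stack's own view of the original destination without going through REDIRECT at all.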


