[Bug 55] New: ICMP translation problem with local NAT

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Wed, 26 Feb 2003 19:09:34 +0100


https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=55

           Summary: ICMP translation problem with local NAT
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: NAT
        AssignedTo: laforge@netfilter.org
        ReportedBy: laforge@netfilter.org
                CC: bazsi@balabit.hu,netfilter-buglog@lists.netfilter.org


Hi,

I've encountered another ICMP translation problem in netfilter. This time it
occurs when a process initiates a connection and it is translated on the
same host.

How to reproduce:

Box A ---------------------------------- Box B
192.168.131.124                          192.168.131.1
                                         Routes back 10.0.0.0/24 using
                                         192.168.131.124 as gateway

iptables -t nat -A POSTROUTING -p tcp -s 192.168.131.124 --sport 9999 \
	 -j SNAT --to-source 10.0.0.1

and

nc -s 192.168.131.124 -p 9999 192.168.131.1 80

The connection works as expected if Box B accepts connections on port 80,
but if I cause Box B to send an ICMP port unreachable back:

(Box B was using ipchains in my case, hence the ipchains command line)
boxb# ipchains -s 10.0.0.0/24 -d 0/0 80 -j REJECT

The source address within the ICMP port unreachable is not rewritten, as the
following LOG output shows (to trigger the LOG output I added another rule
to INPUT: iptables -A INPUT -p icmp -j LOG):

IN=eth0 OUT= MAC=00:50:56:bb:83:25:00:50:bf:0b:f6:2f:08:00 \
    SRC=192.168.131.1 DST=192.168.131.124 LEN=88 TOS=0x00 \
    PREC=0xC0 TTL=255 ID=26730 PROTO=ICMP TYPE=3 CODE=3 \
    [SRC=10.0.0.1 DST=192.168.131.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53526 DF PROTO=TCP SPT=9999 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 ]
         ^^^^^^^^

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
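As an added illustration, not part of Bazsi's report and not netfilter's own code: a small Python checker that parses LOG lines of the shape shown above (outer header plus the embedded original-packet header LOG prints inside square brackets) and flags ICMP errors whose embedded header still carries the SNAT address although the outer header was already rewritten back to the local address. The SNAT mapping dictionary, the constructed "fixed" line used for contrast and all function names are assumptions made here.

```python
import re

# Constructed sample input: the LOG line from the bug report, joined onto one
# line as the kernel emits it (the report shows it wrapped for e-mail).
BUGGY_LOG = (
    "IN=eth0 OUT= MAC=00:50:56:bb:83:25:00:50:bf:0b:f6:2f:08:00 "
    "SRC=192.168.131.1 DST=192.168.131.124 LEN=88 TOS=0x00 "
    "PREC=0xC0 TTL=255 ID=26730 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=10.0.0.1 DST=192.168.131.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53526 DF "
    "PROTO=TCP SPT=9999 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 ]"
)

# Constructed (hypothetical) contrast line: the same error once the embedded
# header has been reverse-translated like the outer one.
FIXED_LOG = BUGGY_LOG.replace("[SRC=10.0.0.1", "[SRC=192.168.131.124")

# The SNAT mapping set up in the report: local 192.168.131.124:9999/tcp
# leaves the box as 10.0.0.1.  Field names here are an assumption.
SNAT_RULE = {"proto": "TCP", "src": "192.168.131.124", "sport": "9999",
             "to_source": "10.0.0.1"}


def parse_fields(text):
    """Turn 'KEY=VALUE' tokens into a dict; bare flags such as DF or SYN
    are collected under 'FLAGS'."""
    fields = {"FLAGS": []}
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields["FLAGS"].append(tok)
    return fields


def parse_log_line(line):
    """Split a netfilter LOG line into the outer header and, for ICMP errors,
    the embedded original-packet header printed inside [ ... ].
    Returns (outer, inner); inner is None when no embedded header is present."""
    match = re.search(r"\[(.*?)\]", line)
    if not match:
        return parse_fields(line), None
    outer = parse_fields(line[:match.start()])
    inner = parse_fields(match.group(1))
    return outer, inner


def check_icmp_error_translation(outer, inner, rule):
    """Check an ICMP error logged on the NAT box against a local SNAT mapping.

    For a locally originated, SNATed connection the error's outer DST and the
    embedded packet's SRC both carry the NAT address on the wire, so after
    reverse translation both must equal the original local address.
    Returns a list of findings; an empty list means the two headers agree."""
    findings = []
    if outer.get("PROTO") != "ICMP" or inner is None:
        return findings
    # Only consider errors that quote the translated connection.
    if inner.get("PROTO") != rule["proto"] or inner.get("SPT") != rule["sport"]:
        return findings
    if inner.get("SRC") == rule["to_source"]:
        findings.append("embedded SRC %s still carries the SNAT address; expected %s"
                        % (inner["SRC"], rule["src"]))
    if outer.get("DST") == rule["to_source"]:
        findings.append("outer DST %s still carries the SNAT address; expected %s"
                        % (outer["DST"], rule["src"]))
    if outer.get("DST") == rule["src"] and inner.get("SRC") != rule["src"]:
        findings.append("partial translation: outer header rewritten to %s but "
                        "embedded header still says %s"
                        % (outer["DST"], inner.get("SRC")))
    return findings


if __name__ == "__main__":
    for label, line in (("reported", BUGGY_LOG), ("expected", FIXED_LOG)):
        outer, inner = parse_log_line(line)
        print(label, check_icmp_error_translation(outer, inner, SNAT_RULE) or ["consistent"])
```

Run against the reported line the checker produces two findings (the embedded SRC is the SNAT address, and the outer header was rewritten while the embedded one was not); against the contrast line it produces none. Because the check keys on the connection's protocol and source port, it only fires for ICMP errors that quote the translated flow, which keeps it usable over a mixed LOG stream.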


