Localhost ICMP and the mangle/nat tables

Harald Welte laforge@gnumonks.org
Fri, 1 Jun 2001 15:25:53 -0300


On Wed, May 30, 2001 at 02:56:16PM -0400, Michael Walter wrote:
> (passing traffic through the firewall, not to it).  However, I started
> working on the ICMP section of the script, which does allow some specific
> ICMP into the firewall itself.  I could not get anything to work at all,
> until I realized that an ICMP packet (let's say ping) originating from the
> firewall, traverses the NAT OUTPUT chain and the Mangle OUTPUT chain prior
> to being sent out.  As the default policies on these tables were drop, the

of course they do. If ICMP packets are created by the local host, they
get sent by the local network stack and traverse the same route as every
other locally-generated packet.

> icmp packets were being dropped.  Is this behavior normal in netfilter?

not netfilter related.

> Perhaps, nat'ing from 127.0.0.1 to the ip of the outgoing interface?  Or, is
> this a nuance with RedHat's/My implementation?

? why? where is your problem? the ICMP packets certainly don't have
127.0.0.1 as source address, do they?

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org                http://www.gnumonks.org
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
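The point of the exchange above is that a packet the firewall generates itself (its own ping) walks the OUTPUT chain of every table, so a DROP policy on nat OUTPUT or mangle OUTPUT kills local traffic before the filter table ever sees it. The following audit script is an added example, not code from the thread or from the netfilter project: it reads an iptables-save dump, lists every table whose OUTPUT chain policy is not ACCEPT, and emits the commands that put nat and mangle OUTPUT back to ACCEPT so that filtering decisions stay in the filter table. The dump it runs against is a constructed sample shaped like the situation the original poster describes; the function names are my own. The raw table it mentions in the comments only exists on kernels newer than the 2.4 series discussed here.

```shell
#!/bin/sh
# Audit an iptables-save dump for OUTPUT chains whose policy is not ACCEPT.
# Every packet the firewall itself generates (its own ping included) walks
# raw OUTPUT -> mangle OUTPUT -> nat OUTPUT -> filter OUTPUT before leaving,
# so a DROP policy on the nat or mangle OUTPUT chain silently drops local
# traffic. (The raw table only exists on kernels newer than 2.4.)

# Constructed sample dump, shaped like the thread: nat and mangle OUTPUT
# default to DROP, and the "allow specific ICMP" rule lives in filter.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT'

# Read an iptables-save dump on stdin; print "table: OUTPUT policy X" for
# every table whose OUTPUT chain policy is anything other than ACCEPT.
# The "*table" line names the table; ":OUTPUT POLICY [pkts:bytes]" follows.
find_output_drops() {
    awk '
        /^\*/       { table = substr($0, 2); next }
        /^:OUTPUT / { if ($2 != "ACCEPT") print table ": OUTPUT policy " $2 }
    '
}

# Same input; emit the iptables commands that restore ACCEPT on the nat and
# mangle OUTPUT chains. The filter table is deliberately left alone: that is
# where "allow only specific ICMP" belongs, so its DROP policy is intended.
suggest_fixes() {
    awk '
        /^\*/       { table = substr($0, 2); next }
        /^:OUTPUT / {
            if ($2 != "ACCEPT" && (table == "nat" || table == "mangle"))
                print "iptables -t " table " -P OUTPUT ACCEPT"
        }
    '
}

# Stand-alone run against the constructed dump. On a live box, pipe the real
# ruleset in instead:  iptables-save | find_output_drops
echo "OUTPUT chains that would drop locally generated packets:"
printf '%s\n' "$SAMPLE_DUMP" | find_output_drops
echo "Suggested fixes:"
printf '%s\n' "$SAMPLE_DUMP" | suggest_fixes
```

On the constructed dump the first function flags mangle, nat and filter; the second only emits fixes for mangle and nat, because a DROP policy on filter OUTPUT with an explicit echo-request ACCEPT rule is exactly the "allow some specific ICMP" setup the poster wanted, while nat and mangle are not the place to filter at all.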