Generated ICMP Error packets getting sent to the incorrect destination

Jörg Harmuth harmuth at
Tue Aug 2 09:53:21 CEST 2005

Gaurang Khetan schrieb:
> Hi, 
> I am having some NAT/iptables issues. Please can you help me out -- this
> relates to how error ICMP packets generated at the firewall itself get sent to
> a wrong ip address because they avoid the outgoing NAT (postrouting) chain
> since they are considered as "RELATED" to the existing "connection"
> (ip_conntrack) created by the original ping packet, but still the conntrack is
> not able to properly reverse NAT this generated error ICMP packet.
> I am having great trouble figuring out what is happenning since I am not that
> familiar with iptables. 
> Any help will be highly appreciated.
> Here is the full story:
> Here is the network:
> -------------   eth2    _____________________   eth0/1  -------------
> | Network 1 | <=====>  | Linux Routing+NAT |   <======> | Network 2 |
> -------------           ---------------------           -------------
>  127.x.x.x                                               128.0.x.x

I didn't read the full posting, but I maked sure that you really mean
127.x.x.x. You can't use 127.x.x.x as a real network address, because
this address space is reserved for localhost and every IP implementation
reserves 127/8 for localhost. So I bet, that somewhere in the packets
journey the IP implementation of some host gets confused by this address
and that that's the reason for your troubles. At least one of the
reasons :) Briefly: Change 127.x.x.x to some valid address like 10/8 or
some other, described in RFC1918 and then try again.

Have a nice time,


More information about the netfilter mailing list