On Thu, Mar 21, 2002 at 08:26:34PM +0100, Jan Rafaj wrote:
>
> Hello,
>
> It looks like I've apparently found a bug in SNAT kernel code.
> Environment: Linux 2.4.18-pre9, glibc 2.2.4, iptables 1.2.5.
>
> Please consider this example:
>
> iptables -t nat -I POSTROUTING -o eth0 -p icmp \
>     --icmp-type time-exceeded -j SNAT --to <IP>
>
> The eth0 is an interface of a router, connected to the outer
> network; the IP is an arbitrary IP.
>
> The above rule should hide the real IP addresses of routers
> inside the inner network by translating them to an arbitrary
> <IP> (since they reply with icmp time-exceeded to udp/ttl0 requests
> from traceroute, run by a third party in the outer network).
>
> What I see after applying the rule above is that it apparently
> does not match, so the SNAT target is not jumped to for the outgoing
> icmp time-exceeded packets.
This is not a bug. ICMP time exceeded messages are considered RELATED to
already established connections - like all ICMP error codes. The nat tables
are only traversed for NEW packets - and since an ICMP error message is not
NEW but RELATED, your rule is never hit.

> Jan Rafaj
> VA Brno, network administration
> mail: [EMAIL PROTECTED]
>
> PS: Contrary to the case noted above, the following works
> just nicely (but it is not a nice solution from my point of view):
>
> iptables -I FORWARD -o eth0 -p icmp --icmp-type time-exceeded -j DROP

Yes, since the FORWARD table is traversed for all packets, independent of
their state.

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
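The quickest way to confirm what Harald describes is to look at the packet counters: the SNAT rule in nat POSTROUTING stays at 0 while the FORWARD DROP rule counts. The script below, added here as an example and not part of the thread, parses an `iptables -t <table> -L -v -n` listing and reports rules that have never matched; the listing and its counters are constructed, and 192.0.2.1 stands in for the arbitrary `<IP>`.

```shell
# Constructed sample listing (not real output): the nat POSTROUTING chain
# with the SNAT rule from the thread, plus the FORWARD chain with the DROP
# rule. Counters are invented; 192.0.2.1 is a placeholder address.
SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0            icmp type 11 to:192.0.2.1
  317 25360 MASQUERADE  all  --  *      eth0    10.0.0.0/8           0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3360 DROP       icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0            icmp type 11'

# zero_hit_rules: reads an `iptables -L -v -n` listing on stdin and prints
# "<chain> <target> <match text>" for every rule whose pkts counter is 0.
# A rule that is never traversed (RELATED packets in the nat table) shows
# up here even though the rule itself is syntactically fine.
zero_hit_rules() {
    awk '
        /^Chain /           { chain = $2; next }   # remember the current chain
        /^ *pkts +bytes/    { next }               # skip the column header
        NF >= 9 && $1 == 0  {
            # columns 1-9 are pkts bytes target prot opt in out src dst;
            # everything after that is the match/target description
            match_text = ""
            for (i = 10; i <= NF; i++)
                match_text = match_text (i > 10 ? " " : "") $i
            print chain, $3, match_text
        }
    '
}

# check_live: run the same check against the running box, e.g.
#   check_live nat   (needs root)
check_live() {
    iptables -t "$1" -L -v -n | zero_hit_rules
}

# Demonstration on the constructed listing: only the SNAT rule is reported.
printf '%s\n' "$SAMPLE_LISTING" | zero_hit_rules
```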