Hi, I am having some NAT/iptables issues. Please can you help me out -- this relates to how error ICMP packets generated at the firewall itself get sent to a wrong ip address because they avoid the outgoing NAT (postrouting) chain since they are considered as "RELATED" to the existing "connection" (ip_conntrack) created by the original ping packet, but still the conntrack is not able to properly reverse NAT this generated error ICMP packet. I am having great trouble figuring out what is happening since I am not that familiar with iptables. Any help will be highly appreciated.

Here is the full story:

Here is the network:

-------------  eth2  _____________________  eth0/1  -------------
| Network 1 | <=====> | Linux Routing+NAT | <======> | Network 2 |
-------------         ---------------------          -------------
  127.x.x.x                                            128.0.x.x

The Linux machine in the middle is using the NAT PREROUTING and POSTROUTING chains to convert addresses valid in one network to addresses valid in another network. (For 6-7 ip addresses, there is a 1-to-1 mapping between those valid in network 1 and those valid in network 2, which you can see from the NAT tables pasted further in this mail.)

Now if I send an ICMP packet from Network 2 to a host in Network 1, which is from 128.0.1.2 to 128.0.0.1 (mapped to 127.0.0.51 present in Network 1), here is the NAT log (got from inserting LOG elements at the beginning of each chain):

Jun 23 19:53:32 mwam-4 kernel: nat PREROUTING:IN=eth0 OUT= MAC=02:00:00:00:0f:00:02:00:00:00:01:10:08:00 SRC=128.0.1.2 DST=128.0.0.1 LEN=100 TOS=0x00 PREC=0x00 TTL=255 ID=20 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=0
Jun 23 19:53:32 mwam-4 kernel: filter FORWARD:IN=eth0 OUT=eth2 SRC=128.0.1.2 DST=127.0.0.51 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=20 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=0
Jun 23 19:53:32 mwam-4 kernel: nat POSTROUTING:IN= OUT=eth2 SRC=128.0.1.2 DST=127.0.0.51 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=20 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=0
Jun 23 19:53:32 mwam-4 kernel: filter FORWARD:IN=eth2 OUT=eth0 SRC=127.0.0.51 DST=128.0.1.2 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=20 PROTO=ICMP TYPE=0 CODE=0 ID=4 SEQ=0

This happens correctly. But now, if I send an ICMP packet from the same host 128.0.1.2 to a "non-existent" host in Network 1 (128.0.0.2), then the Linux iptables/route software generates an "ICMP Host Not Found" packet. These packets avoid the outgoing NAT (postrouting) chain since they are considered as "RELATED" to the existing "connection" (ip_conntrack) created by the original ping packet, but still the conntrack is not able to properly reverse NAT this generated error ICMP packet. So the ICMP error packet is sent on the interface as destined to 127.0.0.42, even though it should have been reverse-NATted to 128.0.1.2. Thus, the incorrect destination makes it not reach 128.0.1.2.

Jun 23 19:55:12 mwam-4 kernel: nat PREROUTING:IN=eth0 OUT= MAC=02:00:00:00:0f:00:02:00:00:00:01:10:08:00 SRC=128.0.1.2 DST=128.0.0.2 LEN=100 TOS=0x00 PREC=0x00 TTL=255 ID=25 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=0
Jun 23 19:55:12 mwam-4 kernel: filter FORWARD:IN=eth0 OUT=eth2 SRC=128.0.1.2 DST=128.0.0.2 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=25 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=0
Jun 23 19:55:12 mwam-4 kernel: nat POSTROUTING:IN= OUT=eth2 SRC=128.0.1.2 DST=128.0.0.2 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=25 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=0
Jun 23 19:55:15 mwam-4 kernel: filter OUTPUT:IN= OUT=eth0 SRC=128.0.1.1 DST=127.0.0.42 LEN=128 TOS=0x00 PREC=0xC0 TTL=64 ID=53898 PROTO=ICMP TYPE=3 CODE=1 [SRC=127.0.0.42 DST=128.0.0.2 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=25 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=0 ]

** This last line is the ICMP error message, which doesn't get reverse NATted, and instead of getting sent to 128.0.1.2, it gets sent to 127.0.0.42 --- it should have been reverse NATted by ip_conntrack.

Following are pasted more details about the situation, if that helps. Any help or pointers will be greatly appreciated.

Thanks
Gaurang.
--------------------------------------------------------------------------------

########################################################################
# IP Table 'nat'
########################################################################
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `nat PREROUTING:'
DNAT       all  --  0.0.0.0/0            127.0.0.46          to:128.0.1.6
DNAT       all  --  0.0.0.0/0            127.0.0.47          to:128.0.1.7
DNAT       all  --  0.0.0.0/0            127.0.0.42          to:128.0.1.2
DNAT       all  --  0.0.0.0/0            127.0.0.43          to:128.0.1.3
DNAT       all  --  0.0.0.0/0            127.0.0.44          to:128.0.2.4
DNAT       all  --  0.0.0.0/0            127.0.0.45          to:128.0.2.5
DNAT       all  --  0.0.0.0/0            128.0.0.1           to:127.0.0.51

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `nat POSTROUTING:'
SNAT       all  --  128.0.1.6            0.0.0.0/0           to:127.0.0.46
SNAT       all  --  128.0.1.7            0.0.0.0/0           to:127.0.0.47
SNAT       all  --  128.0.1.2            0.0.0.0/0           to:127.0.0.42
SNAT       all  --  128.0.1.3            0.0.0.0/0           to:127.0.0.43
SNAT       all  --  128.0.2.4            0.0.0.0/0           to:127.0.0.44
SNAT       all  --  128.0.2.5            0.0.0.0/0           to:127.0.0.45
SNAT       all  --  127.0.0.51           0.0.0.0/0           to:128.0.0.1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `nat OUTPUT:'

########################################################################
# IP Table 'filter'
########################################################################
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `filter INPUT:'

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `filter FORWARD:'

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `filter OUTPUT:'

--------------------------------------------------------------------------------

user@host# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.47      *               255.255.255.255 UH    0      0        0 eth0
127.0.0.46      *               255.255.255.255 UH    0      0        0 eth0
127.0.0.45      *               255.255.255.255 UH    0      0        0 eth1
127.0.0.44      *               255.255.255.255 UH    0      0        0 eth1
127.0.0.43      *               255.255.255.255 UH    0      0        0 eth0
127.0.0.42      *               255.255.255.255 UH    0      0        0 eth0
127.0.0.0       *               255.255.255.255 UH    0      0        0 lo
128.0.0.0       *               255.255.255.240 U     0      0        0 eth2
128.0.1.0       *               255.255.255.0   U     0      0        0 eth0
128.0.1.0       *               255.255.255.0   U     0      0        0 eth0
128.0.2.0       *               255.255.255.0   U     0      0        0 eth1
128.0.2.0       *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 eth2
user@host#

--------------------------------------------------------------------------------

iptables -t nat -I PREROUTING -p icmp -j LOG --log-prefix="nat PREROUTING:" --log-level="info"
iptables -t nat -I POSTROUTING -p icmp -j LOG --log-prefix="nat POSTROUTING:" --log-level="info"
iptables -t nat -I OUTPUT -p icmp -j LOG --log-prefix="nat OUTPUT:" --log-level="info"
iptables -t filter -I INPUT -p icmp -j LOG --log-prefix="filter INPUT:" --log-level="info"
iptables -t filter -I FORWARD -p icmp -j LOG --log-prefix="filter FORWARD:" --log-level="info"
iptables -t filter -I OUTPUT -p icmp -j LOG --log-prefix="filter OUTPUT:" --log-level="info"

--------------------------------------------------------------------------------

From host 128.0.1.2 in Network 2, pinging 128.0.1.1 (the router itself):

Jun 23 19:52:20 mwam-4 kernel: nat PREROUTING:IN=eth0 OUT= MAC=02:00:00:00:0f:00:02:00:00:00:01:10:08:00 SRC=128.0.1.2 DST=128.0.1.1 LEN=100 TOS=0x00 PREC=0x00 TTL=255 ID=15 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=0
Jun 23 19:52:20 mwam-4 kernel: filter INPUT:IN=eth0 OUT= MAC=02:00:00:00:0f:00:02:00:00:00:01:10:08:00 SRC=128.0.1.2 DST=128.0.1.1 LEN=100 TOS=0x00 PREC=0x00 TTL=255 ID=15 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=0
Jun 23 19:52:20 mwam-4 kernel: filter OUTPUT:IN= OUT=eth0 SRC=128.0.1.1 DST=128.0.1.2 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=23541 PROTO=ICMP TYPE=0 CODE=0 ID=3 SEQ=0
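An added example, not part of Gaurang's post: a small Python checker that parses the iptables LOG lines quoted above and flags any router-generated ICMP error whose destination is still a SNAT-translated address rather than the original sender. The SNAT map and the sample log lines are copied from the post; the function and constant names are my own.

```python
import re

# Key=value tokens of an iptables LOG line; ICMP errors embed the offending
# packet's header in square brackets after CODE=.
_KV = re.compile(r"(\w+)=(\S*)")
_PREFIX = re.compile(r"kernel: (.*?):IN=")

# SNAT rules from the post's nat POSTROUTING chain: original -> translated.
SNAT_MAP = {
    "128.0.1.6": "127.0.0.46", "128.0.1.7": "127.0.0.47",
    "128.0.1.2": "127.0.0.42", "128.0.1.3": "127.0.0.43",
    "128.0.2.4": "127.0.0.44", "128.0.2.5": "127.0.0.45",
    "127.0.0.51": "128.0.0.1",
}
# translated -> original: where a reply or ICMP error should really be sent.
REVERSE_SNAT = {v: k for k, v in SNAT_MAP.items()}
# ICMP types a router generates itself and that quote the offending packet.
ICMP_ERROR_TYPES = {"3", "11", "12"}

def parse_log_line(line):
    """Split one LOG line into outer fields plus an 'inner' dict for ICMP errors."""
    m = _PREFIX.search(line)
    rec = {"prefix": m.group(1) if m else ""}
    outer, _, inner = line.partition("[")
    rec.update(_KV.findall(outer))
    rec["inner"] = dict(_KV.findall(inner.rstrip(" ]")))
    return rec

def unreversed_icmp_errors(lines):
    """Return (chain, outer DST, expected DST) for each locally generated ICMP
    error that was sent to a translated address instead of the original sender."""
    findings = []
    for rec in map(parse_log_line, lines):
        if rec.get("PROTO") != "ICMP" or rec.get("TYPE") not in ICMP_ERROR_TYPES:
            continue
        expected = REVERSE_SNAT.get(rec.get("DST"))
        if expected and rec["inner"].get("SRC") == rec["DST"]:
            # DST is the NAT-side alias of the quoted packet's sender: conntrack
            # did not un-SNAT the error, so the real host never sees it.
            findings.append((rec["prefix"], rec["DST"], expected))
    return findings

# Constructed sample: log lines copied from the post (failing ping, then a good reply).
SAMPLE_LOG = [
    "Jun 23 19:55:12 mwam-4 kernel: nat PREROUTING:IN=eth0 OUT= MAC=02:00:00:00:0f:00:02:00:00:00:01:10:08:00 SRC=128.0.1.2 DST=128.0.0.2 LEN=100 TOS=0x00 PREC=0x00 TTL=255 ID=25 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=0",
    "Jun 23 19:55:12 mwam-4 kernel: nat POSTROUTING:IN= OUT=eth2 SRC=128.0.1.2 DST=128.0.0.2 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=25 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=0",
    "Jun 23 19:55:15 mwam-4 kernel: filter OUTPUT:IN= OUT=eth0 SRC=128.0.1.1 DST=127.0.0.42 LEN=128 TOS=0x00 PREC=0xC0 TTL=64 ID=53898 PROTO=ICMP TYPE=3 CODE=1 [SRC=127.0.0.42 DST=128.0.0.2 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=25 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=0 ]",
    "Jun 23 19:53:32 mwam-4 kernel: filter FORWARD:IN=eth2 OUT=eth0 SRC=127.0.0.51 DST=128.0.1.2 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=20 PROTO=ICMP TYPE=0 CODE=0 ID=4 SEQ=0",
]
```

Running `unreversed_icmp_errors(SAMPLE_LOG)` over a live `dmesg`/syslog feed with the same LOG prefixes gives a quick way to confirm whether a kernel or conntrack change has actually fixed the un-reversed error messages.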