"AVTORADIO"
TO: netfilter@xxxxxxxxxxxxxxxxxxx
FROM: System administrator Viktor Andreevich Bykov
SUBJECT: ICMP nat

=================
Cedric Blancher blancher at cartel-securite.fr wrote on Tue Jan 3 17:11:01 CET 2006

<AFAIK>
There are two classes of ICMP packets:
. ICMP requests/replies, such as ping
. ICMP errors

ICMP requests/replies work on a NEW/ESTABLISHED scheme, meaning the request has NEW state and the reply ESTABLISHED state. ICMP errors, if valid (i.e. corresponding to an existing conntrack entry), have RELATED state.

Now for the NAT table... The NAT table only "sees" packets with state NEW. If matched and accepted by filtering rules, a corresponding conntrack entry is created, and following packets are handled transparently by conntrack, meaning both ESTABLISHED and RELATED packets.
</AFAIK>

Now, to partially answer your question, and maybe to refine your observations:
. you won't see ICMP errors in the NAT table, which means you won't see ICMP packets generated by a tracerouting application
. you should see ICMP echo requests, but won't see ICMP echo replies
================================

My question is: if I, for example, generate an ICMP packet with icmp-type 11 with a packet generator, this packet is not in ESTABLISHED state and not in the conntrack list, and probably should go via the NAT table? In a practical test, however, that kind of packet does not go via NAT!

Date/Time: 02.02.2006 14:57:00
Phone: + 7 (495) 258-33-44
E-mail: vr@xxxxxxxxx
Website: http://www.avtoradio.ru
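The following is an added illustration, not part of the post or of the netfilter code base: a simplified Python model of the ICMP state machine Cedric describes, plus the rule that the nat table is traversed only for packets in state NEW. It also covers the case the question raises: an ICMP error (type 11) whose quoted inner header matches no tracked flow is classified INVALID rather than NEW, so conntrack never hands it to the nat table, while the same type 11 quoting a tracked traceroute probe is RELATED. All names (FlowTuple, IcmpPacket, Conntrack, nat_table_consulted) and the sample addresses are constructed for the example; the real logic lives in the kernel's conntrack ICMP protocol helper.

```python
# Added illustration (not kernel code, not from the mailing-list post): a
# simplified model of conntrack's ICMP state classification and of the rule
# that the nat table is consulted only for NEW packets. Names are invented.
from dataclasses import dataclass
from typing import Optional, Set

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# Error types carry the IP+transport header of the packet that triggered them.
ICMP_ERRORS = {ICMP_DEST_UNREACH, 4, 5, ICMP_TIME_EXCEEDED, 12}
# Request types and the reply type that answers each of them.
ICMP_REQUESTS = {ICMP_ECHO_REQUEST: ICMP_ECHO_REPLY, 13: 14, 15: 16, 17: 18}


@dataclass(frozen=True)
class FlowTuple:
    """Original-direction key of a tracked flow."""
    src: str
    dst: str
    proto: str
    sport_or_id: int    # source port, or ICMP identifier for ping-style flows
    dport_or_type: int  # destination port, or ICMP request type


@dataclass
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int = 0
    inner: Optional[FlowTuple] = None  # quoted header, only present on ICMP errors


class Conntrack:
    def __init__(self) -> None:
        self.flows: Set[FlowTuple] = set()

    def track(self, flow: FlowTuple) -> None:
        """Record a flow the filter already accepted (e.g. a UDP traceroute probe)."""
        self.flows.add(flow)

    def classify(self, pkt: IcmpPacket) -> str:
        if pkt.icmp_type in ICMP_ERRORS:
            # An error is RELATED only if the header it quotes belongs to a
            # tracked flow; an error quoting nothing we know is INVALID, not NEW.
            if pkt.inner is not None and pkt.inner in self.flows:
                return "RELATED"
            return "INVALID"
        if pkt.icmp_type in ICMP_REQUESTS:
            key = FlowTuple(pkt.src, pkt.dst, "icmp", pkt.icmp_id, pkt.icmp_type)
            if key in self.flows:
                return "ESTABLISHED"  # repeated request of a flow already tracked
            self.flows.add(key)
            return "NEW"
        for req_type, rep_type in ICMP_REQUESTS.items():
            if pkt.icmp_type == rep_type:
                # Reply direction: swap addresses to recover the original key.
                key = FlowTuple(pkt.dst, pkt.src, "icmp", pkt.icmp_id, req_type)
                return "ESTABLISHED" if key in self.flows else "INVALID"
        return "INVALID"  # ICMP types this simplified model does not track


def nat_table_consulted(state: str) -> bool:
    """The nat table is traversed only for the first packet of a connection."""
    return state == "NEW"


def walk(ct: Conntrack, packets):
    """Classify packets in order; return (type, state, seen_by_nat) per packet."""
    result = []
    for pkt in packets:
        state = ct.classify(pkt)
        result.append((pkt.icmp_type, state, nat_table_consulted(state)))
    return result


if __name__ == "__main__":
    ct = Conntrack()
    # Constructed sample: a UDP traceroute probe the filter already accepted.
    probe = FlowTuple("192.0.2.10", "198.51.100.1", "udp", 40000, 33434)
    ct.track(probe)
    demo = [
        IcmpPacket("192.0.2.10", "198.51.100.1", ICMP_ECHO_REQUEST, icmp_id=7),
        IcmpPacket("198.51.100.1", "192.0.2.10", ICMP_ECHO_REPLY, icmp_id=7),
        # Time exceeded quoting the probe: what a tracerouting hop would send.
        IcmpPacket("203.0.113.5", "192.0.2.10", ICMP_TIME_EXCEEDED, inner=probe),
        # Time exceeded from a packet generator, quoting no tracked flow.
        IcmpPacket("203.0.113.9", "192.0.2.10", ICMP_TIME_EXCEEDED),
    ]
    for line in walk(ct, demo):
        print(line)
```

Only the echo request comes out as NEW and therefore reaches the nat table; the reply is ESTABLISHED, the hop's time-exceeded is RELATED, and the generated time-exceeded is INVALID, which is why a packet-generator test never shows it in nat.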