I have found another case which led me to believe NetFilter had a smarter understanding of DNAT and TTLs.

Here is the traceroute:

[root@gw /root]# hping2 -t 1 -S -T -p 25 -n 112.280.213.227
1->TTL 0 during transit from 61.5.6.2
2->TTL 0 during transit from 61.5.6.5
3->TTL 0 during transit from 61.5.6.50
4->TTL 0 during transit from 174.78.129.12
5->TTL 0 during transit from 155.14.19.156
6->TTL 0 during transit from 155.14.19.34
7->TTL 0 during transit from 112.280.0.14
8->TTL 0 during transit from 112.280.213.223
9->TTL 0 during transit from 112.280.213.227
44 bytes from 112.280.213.227: flags=SA seq=9 ttl=54 id=34577 win=32696 rtt=107.6 ms

It seems the firewall is replying to the traceroute packet with the NATed IP address, when the firewall itself doesn't reply to TTL zero packets (when doing the traceroute on TCP 22). Then the real NATed server replies to the SYN packet (which also has a TTL zero) with a SA.

My understanding of how this traceroute would be if there was no firewall:

[root@gw /root]# hping2 -t 1 -S -T -p 25 -n 112.280.213.227
1->TTL 0 during transit from 61.5.6.2
2->TTL 0 during transit from 61.5.6.5
3->TTL 0 during transit from 61.5.6.50
4->TTL 0 during transit from 174.78.129.12
5->TTL 0 during transit from 155.14.19.156
6->TTL 0 during transit from 155.14.19.34
7->TTL 0 during transit from 112.280.0.14
8->TTL 0 during transit from 112.280.213.223
44 bytes from 112.280.213.227: flags=SA seq=9 ttl=55 id=34577 win=32696 rtt=107.6 ms

To me, this is the way NetFilter should handle NAT and TTLs, so as to hide the fact that there is a firewall and that some NAT is being performed. However, I don't really understand why, in my previous post, there was no answer from the firewall with the NATed address (line 9). Maybe because the rules on the latter firewall forbid it to send ICMP?

G. Letellier
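The following is an added example, not code from the post or from the NetFilter project. It parses hping2 -T output in the format shown above and checks, from a firewall administrator's point of view, whether the gateway betrays the NAT: the signature the post describes is that the target address appears once as the source of a "TTL 0 during transit" message and then again as the host sending the SYN/ACK, i.e. two different devices answered using the same address. The reply TTL is used only as a supporting estimate of how far away the real server is; the helper names (parse_hping_trace, analyse_trace), the choice of common initial TTLs, and the assumption that the reverse path has the same length as the forward path are mine, not the post's. The two sample traces are copied from the post.

```python
import re

# Matches lines such as "9->TTL 0 during transit from 112.280.213.227"
HOP_RE = re.compile(r'^(\d+)->TTL 0 during transit from (\S+)$')
# Matches the final reply, e.g. "44 bytes from 112.280.213.227: flags=SA seq=9 ttl=54 ..."
REPLY_RE = re.compile(r'^(\d+) bytes from (\S+): flags=(\S+) seq=\d+ ttl=(\d+)')

# Sample input, copied from the post: the trace observed through the DNAT gateway.
TRACE_WITH_FIREWALL = """\
1->TTL 0 during transit from 61.5.6.2
2->TTL 0 during transit from 61.5.6.5
3->TTL 0 during transit from 61.5.6.50
4->TTL 0 during transit from 174.78.129.12
5->TTL 0 during transit from 155.14.19.156
6->TTL 0 during transit from 155.14.19.34
7->TTL 0 during transit from 112.280.0.14
8->TTL 0 during transit from 112.280.213.223
9->TTL 0 during transit from 112.280.213.227
44 bytes from 112.280.213.227: flags=SA seq=9 ttl=54 id=34577 win=32696 rtt=107.6 ms
"""

# Sample input, copied from the post: the trace the author expects without a firewall.
TRACE_NO_FIREWALL = """\
1->TTL 0 during transit from 61.5.6.2
2->TTL 0 during transit from 61.5.6.5
3->TTL 0 during transit from 61.5.6.50
4->TTL 0 during transit from 174.78.129.12
5->TTL 0 during transit from 155.14.19.156
6->TTL 0 during transit from 155.14.19.34
7->TTL 0 during transit from 112.280.0.14
8->TTL 0 during transit from 112.280.213.223
44 bytes from 112.280.213.227: flags=SA seq=9 ttl=55 id=34577 win=32696 rtt=107.6 ms
"""


def parse_hping_trace(text):
    """Return ([(hop_number, source_ip), ...], reply_dict_or_None)."""
    hops = []
    reply = None
    for line in text.splitlines():
        line = line.strip()
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
            continue
        m = REPLY_RE.match(line)
        if m:
            reply = {"src": m.group(2), "flags": m.group(3), "ttl": int(m.group(4))}
    return hops, reply


def guess_initial_ttl(ttl):
    """Smallest common initial TTL at or above the observed value (assumption)."""
    for init in (32, 64, 128, 255):
        if ttl <= init:
            return init
    return 255


def analyse_trace(text, target):
    """Look for a device answering TTL-expired probes with the target's own address."""
    hops, reply = parse_hping_trace(text)
    result = {"hops": len(hops), "target_as_hop": None,
              "server_distance": None, "nat_in_front": False}
    # Only meaningful when the target itself finally answered (flags=SA here).
    if reply is None or reply["src"] != target:
        return result
    for n, ip in hops:
        if ip == target:
            result["target_as_hop"] = n
            break
    # Distance of the real responder, estimated from the remaining TTL of its
    # SYN/ACK. This measures the reverse path, so it is only a hint when
    # routing is asymmetric.
    result["server_distance"] = guess_initial_ttl(reply["ttl"]) - reply["ttl"]
    # The target address expiring a probe *before* the target answers means a
    # different device (the DNAT gateway in the post) used that address as the
    # source of its ICMP Time Exceeded message.
    result["nat_in_front"] = result["target_as_hop"] is not None
    return result


if __name__ == "__main__":
    for name, trace in (("with firewall", TRACE_WITH_FIREWALL),
                        ("no firewall", TRACE_NO_FIREWALL)):
        print(name, analyse_trace(trace, "112.280.213.227"))
```

For the first trace the target shows up at hop 9 and the SYN/ACK TTL of 54 points at a host 10 hops away, so the address is being used by two devices; for the second trace the target only appears as the final responder, 9 hops away, which is the behaviour the post argues a NAT gateway should have.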