Ah, I found a report like mine :)

On Wed, Apr 03, 2002 at 03:13:01PM +1000, James Morris wrote:
> I've just seen that if a linux 2.4 router does DNAT for a port (for ex.)
> the ICMP time exceeded packet will take the mangled tcp packet as a
> citation and won't un-DNAT the ICMP citation, so that the real IP and port
> behind the gateway are revealed.

ICMP payload should really be NATed back, not only for obscure security reasons but for protocol reasons. Here are two more examples of it:

ICMP Traceroute:

STATE=INVALID SRC=2.3.4.254 DST=1.2.3.4 PROTO=ICMP TYPE=11 CODE=0 [SRC=1.2.3.4 DST=172.16.0.3 TTL=1 PROTO=ICMP TYPE=8 CODE=0]

2.3.4.254 DNATs 2.3.4.3 to 172.16.0.3, then it finds TTL=1 and sends back ICMP time exceeded for the already DNATed packet, but doesn't NAT back the DST IP in the payload. So the sender finds the above: an INVALID ICMP 11 response.

A bigger problem (taken from a production machine :)):

STATE=INVALID SRC=4.5.6.7 DST=1.2.3.4 PROTO=ICMP TYPE=3 CODE=4 [SRC=1.2.3.4 DST=10.0.0.1 DF PROTO=TCP SPT=1234 DPT=34567] MTU=1443

This TCP session gets lost because of the missing-NAT-ICMP-payload bug.

Both examples are taken with netfilter machines on both sides (this is why the logs, even if taken on the passive side, look like netfilter logs :)). However, of course the bug isn't there, but on the active side.

It seems this still happens with 2.4.18.

regards,
Mario

--
Mario 'BitKoenig' Holbe <[EMAIL PROTECTED]> http://www.tu-ilmenau.de/~holbe/
Users are like ideal gases - they spread out evenly over all disks
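As an added illustration (not part of the mail above, and not netfilter code), the following Python parses netfilter log lines of the shape quoted in the mail, flags ICMP error messages whose embedded header still carries an RFC1918 address although the error is delivered to a public host (the symptom of the missing reverse NAT), and shows the reverse mapping a NAT box would have to apply to the quoted header. The sample lines are constructed after the two entries in the mail, and the DNAT table (2.3.4.3 to 172.16.0.3) is assumed from the mail's description; the public address behind the second example is not given there, so that line is deliberately left without a mapping.

```python
import re
import ipaddress

# Constructed sample log lines, modelled on the two netfilter entries quoted in the mail.
SAMPLE_LOGS = [
    "STATE=INVALID SRC=2.3.4.254 DST=1.2.3.4 PROTO=ICMP TYPE=11 CODE=0 "
    "[SRC=1.2.3.4 DST=172.16.0.3 TTL=1 PROTO=ICMP TYPE=8 CODE=0]",
    "STATE=INVALID SRC=4.5.6.7 DST=1.2.3.4 PROTO=ICMP TYPE=3 CODE=4 "
    "[SRC=1.2.3.4 DST=10.0.0.1 DF PROTO=TCP SPT=1234 DPT=34567] MTU=1443",
]

# Assumed DNAT table of the router in the first example: public address -> internal host.
# The second example's public address is not stated in the mail, so it is not mapped here.
DNAT_MAP = {"2.3.4.3": "172.16.0.3"}

# ICMP types that carry a quoted copy of the offending packet's header.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

KV = re.compile(r"(\w+)=(\S+)")


def parse_netfilter_log(line):
    """Split a netfilter log line into the outer header fields and the
    bracketed inner header that an ICMP error quotes. Flags without a
    value (e.g. DF) are ignored by the KEY=VALUE pattern."""
    m = re.search(r"\[(.*?)\]", line)
    inner = dict(KV.findall(m.group(1))) if m else {}
    outer_text = line[:m.start()] + line[m.end():] if m else line
    outer = dict(KV.findall(outer_text))
    return outer, inner


def inner_leaks_internal_address(outer, inner):
    """True when an ICMP error destined for a public host quotes a private
    address in the embedded header: the payload was not reverse-NATed, so
    the receiver cannot match it to any of its own connections and reports
    STATE=INVALID."""
    if outer.get("PROTO") != "ICMP":
        return False
    if int(outer.get("TYPE", -1)) not in ICMP_ERROR_TYPES:
        return False
    if "DST" not in inner:
        return False
    inner_dst = ipaddress.ip_address(inner["DST"])
    outer_dst = ipaddress.ip_address(outer["DST"])
    return inner_dst.is_private and not outer_dst.is_private


def un_dnat_inner(inner, dnat_map):
    """Apply the reverse of the DNAT mapping to the quoted header, which is
    what the NAT router itself would have to do before forwarding the ICMP
    error. Addresses without a known mapping are left untouched: only the
    box that did the translation can repair them."""
    reverse = {internal: public for public, internal in dnat_map.items()}
    fixed = dict(inner)
    if inner.get("DST") in reverse:
        fixed["DST"] = reverse[inner["DST"]]
    return fixed


def audit(lines, dnat_map):
    """For each log line report whether it shows the leak and what the
    correctly reverse-translated inner header would look like."""
    results = []
    for line in lines:
        outer, inner = parse_netfilter_log(line)
        results.append({
            "icmp_type": int(outer.get("TYPE", -1)),
            "leak": inner_leaks_internal_address(outer, inner),
            "fixed_inner": un_dnat_inner(inner, dnat_map),
        })
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_LOGS, DNAT_MAP):
        print(r)
```

Run stand-alone, the first line is flagged and its quoted DST is mapped back to 2.3.4.3, which is the address the tracerouting host actually sent to; the second line is flagged too, but without the router's table the quoted 10.0.0.1 cannot be repaired on the receiving side, which is why that TCP session's path-MTU discovery fails as the mail describes.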