Fwd: Re: [help] private_networks

Rémi Denis-Courmont
Sat Mar 8 12:50:43 CET 2003


On Tuesday, 4 March 2003 at 16:48, Anders Fugmann wrote:
> Emil Varjasi wrote:
> > kernel: [FIAIF_INVALID]:IN= OUT=eth2 SRC=172.16.1.72 DST=172.16.8.1
> > LEN=66 TOS=0x00 PREC=0xC0 TTL=255 ID=28355 PROTO=ICMP TYPE=11
> > CODE=0 [SRC=172.16.8.1 DST=172.17.0.3 LEN=38 TOS=0x00 PREC=0x00
> > TTL=1 ID=38430 PROTO=UDP SPT=1482 DPT=33435 LEN=18 ]
> >
> > No SNAT.

As Anders says, this is a bug in Netfilter's connection tracking state
match rules. Namely, it considers the ICMP unreachable packets generated
locally while routing as invalid, which is quite wrong.

> > Possibly exception from the reserved_networks?
> > Please, what can i do?

I've added a hack to FIAIF rules in my init scripts. It's not a 'clean'
fix however (192.168.1.186 should be 172.16.1.72 on your setup, I
suppose).

--- /etc/rc.d/init.d/nethack ---
#!/bin/bash
# chkconfig: 345 09 91
# description: hacks the NetFilter firewall setup (iptables)

LOCK=/var/lock/subsys/nethack

# Rule specification for the locally generated ICMP packets that connection
# tracking wrongly flags as INVALID. The same specification is used for
# insertion and deletion, so "stop" removes exactly the rule "start" added.
RULE="--protocol icmp --out-interface eth0 --source 192.168.1.186 --jump ACCEPT"

function hack_start()
{
	# Insert at the top of FIAIF's LOG_INVALID chain so these packets are
	# accepted before the rest of the chain runs.
	iptables --table filter --insert LOG_INVALID $RULE
}


function hack_stop()
{
	# Delete by specification rather than by rule number, in case other
	# rules have been inserted into LOG_INVALID in the meantime.
	iptables --table filter --delete LOG_INVALID $RULE
}


function main()
{
	case "$1" in
		start)
			if [ ! -f "$LOCK" ]; then
				hack_start
				touch "$LOCK"
			else
				echo "Already started"
				return 1
			fi
			;;

		reload | restart | force-reload)
			main stop
			main start
			;;

		stop)
			hack_stop
			rm -f "$LOCK"
			;;

		status)
			if [ -f "$LOCK" ]; then
				echo "Started"
			else
				echo "Not started"
			fi
			;;

		*)
			echo "Usage: $0 {start|stop|restart|reload|force-reload|status}"
			return 1
			;;
	esac
	return 0
}

echo "Additional rules for local network..."
main "$1"

--- EOF ---

> The INVALID packets have nothing to do with FIAIF, but a bug in the
> netfilter code.

Exactly.

Yet, it would be cool if FIAIF had an option to fix that bug:
something like a 'ROUTER_HACK' that accepts ICMP unreachable messages in
the OUTPUT chain, for the current zone.

> Regards
> Anders Fugmann

Sincerely,

--
Rémi Denis-Courmont
<rdenis at simphalempin.com>
http://www.simphalempin.com/
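The FIAIF_INVALID log line quoted in this thread, run through a small classifier that separates the locally generated ICMP error described above from other INVALID entries. This is an added example, not code from the original email or from FIAIF; it assumes the netfilter LOG field format shown in the quoted line, the second sample line is constructed, and the verdict labels are made up here.

```python
import re

# Constructed sample: the first line is the FIAIF_INVALID entry quoted in the
# thread (an ICMP type 11 "time exceeded" the router sent about a forwarded
# traceroute-style UDP probe); the second is a made-up non-ICMP INVALID entry.
SAMPLE_LOG = """\
kernel: [FIAIF_INVALID]:IN= OUT=eth2 SRC=172.16.1.72 DST=172.16.8.1 LEN=66 TOS=0x00 PREC=0xC0 TTL=255 ID=28355 PROTO=ICMP TYPE=11 CODE=0 [SRC=172.16.8.1 DST=172.17.0.3 LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=38430 PROTO=UDP SPT=1482 DPT=33435 LEN=18 ]
kernel: [FIAIF_INVALID]:IN=eth0 OUT= SRC=10.0.0.9 DST=172.16.1.72 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=0 RES=0x00 ACK FIN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
# 3 = destination unreachable, 11 = time exceeded: the ICMP errors a router
# generates itself about traffic it is forwarding.
ICMP_ERROR_TYPES = {"3", "11"}

def parse_log_line(line):
    """Split a netfilter LOG line into prefix, outer header fields and the optional inner header."""
    m = re.search(r"\[([^\]]*)\]:(.*)$", line)
    if not m:
        return None
    prefix, body = m.group(1), m.group(2)
    inner = None
    im = re.search(r"\[(.*)\]", body)
    if im:  # bracketed header of the original packet embedded in the ICMP error
        inner = dict(FIELD_RE.findall(im.group(1)))
        body = body[:im.start()]
    return {"prefix": prefix, "outer": dict(FIELD_RE.findall(body)), "inner": inner}

def is_local_icmp_error(entry):
    """True for an ICMP error the firewall host emitted about a packet it was
    forwarding: no input interface, an output interface, an ICMP error type,
    and an embedded original header whose source is the error's destination."""
    o, inner = entry["outer"], entry["inner"]
    return (o.get("IN", "x") == "" and o.get("OUT", "") != ""
            and o.get("PROTO") == "ICMP" and o.get("TYPE") in ICMP_ERROR_TYPES
            and inner is not None and inner.get("SRC") == o.get("DST"))

def classify(log_text):
    """Label each INVALID entry: the conntrack false positive from the thread versus anything else."""
    verdicts = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None:
            verdicts.append("local-icmp-error" if is_local_icmp_error(entry) else "other-invalid")
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))  # ['local-icmp-error', 'other-invalid']
```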
