This is a discussion on "protocol xx unreachable" within the Linux Security forums, part of the System Security and Security Related category.
Hi,
I posted a more specific message earlier in comp.security.firewalls (Subject: protocol 50 unreachable), but troubleshooting the problem further seems to indicate a more general problem. Basically, I have a Linux box (2.4.18-24 kernel) with two interfaces set up as a router for a private internal network. I use iptables to NAT traffic from the inside and to (successfully!) forward specific TCP traffic (determined by port numbers) from the external to a host on the internal interface. However, I am not able to forward any packages coming in through a specific internet protocol (e.g. 47, 50 or 51). In each case, a tcpdump on the external interface shows a "protocol xx unreachable" ICMP response. Similarly, I am not able to get packages of a specific protocol coming from the inside to go to the external interface. Again, normal TCP traffic works just fine. This used to work before the system rebooted after a power loss... I am lost and any help would be greatly appreciated!!

best,
h.
On 2004-12-02, Helge Weissig <helgew@grajagan.org> wrote:
> I posted a more specific message earlier in comp.security.firewalls
> (Subject: protocol 50 unreachable), but troubleshooting the problem
> further seems to indicate a more general problem. Basically, I have a
> Linux box (2.4.18-24 kernel) with two interfaces set up as a router
> for a private internal network. I use iptables to NAT traffic from the
> inside and to (successfully!) forward specific TCP traffic (determined
> by port numbers) from the external to a host on the internal
> interface. However, I am not able to forward any packages coming in
> through a specific internet protocol (e.g. 47, 50 or 51). In each
> case, a tcpdump on the external interface shows a "protocol xx
> unreachable" ICMP response. Similarly, I am not able to get packages
> of a specific protocol coming from the inside to go to the external
> interface. Again, normal TCP traffic works just fine. This used to
> work before the system rebooted after a power loss... I am lost and
> any help would be greatly appreciated!!

You cannot NAT (port based) protocols 47 (gre), 50 (esp) or 51 (ah); you can
only NAT protocols 6 (tcp) and 17 (udp) (plus probably 'UDP-Lite') traffic.
The routers in between cannot decode/mangle the packet without the endpoints
complaining bitterly about man-in-the-middle attacks, bad checksums, etc. etc.

For IPSec you should look at NAT-T (NAT Traversal), which more or less wraps
the whole IPSec packet in a UDP one. This means the packet is NAT 'safe'.

The ICMP packets are sent by the source (your router?) as there is some
firewall rule that says REJECT anything that is not 'tcp' or 'udp', probably.
Alternatively it might be only able to traverse the router via NAT, which is
impossible anyway, hence the message.

Hopefully this will help you. It looks like the ordering of your firewall
rules is not the same as before; of course it's hard to tell. Insert counting
packets throughout your chains and see how far the packet does get; I bet it
gets dropped on the 'nat' table. You probably had those protocols hardcoded
before to be forwarded to a fixed IP inside, but then you would have issues
with 'ah' packets.... :-/

Good luck

Alex
Alexander Clouter <alex@digriz.junk-this.org.uk> wrote in message news:<10qv1cjcmg2ii3a@corp.supernews.com>...
> You cannot NAT (port based) protocols 47 (gre), 50 (esp) or 51 (ah); you can
> only NAT protocols 6 (tcp) and 17 (udp) (plus probably 'UDP-Lite') traffic.
> The routers in between cannot decode/mangle the packet without the endpoints
> complaining bitterly about man-in-the-middle attacks, bad checksums, etc. etc.
>
> For IPSec you should look at NAT-T (NAT Traversal), which more or less wraps
> the whole IPSec packet in a UDP one. This means the packet is NAT 'safe'.
>
> The ICMP packets are sent by the source (your router?) as there is some
> firewall rule that says REJECT anything that is not 'tcp' or 'udp', probably.
> Alternatively it might be only able to traverse the router via NAT, which is
> impossible anyway, hence the message.
>
> Hopefully this will help you. It looks like the ordering of your firewall
> rules is not the same as before; of course it's hard to tell. Insert counting
> packets throughout your chains and see how far the packet does get; I bet it
> gets dropped on the 'nat' table. You probably had those protocols hardcoded
> before to be forwarded to a fixed IP inside, but then you would have issues
> with 'ah' packets.... :-/
>
> Good luck
>
> Alex

How can I reinstate the "hardcoded" forwarding to the fixed IP? It's really all I need, and I am using esp only, so I should be fine. What I still don't understand, though, is that packets from the inside get stuck on the internal interface and never make it to the external one (this is, for example, doing a ping of a VPN host after my VPN software claims it has established the IPsec tunnel).

h.
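To make Alex's "insert counting packets throughout your chains" suggestion and the "hardcoded" ESP forwarding Helge asks about concrete, here is an added shell example; it is not code from any poster in this thread and not the original box's configuration. It assumes a 2.4-era iptables with the filter and nat tables, an external interface named eth0 and an inside VPN host at 192.168.1.10 (both placeholder values), and it parses a constructed `iptables -L -vn` listing rather than live output. The counter rules carry no -j target, so they only increment and let the packet continue; the parser locates the "opt" column (`--`) to cope with the target column being blank on such rules.

```shell
#!/bin/sh
# Added example for the thread above; not code from any poster.
# Part 1: emit counter-only rules for one IP protocol (e.g. 50 / esp) at the
#         top of every chain a routed packet can pass through.
# Part 2: emit address-only DNAT forwarding of ESP to a fixed inside host
#         (placeholder interface/address; the poster's real values are unknown).
# Part 3: parse `iptables -L -vn` output and report per-chain hit counts for
#         that protocol, plus any catch-all ("all") rule such as a REJECT.

# A rule without -j matches, bumps its counters and falls through, so it is a
# harmless probe. Insert at position 1 so it counts before any REJECT/DROP.
emit_counter_rules() {
    proto="$1"
    for spec in "filter INPUT" "filter FORWARD" "filter OUTPUT" \
                "nat PREROUTING" "nat POSTROUTING"; do
        set -- $spec                      # $1 = table, $2 = chain
        printf 'iptables -t %s -I %s 1 -p %s\n' "$1" "$2" "$proto"
    done
}

# Address-only DNAT of inbound ESP (proto 50) to one inside host. ESP tolerates
# this because its integrity check does not cover the outer IP header; as Alex
# notes, AH (51) would not, since AH authenticates that header. Outbound ESP
# from the inside host still relies on the existing MASQUERADE/SNAT rule.
emit_esp_forward_rules() {
    ext_if="$1"; inside="$2"
    printf 'iptables -t nat -A PREROUTING -i %s -p esp -j DNAT --to-destination %s\n' "$ext_if" "$inside"
    printf 'iptables -A FORWARD -i %s -p esp -d %s -j ACCEPT\n' "$ext_if" "$inside"
    printf 'iptables -A FORWARD -o %s -p esp -s %s -j ACCEPT\n' "$ext_if" "$inside"
}

# Read `iptables -L -vn` output for one table on stdin; print
# "<table>/<chain> <pkts> <target>" for rules whose prot is $2 or "all".
# Columns are: pkts bytes [target] prot opt in out source destination ...
# The target column is blank for counter-only rules, so the fields shift;
# the "opt" column is always "--" (or "-f"), and prot is the field before it.
report_hits() {
    table="$1"; proto="$2"
    awk -v tbl="$table" -v proto="$proto" '
        /^Chain / { chain = $2; next }
        $1 == "pkts" { next }                     # column header line
        {
            for (i = 3; i <= NF; i++) if ($i ~ /^-[-f]$/) break
            if (i > NF) next                      # blank or unexpected line
            prot = $(i - 1)
            target = (i == 5) ? $3 : "-"          # "-" = counter-only rule
            if (prot == proto || prot == "all")
                printf "%s/%s %s %s\n", tbl, chain, $1, target
        }'
}

# Constructed listing (not real output from the poster's box): ESP never
# touches INPUT/OUTPUT, reaches the FORWARD counter, then hits a catch-all
# REJECT that answers with the ICMP protocol-unreachable the thread describes.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            esp  --  *      *       0.0.0.0/0            0.0.0.0/0
  100 12000 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  4200            esp  --  *      *       0.0.0.0/0            0.0.0.0/0
 5000  600K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
   42  4200 REJECT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable

Chain OUTPUT (policy ACCEPT 10 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            esp  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

echo '# counter rules to insert for ESP:'
emit_counter_rules esp
echo '# address-only forwarding of ESP to the inside host (placeholders):'
emit_esp_forward_rules eth0 192.168.1.10
echo '# how far ESP got in the constructed filter-table listing:'
sample_listing | report_hits filter esp
```

Run against a real box, the last step would be `iptables -L -vn | sh -c 'report_hits filter esp'` after sourcing the file, and the same with `iptables -t nat -L -vn` and `nat` as the table argument; a zero count in PREROUTING with non-zero counts in FORWARD is the signature of the packet being rejected before it ever reaches the DNAT rule, which is the ordering problem Alex suspects.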
helgew@grajagan.org (Helge Weissig) wrote in news:a1a4b233.0412021234.7a32c8bc@posting.google.com:
> interface. However, I am not able to forward any packages coming in
> through a specific internet protocol (e.g. 47, 50 or 51). In each
> case, a tcpdump on the external interface shows a "protocol xx
> unreachable" ICMP response. Similarly, I am not able to get packages
> of a specific protocol coming from the inside to go to the external
> interface. Again, normal TCP traffic works just fine. This used to
> work before the system rebooted after a power loss... I am lost and
> any help would be greatly appreciated!!

Please,

ifconfig -a
iptables -L -vn
iptables -t nat -L -vn
cat /proc/sys/net/ipv4/ip_forward
lsmod

Regards
Helge Weissig wrote:
> Hi,
>
> I posted a more specific message earlier in comp.security.firewalls
> (Subject: protocol 50 unreachable), but troubleshooting the problem
> further seems to indicate a more general problem. Basically, I have a
> Linux box (2.4.18-24 kernel) with two interfaces set up as a router
> for a private internal network. I use iptables to NAT traffic from the
> inside and to (successfully!) forward specific TCP traffic (determined
> by port numbers) from the external to a host on the internal
> interface. However, I am not able to forward any packages coming in
> through a specific internet protocol (e.g. 47, 50 or 51). In each
> case, a tcpdump on the external interface shows a "protocol xx
> unreachable" ICMP response. Similarly, I am not able to get packages
> of a specific protocol coming from the inside to go to the external
> interface. Again, normal TCP traffic works just fine. This used to
> work before the system rebooted after a power loss... I am lost and
> any help would be greatly appreciated!!
>
> best,
> h.

These are for VPN tunneling and encapsulation. They are:

gre    47   GRE   # Generic Routing Encapsulation
esp    50   ESP   # encapsulating security payload
ah     51   AH    # authentication header

--
Michael