Re: icmp type 11 not go via nat POSTROUTING table

---

• From: bykov.victor@xxxxxxxxx
• Date: 2 Feb 2006 00:01:58 -0800

---

>> Got strange thing: I have rule
>> iptables -t nat -A POSTROUTING -s x.y.z.t -j SNAT --to-source a.b.c.d
>> but localy generated

> Do you mean "locally generated" on a.b.c.d?

packets were generated on x.y.z.t

>> icmp packets type 11  ...

>Do you mean "ICMP type 11, Time exceeded message"?  ...

exactly right


>> ... not go via nat POSTROUTING table

>_All_ packets leaving an interface pass through the postrouting chain
>before exiting.  What do you mean here?  By what test did you determine
>this?

I also belived so, but ;)
I looked using tcpdump

>> while almost same packets with differrent type (8) get going and
>> altered according rule
>> Anybody know why?

>It's really not clear to me what you are observing or what you expect
>to observe.  "ICMP type 8, Echo request" are quite common, and if
>everthing is working as it "should", there is no reason for a "ICMP
>type 11, Time exceeded message" to be generated under normal
>circumstances.  Could you clarify?

so: I generated two test icmp packets
1) src x.y.z.t dst host.on.inet icmp-type 11 code 0
2) src x.y.z.t dst host.on.inet icmp-type 8
tcpdump on output interface showed
1) src x.y.z.t dst host.on.inet icmp-type 11 code 0
2) src a.b.c.d dst host.on.inet icmp-type 8

ICMP  type 11 in my case is intended to answer to traceroute showing
nexthop a.b.c.d, not x.y.z.t(which is private address so answering
packet then get lost when travelling via inet)

.

---

• Follow-Ups:
  • Re: icmp type 11 not go via nat POSTROUTING table
    • From: prg

• References:
  • icmp type 11 not go via nat POSTROUTING table
    • From: bykov . victor
  • Re: icmp type 11 not go via nat POSTROUTING table
    • From: prg

• Prev by Date: Re: What's This Log Entry Mean?
• Next by Date: Re: squid not always using cache
• Previous by thread: Re: icmp type 11 not go via nat POSTROUTING table
• Next by thread: Re: icmp type 11 not go via nat POSTROUTING table
• Index(es):
  • Date
  • Thread

---

Relevant Pages TCP/IP Applications FAQ ... waiting for an ICMP Echo Reply from the host. ... Each trio of packets 'expire' at a succeeding ... Of the rexec protocol. ... (comp.unix.questions) TCP/IP Applications FAQ ... waiting for an ICMP Echo Reply from the host. ... Each trio of packets 'expire' at a succeeding ... Of the rexec protocol. ... (comp.unix.questions) TCP/IP Applications FAQ ... waiting for an ICMP Echo Reply from the host. ... Each trio of packets 'expire' at a succeeding ... Of the rexec protocol. ... (comp.unix.questions) TCP/IP Applications FAQ ... waiting for an ICMP Echo Reply from the host. ... Each trio of packets 'expire' at a succeeding ... Of the rexec protocol. ... (comp.unix.questions) TCP/IP Applications FAQ ... waiting for an ICMP Echo Reply from the host. ... Each trio of packets 'expire' at a succeeding ... Of the rexec protocol. ... (comp.unix.questions)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

linux.derkeiler.com  > Newsgroups  > comp.os.linux.networking  > 2006-02