Re: Iptables question on forwarded port with a router

sbannecy <sylvain.berthier@xxxxxxx> writes:


I have got a question related to iptables.
I'm connecting from my pc (let's call its ip address ip_1) to a linksys
router (let's call its ip address ip_router) which is forwarding a port
xxx to the port 22 on a pc (let's call its ip ip_2).
I can connect through ssh on port xxx to this destination pc but if I
do some operation like top, everything is blocked.

I think this is due to my firewall (on the destination pc) that is
filtering some packets:

[IPTABLES DROP]IN=eth0 OUT= SRC=ip_router DST=ip_2 LEN=576 TOS=0x08
PREC=0xC0 TTL=255 ID=10789 PROTO=ICMP TYPE=3 CODE=4 [SRC=ip_2 DST=ip_1
LEN=1500 TOS=0x08 PREC=0x00 TTL=63 ID=15581 DF PROTO=TCP SPT=22
DPT=44276 WINDOW=1436 RES=0x00 ACK URGP=0 ] MTU=1460

Who can explain this line?
I allow ssh traffic and ping. It seems to be an ssh socket encapsulated
in ping??? I really don't understand this line. So, I'm not able to
allow it in my iptables rules.

The blocked packet is an ICMP type 3, code 4 packet, being sent from
the router to the destination pc. It is essentially an error message
saying to the destination pc that its destination (which is your pc)
is unreachable because the packet it sent was too big. The packet it
is referring to (in brackets) was from the destination pc's sshd. It
was length 1500, and had the DF (don't fragment) flag set. However,
the MTU (maximum transfer unit) is 1460. Since 1500 is greater than
1460 and the packet can't be fragmented, there is no way to transmit

You need to be able to receive ICMP type 3 messages. Your firewall
shouldn't be blocking them.

Scott Hemphill hemphill@xxxxxxxxxxxxxxxxxx
"This isn't flying. This is falling, with style." -- Buzz Lightyear
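As an added illustration (not code from this thread), a small Python parser that classifies the log line Scott explains: it separates the outer ICMP header from the original packet the kernel quotes inside the brackets, and flags the type 3 / code 4 (fragmentation needed) case as a path-MTU black hole. The sample line is the one from the post, rejoined onto a single line.

```python
import re

# Constructed sample: the log line quoted in the post, rejoined onto one line.
SAMPLE_LOG = (
    "[IPTABLES DROP]IN=eth0 OUT= SRC=ip_router DST=ip_2 LEN=576 TOS=0x08 "
    "PREC=0xC0 TTL=255 ID=10789 PROTO=ICMP TYPE=3 CODE=4 [SRC=ip_2 DST=ip_1 "
    "LEN=1500 TOS=0x08 PREC=0x00 TTL=63 ID=15581 DF PROTO=TCP SPT=22 "
    "DPT=44276 WINDOW=1436 RES=0x00 ACK URGP=0 ] MTU=1460"
)

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_fields(text):
    """Turn KEY=VALUE tokens into a dict; bare flags such as DF or ACK map to True."""
    fields = dict(FIELD_RE.findall(text))
    fields.update({tok: True for tok in text.split() if tok.isalpha()})
    return fields

def parse_log_line(line):
    """Split an iptables LOG line into the outer header and, for ICMP errors,
    the quoted original packet that the kernel prints inside [ ... ]."""
    m = re.match(r"^\[([^\]]*)\](.*)$", line)
    prefix, rest = (m.group(1), m.group(2)) if m else ("", line)
    inner_m = re.search(r"\[(.*?)\]", rest)
    if inner_m:
        inner = parse_fields(inner_m.group(1))
        rest = rest[:inner_m.start()] + rest[inner_m.end():]
    else:
        inner = None
    return {"prefix": prefix.strip(), "outer": parse_fields(rest), "inner": inner}

def classify(line):
    """Flag a dropped ICMP type 3 / code 4 (fragmentation needed) message.
    Dropping it hides the path MTU from the local TCP stack, so large DF
    segments are silently lost: exactly the 'top hangs' symptom in the post."""
    rec = parse_log_line(line)
    outer, inner = rec["outer"], rec["inner"] or {}
    if not (outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "3" and outer.get("CODE") == "4"):
        return {"kind": "other"}
    return {
        "kind": "pmtud-blackhole",
        "reporter": outer.get("SRC"),           # hop that could not forward the packet
        "mtu": int(outer["MTU"]),               # MTU of the next hop, as reported
        "inner_len": int(inner.get("LEN", 0)),  # size of the packet that was too big
        "inner_df": inner.get("DF", False),     # DF set, so it could not be fragmented
        "inner_proto": inner.get("PROTO"),
        "inner_sport": int(inner.get("SPT", 0)),
        "inner_dport": int(inner.get("DPT", 0)),
    }
```

Admitting these errors does not require opening ICMP in general: a rule such as `iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` accepts ICMP errors that belong to an existing connection, which covers this case.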
