Re: Interesting fw log: "ICMP type 3 not embeddable"

From: Ian Jones <roux@attbi.com>
Date: Sat, 15 Jun 2002 02:03:15 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Heiming <michael+USENET@heiming.de> writes:

> Those entries showing up in my logs:
>
> Jun 15 00:38:16 host kernel: invalid IN=ppp0 OUT= MAC=
> SRC=217.89.16.115 DST=My.external.IP
> LEN=56 TOS=0x00 PREC=0x00 TTL=56 ID=30304 PROTO=ICMP TYPE=3 CODE=3
> [SRC=My.external.IP DST=172.20.10.1
> LEN=62 TOS=0x00 PREC=0xC0 TTL=249 ID=0 DF PROTO=ICMP TYPE=3 CODE=3 ]
> Jun 15 00:38:16 host kernel: ipt_unclean: (embedded packet) ICMP
> type 3 not embeddable
>
> ICMP type 3 means host not reachable and the message is from
> /usr/src/linux/net/ipv4/netfilter/ipt_unclean.c
>
> Probably triggered by:
>
> [..]
> $IPTABLES -A INPUT -m unclean -i ! $DEV_LOOP -j invalid
> $IPTABLES -A invalid -m limit -j LOG --log-prefix "invalid "
> $IPTABLES -A invalid -j REJECT
>
> However, was this really just a somehow malformed packet or is
> there more about it?

I could be off base here, but....

I suspect that you have an attempt to break RFCs in your ruleset. Do
you use any "-j REJECT --reject-with..." rules in response to ICMP
errors?

A quick glance through linux/net/ipv4/netfilter/ipt_unclean.c shows
the source of your log message:

,----
| } else {
|         /* CHECK: Can't embed ICMP unless known non-error. */
|         if (icmph->type >= sizeof(info)/sizeof(struct icmp_info)
|             || info[icmph->type].err != ICMP_NOT_ERROR) {
|                 limpk("ICMP type %u not embeddable\n",
|                       icmph->type);
|                 return 0;
|         }
`----

As you know, an ICMP error message must include at least 28 bytes of
the datagram which caused the error to be sent. ICMP errors should
never be sent in response to an ICMP error, but you appear to be
trying to do just that.

-----BEGIN PGP SIGNATURE-----
Comment: Keeping the world safe for geeks.

iD8DBQE9CpuKwBVKl/Nci0oRAtZBAKCtKMtvp6bniOiU3FsFsZo+X+U3RwCeITvQ
xtazC+ERG3+D9tg6hZcVZg4=
=9Iai
-----END PGP SIGNATURE-----
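To make the point concrete, here is an added example (not from the thread and not netfilter's code) that rebuilds the packet described by the log line above and runs the same embedded-ICMP test that ipt_unclean.c applies. The error/non-error type table is an assumption that mirrors the idea of the kernel's info[] array rather than copying it; 192.0.2.1 (RFC 5737 TEST-NET) stands in for "My.external.IP"; the filler bytes in the inner datagram are constructed so that the lengths match LEN=56 and LEN=62 from the log.

```python
import socket
import struct

ICMP_PROTO = 1
UDP_PROTO = 17

# Assumption: classification of ICMP types by RFC 792/950/1256 meaning.
# It mirrors what ipt_unclean.c's info[] table expresses, it is not a copy of it.
ICMP_NOT_ERROR = {0, 8, 9, 10, 13, 14, 15, 16, 17, 18}   # echo, router adv, timestamp, ...
MAX_KNOWN_TYPE = 18                                        # anything above is "unknown"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src, dst, proto, payload, ttl=64, tos=0, ident=0, df=False):
    """Minimal IPv4 header (no options) in front of payload."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp(type_, code, payload=b"", rest=0):
    """ICMP header (type, code, checksum, 4 bytes 'rest of header') + payload."""
    hdr = struct.pack("!BBHI", type_, code, 0, rest)
    hdr = hdr[:2] + struct.pack("!H", checksum(hdr + payload)) + hdr[4:]
    return hdr + payload


def unclean_icmp_check(packet: bytes):
    """Return (ok, reason), reproducing the embedded-packet rule of ipt_unclean:
    an ICMP error must carry inner IP header + 8 bytes, and if the inner
    datagram is ICMP it must be a known non-error type."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP_PROTO:
        return True, "not ICMP"
    icmph = packet[ihl:]
    if len(icmph) < 8:
        return False, "ICMP header truncated"
    itype = icmph[0]
    if itype > MAX_KNOWN_TYPE:
        return False, "unknown ICMP type %u" % itype
    if itype in ICMP_NOT_ERROR:
        return True, "non-error ICMP, nothing embedded"
    inner = icmph[8:]                       # the quoted original datagram
    if len(inner) < 28:                     # RFC 792: IP header + 64 bits
        return False, "embedded packet too short (%d bytes)" % len(inner)
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or inner_ihl < 20 or len(inner) < inner_ihl + 8:
        return False, "embedded IP header malformed"
    if inner[9] != ICMP_PROTO:
        return True, "embedded proto %d is fine" % inner[9]
    emb_type = inner[inner_ihl]
    if emb_type > MAX_KNOWN_TYPE or emb_type not in ICMP_NOT_ERROR:
        return False, "ICMP type %u not embeddable" % emb_type   # the logged message
    return True, "embedded ICMP type %u is non-error" % emb_type


# Constructed sample data. 192.0.2.1 is an assumed stand-in for My.external.IP.
EXTERNAL_IP = "192.0.2.1"

# The bracketed inner datagram from the log: External -> 172.20.10.1, PROTO=ICMP
# TYPE=3 CODE=3, TOS=0xC0, TTL=249, DF, LEN=62 (20 IP + 8 ICMP + 34 filler).
inner_error = ipv4(EXTERNAL_IP, "172.20.10.1", ICMP_PROTO,
                   icmp(3, 3, b"\x00" * 34), ttl=249, tos=0xC0, df=True)

# The outer packet from the log: only the first 28 bytes of the inner datagram
# are quoted, giving LEN=56 (20 IP + 8 ICMP + 28 embedded).
LOGGED_PACKET = ipv4("217.89.16.115", EXTERNAL_IP, ICMP_PROTO,
                     icmp(3, 3, inner_error[:28]), ttl=56, ident=30304)

# A well-formed port unreachable: it quotes a UDP datagram, not an ICMP error.
udp = struct.pack("!HHHH", 40000, 53, 20, 0) + b"\x00" * 12
inner_udp = ipv4(EXTERNAL_IP, "172.20.10.1", UDP_PROTO, udp)
LEGIT_PACKET = ipv4("217.89.16.115", EXTERNAL_IP, ICMP_PROTO,
                    icmp(3, 3, inner_udp[:28]))

# Time exceeded quoting an echo request: embedding a non-error ICMP is allowed.
inner_echo = ipv4(EXTERNAL_IP, "172.20.10.1", ICMP_PROTO,
                  icmp(8, 0, b"ping", rest=0x12340001))
TTL_EXCEEDED_ECHO = ipv4("217.89.16.115", EXTERNAL_IP, ICMP_PROTO,
                         icmp(11, 0, inner_echo[:28]))

# An error that quotes less than the mandatory 28 bytes.
TRUNCATED_PACKET = ipv4("217.89.16.115", EXTERNAL_IP, ICMP_PROTO,
                        icmp(3, 3, inner_error[:20]))

if __name__ == "__main__":
    for name, pkt in [("logged", LOGGED_PACKET), ("udp", LEGIT_PACKET),
                      ("echo", TTL_EXCEEDED_ECHO), ("truncated", TRUNCATED_PACKET)]:
        print(name, len(pkt), unclean_icmp_check(pkt))
```

The constructed "logged" packet is rejected with exactly the text from the kernel message, while the port unreachable quoting a UDP datagram passes, as does a time-exceeded quoting an echo request. Note that the original datagram in the log is itself a type 3 code 3 error leaving the external interface, which is what an ICMP-based REJECT on an inbound ICMP error would produce.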


