Re: protocol xx unreachable

From: Alexander Clouter (alex_at_digriz.junk-this.org.uk)
Date: 12/02/04


Date: Thu, 02 Dec 2004 21:13:55 -0000

On 2004-12-02, Helge Weissig <helgew@grajagan.org> wrote:
>
> I posted a more specific message earlier in comp.security.firewalls
> (Subject: protocol 50 unreachable), but troubleshooting the problem
> further seems to indicate a more general problem. Basically, I have a
> Linux box (2.4.18-24 kernel) with two interfaces set up as a router
> for a private internal network. I use iptables to NAT traffic from the
> inside and to (successfully!) forward specific TCP traffic (determined
> by port numbers) from the external to a host on the internal
> interface. However, I am not able to forward any packages coming in
> through a specific internet protocol (e.g. 47, 50 or 51). In each
> case, a tcpdump on the external interface shows a "protocol xx
> unreachable" ICMP response. Similarly, I am not able to get packages
> of a specific protocol coming from the inside to go to the external
> interface. Again, normal TCP traffic works just fine. This used to
> work before the system rebooted after a power loss... I am lost and
> any help would be greatly appreciated!!
>
You cannot NAT (port based) protocols 47 (gre), 50 (esp) or 51 (ah), you can
only NAT protocols 6 (tcp) and 17 (udp) (plus probably 'UDP Light') traffic.
The routers in between cannot decode/mangle the packet without the endpoints
complaining bitterly about man-in-the-middle attacks, bad checksums, etc etc.

For IPSec you should look at NAT-T (NAT Traversal) which more or less wraps
the whole IPSec packet in a UDP one. This means the packet is NAT 'safe'.

The ICMP packets are sent by the source (your router?) as there is some
firewall rule that says REJECT anything that is not 'tcp' or 'udp', probably.
Alternatively it might be only able to traverse the router via NAT which is
impossible anyway, hence the message.

Hopefully this will help you. It looks like the ordering of your firewall
rules is not the same as before, of course it's hard to tell. Insert counting
packets throughout your chains and see how far the packet does get, I bet it
gets dropped on the 'nat' table. You probably had before those protocols
hardcoded to be forwarded to a fixed IP inside, but then you would have
issues with 'ah' packets.... :-/

Good luck

Alex
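
Editor's note: the following is an added worked example, not code from Alex or
Helge. It models in Python the two points made above: a port-based source NAT
(MASQUERADE/SNAT style) can rewrite a UDP-encapsulated ESP packet as produced
by NAT-T (RFC 3948, UDP port 4500) because the ESP payload is opaque to it and
only the outer IP/UDP header changes, while raw protocol 47/50/51 packets give
it nothing to rewrite; and it builds the ICMP type 3 code 2 message that
tcpdump reports as "protocol 50 unreachable". Addresses, SPI, ciphertext and
the tcpdump wording are constructed/assumed; the header builders are minimal
(no IP options) but produce valid checksums.

```python
"""Added example (not from the post): port-based NAT versus raw ESP and NAT-T,
plus the ICMP 'protocol unreachable' seen in tcpdump. All packet data below is
constructed test data; nothing touches a socket."""
import struct

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51
NAT_T_PORT = 4500           # IANA port for UDP-encapsulated ESP and IKE (RFC 3948)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4, UDP, TCP and ICMP.
    Run over a header whose checksum field is already filled in, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip2b(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def l4_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """Transport checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    c = checksum(pseudo + segment)
    return 0xFFFF if (proto == UDP and c == 0) else c   # UDP: 0 means 'no checksum'


def udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    c = l4_checksum(ip2b(src), ip2b(dst), UDP, seg)
    return seg[:6] + struct.pack("!H", c) + seg[8:]


def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the opaque encrypted body.
    A real SPI is never 0; NAT-T relies on that (see nat_t_classify)."""
    return struct.pack("!II", spi, seq) + ciphertext


def nat_t_encapsulate(src: str, dst: str, esp_pkt: bytes) -> bytes:
    """RFC 3948: the whole ESP packet becomes the payload of a UDP datagram on
    port 4500, so the NAT sees ordinary UDP that it knows how to rewrite."""
    return ipv4(src, dst, UDP, udp(src, dst, NAT_T_PORT, NAT_T_PORT, esp_pkt))


def nat_t_classify(udp_payload: bytes) -> str:
    """On port 4500 IKE carries a 4-byte zero 'non-ESP marker' first; anything
    else is ESP, whose SPI cannot be zero."""
    return "IKE" if udp_payload[:4] == b"\x00\x00\x00\x00" else "ESP"


def snat(pkt: bytes, new_src: str, new_sport: int):
    """Port-based source NAT in the style of iptables MASQUERADE/SNAT.
    TCP/UDP: rewrite source address and port, fix IP and transport checksums.
    GRE, ESP and AH have no port field to multiplex on, so the translator has
    nothing to rewrite and returns None (AH also authenticates the IP header,
    so any rewrite would fail the receiver's integrity check)."""
    proto = pkt[9]
    if proto not in (TCP, UDP):
        return None
    ihl = (pkt[0] & 0x0F) * 4
    hdr, seg = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    hdr[12:16] = ip2b(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    seg[0:2] = struct.pack("!H", new_sport)
    off = 6 if proto == UDP else 16                 # transport checksum offset
    seg[off:off + 2] = b"\x00\x00"
    c = l4_checksum(bytes(hdr[12:16]), bytes(hdr[16:20]), proto, bytes(seg))
    seg[off:off + 2] = struct.pack("!H", c)
    return bytes(hdr) + bytes(seg)


def icmp_protocol_unreachable(offending: bytes) -> bytes:
    """ICMP type 3 code 2, which tcpdump prints as 'protocol N unreachable'.
    Quotes the offending IP header plus the first 8 payload bytes."""
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHI", 3, 2, 0, 0) + offending[:ihl + 8]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def tcpdump_style(icmp: bytes) -> str:
    """Reproduce tcpdump's wording for a protocol-unreachable message."""
    if icmp[0] == 3 and icmp[1] == 2:
        return "protocol %d unreachable" % icmp[8 + 9]   # proto byte of quoted header
    return "icmp type %d code %d" % (icmp[0], icmp[1])


def demo():
    """Constructed inside host 192.168.1.10 talking to 203.0.113.5 via NAT."""
    inner = esp(spi=0x1000ABCD, seq=1, ciphertext=b"\x11" * 32)
    raw = ipv4("192.168.1.10", "203.0.113.5", ESP, inner)               # plain ESP
    wrapped = nat_t_encapsulate("192.168.1.10", "203.0.113.5", inner)   # NAT-T
    return (raw, wrapped,
            snat(raw, "198.51.100.7", 40001), snat(wrapped, "198.51.100.7", 40001))


if __name__ == "__main__":
    raw, wrapped, raw_natted, wrapped_natted = demo()
    print("raw ESP through port NAT:", raw_natted)          # None: nothing to rewrite
    print("NAT-T through port NAT:  ", wrapped_natted.hex())
    print(tcpdump_style(icmp_protocol_unreachable(raw)))
```

In demo(), the raw ESP packet comes back from snat() as None while the NAT-T
packet passes with a new source address and port, a recomputed IP and UDP
checksum, and the ESP bytes from offset 28 onwards untouched. On the real box
the same ICMP can be produced deliberately with iptables' REJECT target
(--reject-with icmp-proto-unreachable); to follow Alex's advice on counting,
a rule such as "iptables -I FORWARD 1 -p 50" with no -j target only counts
matches, and "iptables -nvL FORWARD" (and the same on the nat table with
"-t nat") shows how far the protocol 50 packets get.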