Help about iptables and ICMP type 3

 
 
Odin_Eidolon
      03-02-2005, 01:18 PM
Hello there,
I have set a DNAT rule in my server's iptables for port 80 that forwards
all the incoming connections to port 80 of another client on my LAN
with the Apache web server running.
When Apache is up, that's all right... but when I shut down Apache,
external clients that try connecting to port 80 immediately
receive the message "connection refused".

So, in order to avoid this answer, I've tried to correctly set an
iptables rule on my server:

# iptables -t nat -I PREROUTING -p icmp --icmp-type 3 -j DROP

but nothing changes.

So, I've tried:

# iptables -I OUTPUT -p icmp --icmp-type 3 -j DROP

and:

# iptables -I FORWARD -p icmp --icmp-type 3 -j DROP

and the same three rules above with --icmp-type "any"...
...but nothing changes.

The main idea is this:

Before:
client --icmp3--> server --icmp3--> external_client

After:
client --icmp3--> server|DROP| external_client

How can I do this?

Thanks in advance,
Odin_Eidolon
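
Added example (not part of the thread or any poster's code): a small Python model of two iptables match expressions, run over constructed packets. It shows that the reply a host sends when nothing listens on a TCP port is a TCP segment with RST set, which `-p icmp --icmp-type 3` never matches. The addresses, ports and function names are assumptions made for the illustration.

```python
import socket
import struct

ICMP, TCP = 1, 6          # IPv4 protocol numbers
RST, ACK = 0x04, 0x10     # TCP flag bits

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp_segment(sport, dport, flags):
    """Minimal 20-byte TCP header: data offset 5, checksum left 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 5 << 4, flags, 0, 0, 0)

def icmp_message(icmp_type, code):
    """ICMP header only: type, code, checksum 0, unused word."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)

def parse(pkt):
    """Return (protocol, detail): ICMP (type, code) or the TCP flags byte."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == ICMP:
        return proto, (body[0], body[1])
    if proto == TCP:
        return proto, body[13]
    return proto, None

def matches_icmp_type3(pkt):
    """Models the match part of: -p icmp --icmp-type 3"""
    proto, detail = parse(pkt)
    return proto == ICMP and detail[0] == 3

def matches_tcp_rst(pkt):
    """Models the match part of: -p tcp --tcp-flags RST RST"""
    proto, detail = parse(pkt)
    return proto == TCP and bool(detail & RST)

# Constructed samples; private and documentation addresses, not taken from the thread.
refusal = ipv4(TCP, "192.168.0.10", "203.0.113.5", tcp_segment(80, 40000, RST | ACK))
unreachable = ipv4(ICMP, "192.168.0.10", "203.0.113.5", icmp_message(3, 3))

if __name__ == "__main__":
    for name, pkt in (("closed-port reply", refusal), ("ICMP type 3", unreachable)):
        print(name, "| icmp3 rule:", matches_icmp_type3(pkt),
              "| rst rule:", matches_tcp_rst(pkt))
```
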
 
Tauno Voipio
      03-02-2005, 05:50 PM
Odin_Eidolon wrote:
> Hello there,
> I have set a DNAT rule in my server's iptables for port 80 that forwards
> all the incoming connections to port 80 of another client on my LAN
> with the Apache web server running.
> When Apache is up, that's all right... but when I shut down Apache,
> external clients that try connecting to port 80 immediately
> receive the message "connection refused".
>
> So, in order to avoid this answer, I've tried to correctly set an
> iptables rule on my server:
>
> # iptables -t nat -I PREROUTING -p icmp --icmp-type 3 -j DROP
>
> but nothing changes.
>
> So, I've tried:
>
> # iptables -I OUTPUT -p icmp --icmp-type 3 -j DROP
>
> and:
>
> # iptables -I FORWARD -p icmp --icmp-type 3 -j DROP
>
> and the same three rules above with --icmp-type "any"...
> ...but nothing changes.
>
> The main idea is this:
>
> Before:
> client --icmp3--> server --icmp3--> external_client
>
> After:
> client --icmp3--> server|DROP| external_client
>
> How can I do this?
>


What do you think to gain in not telling that the HTTP
server is not available? The host trying to connect
will continue to send SYNs at timeout intervals instead
of going away with the refusal.

--

Tauno Voipio
tauno voipio (at) iki fi

 
 
Odin_Eidolon
      03-02-2005, 06:40 PM
Tauno Voipio wrote:
> Odin_Eidolon wrote:

[cut]
> What do you think to gain in not telling that the HTTP
> server is not available? The host trying to connect
> will continue to send SYNs at timeout intervals instead
> of going away with the refusal.


Mine was only an example. I've got an experimental server and I want
all the ports to appear in stealth mode. In order to do this, I have
to lock icmp3 packets that go from a client of my LAN (through the
server) to the internet.
I'm doing this only to gain a better knowledge of network routing and
firewalling.


Waiting for a solution,
Odin_Eidolon
 
 
Tauno Voipio
      03-03-2005, 10:18 AM
Odin_Eidolon wrote:
> Tauno Voipio wrote:
>
>> Odin_Eidolon wrote:
>
> [cut]
>
>> What do you think to gain in not telling that the HTTP
>> server is not available? The host trying to connect
>> will continue to send SYNs at timeout intervals instead
>> of going away with the refusal.
>
> Mine was only an example. I've got an experimental server and I want
> all the ports to appear in stealth mode. In order to do this, I have
> to lock icmp3 packets that go from a client of my LAN (through the
> server) to the internet.
> I'm doing this only to gain a better knowledge of network routing and
> firewalling.


OK.

Get a book on TCP/IP protocols before continuing, so
you understand the consequences of disabling arbitrary
packets.

My favourite is

W. Richard Stevens, TCP/IP Illustrated

It will explain why fiddling with ICMP has to be made
like porcupine love - very carefully.

--

Tauno Voipio
tauno voipio (at) iki fi


 