Iptables question on forwarded port with a router

Hello,

I have got a question related to iptables.
I'm connecting from my pc (let'a call its ip adress ip_1) to a linksys
router (let's call its ip adress ip_router) who is forwarding a port
xxx to the port 22 to a pc (let's call its ip ip_2).
I can connect through ssh on port xxx to this destination pc but if I
do some operation like top every thing is blocked.

I think this is due to my firewall (on the destination pc) that is
filtering some packets:

[IPTABLES DROP]IN=eth0 OUT= SRC=ip_router DST=ip_2 LEN=576 TOS=0x08
PREC=0xC0 TTL=255 ID=10789 PROTO=ICMP TYPE=3 CODE=4 [SRC=ip_2 DST=ip_1
LEN=1500 TOS=0x08 PREC=0x00 TTL=63 ID=15581 DF PROTO=TCP SPT=22
DPT=44276 WINDOW=1436 RES=0x00 ACK URGP=0 ] MTU=1460

Who can explain this line?
I allow ssh traffic and ping. It seems to be ssh socket encapsulated
in ping??? I really don't understand this line. So, I'm not able to
allow it in my iptables rules.

Thanks

Sylvain

sbannecy <(E-Mail Removed)> writes:

> Hello,
>
> I have got a question related to iptables.
> I'm connecting from my pc (let'a call its ip adress ip_1) to a linksys
> router (let's call its ip adress ip_router) who is forwarding a port
> xxx to the port 22 to a pc (let's call its ip ip_2).
> I can connect through ssh on port xxx to this destination pc but if I
> do some operation like top every thing is blocked.
>
> I think this is due to my firewall (on the destination pc) that is
> filtering some packets:
>
> [IPTABLES DROP]IN=eth0 OUT= SRC=ip_router DST=ip_2 LEN=576 TOS=0x08
> PREC=0xC0 TTL=255 ID=10789 PROTO=ICMP TYPE=3 CODE=4 [SRC=ip_2 DST=ip_1
> LEN=1500 TOS=0x08 PREC=0x00 TTL=63 ID=15581 DF PROTO=TCP SPT=22
> DPT=44276 WINDOW=1436 RES=0x00 ACK URGP=0 ] MTU=1460
>
> Who can explain this line?
> I allow ssh traffic and ping. It seems to be ssh socket encapsulated
> in ping??? I really don't understand this line. So, I'm not able to
> allow it in my iptables rules.

The blocked packet is an ICMP type 3, code 4 packet, being sent from
the router to the destination pc. It is essentially an error message
saying to the destination pc that its destination (which is your pc)
is unreachable because the packet it sent was too big. The packet it
is referring to (in brackets) was from the destination pc's sshd. It
was length 1500, and had the DF (don't fragment) flag set. However,
the MTU (maximum transfer unit) is 1460. Since 1500 is greater than
1460 and the packet can't be fragmented, there is no way to transmit
it.

You need to be able to receive ICMP type 3 messages. Your firewall
shouldn't be blocking them.

Scott
--
Scott Hemphill (E-Mail Removed)
"This isn't flying. This is falling, with style." -- Buzz Lightyear

Thanks for your response. The icmp traffic was already allowed, but
only for new and established state. I added related state (icmp type 3
is considered as related) and everything is working now.

Thanks a lot

Sylvain