protocol xx unreachable

Helge Weissig
12-02-2004, 07:34 PM
Hi,

I posted a more specific message earlier in comp.security.firewalls
(Subject: protocol 50 unreachable), but troubleshooting the problem
further seems to indicate a more general problem. Basically, I have a
Linux box (2.4.18-24 kernel) with two interfaces set up as a router
for a private internal network. I use iptables to NAT traffic from the
inside and to (successfully!) forward specific TCP traffic (determined
by port numbers) from the external to a host on the internal
interface. However, I am not able to forward any packets coming in
through a specific internet protocol (e.g. 47, 50 or 51). In each
case, a tcpdump on the external interface shows a "protocol xx
unreachable" ICMP response. Similarly, I am not able to get packets
of a specific protocol coming from the inside to go to the external
interface. Again, normal TCP traffic works just fine. This used to
work before the system rebooted after a power loss... I am lost and
any help would be greatly appreciated!!

best,
h.
Alexander Clouter
12-02-2004, 08:13 PM
On 2004-12-02, Helge Weissig <(E-Mail Removed)> wrote:
>
> I posted a more specific message earlier in comp.security.firewalls
> (Subject: protocol 50 unreachable), but troubleshooting the problem
> further seems to indicate a more general problem. Basically, I have a
> Linux box (2.4.18-24 kernel) with two interfaces set up as a router
> for a private internal network. I use iptables to NAT traffic from the
> inside and to (successfully!) forward specific TCP traffic (determined
> by port numbers) from the external to a host on the internal
> interface. However, I am not able to forward any packets coming in
> through a specific internet protocol (e.g. 47, 50 or 51). In each
> case, a tcpdump on the external interface shows a "protocol xx
> unreachable" ICMP response. Similarly, I am not able to get packets
> of a specific protocol coming from the inside to go to the external
> interface. Again, normal TCP traffic works just fine. This used to
> work before the system rebooted after a power loss... I am lost and
> any help would be greatly appreciated!!
>

You cannot NAT (port based) protocols 47 (gre), 50 (esp) or 51 (ah), you can
only NAT protocols 6 (tcp) and 17 (udp) (plus probably 'UDP-Lite') traffic.
The routers in between cannot decode/mangle the packet without the endpoints
complaining bitterly about man-in-the-middle attacks, bad checksums, etc etc.

For IPSec you should look at NAT-T (NAT Traversal) which more or less wraps
the whole IPSec packet in a UDP one. This means the packet is NAT 'safe'.

The ICMP packets are sent by the source (your router?) as there is some
firewall rule that says REJECT anything that is not 'tcp' or 'udp', probably.
Alternatively it might be only able to traverse the router via NAT which is
impossible anyway, hence the message.

Hopefully this will help you. It looks like the ordering of your firewall
rules is not the same as before, of course it's hard to tell. Insert
packet-counting rules throughout your chains and see how far the packet gets,
I bet it gets dropped in the 'nat' table. You probably had before those protocols
hardcoded to be forwarded to a fixed IP inside, but then you would have
issues with 'ah' packets.... :-/

Good luck

Alex
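Alexander's diagnostic step (counting rules in every chain, then seeing how far the packet gets) is worth doing mechanically: take `iptables -vn -L` (add `-x` to stop it abbreviating big counters) before and after sending a few test packets, and diff the per-rule and per-chain-policy packet counters. The script below is an added example, not code from the thread; the two snapshots in it are constructed sample output in the default `iptables -v` column layout, not output from Helge's router. It reports every rule whose counter moved and could have matched the protocol you care about (a `tcp` rule cannot be what swallowed ESP), and flags terminal targets (DROP, REJECT, or the built-in chain policy). One caveat on the NAT point above: it holds for port-based NAT; a plain one-to-one address rewrite of ESP or GRE (DNAT with no port) does work on Linux for a single internal peer, whereas AH authenticates the IP header and breaks under any NAT.

```python
"""Diff the packet counters of two `iptables -vn -L` snapshots, taken before
and after sending test traffic, to find the rule (or chain policy) that eats
it.  BEFORE/AFTER are constructed sample output, not from the poster's box."""
import re

# /etc/protocols numbers, so that 'esp' and '50' compare equal
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51,
             "sctp": 132, "udplite": 136}
OPT_COLUMN = {"--", "-f", "!f"}                       # values the 'opt' column takes
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}  # -v abbreviates counters unless -x
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, (\S+) bytes"
                      r"|\d+ references)\)$")

def parse_count(tok):
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError("bad counter %r" % tok)
    return int(m.group(1)) * SUFFIX[m.group(2)]

def proto_number(name):
    """'esp' -> 50, '50' -> 50, 'all' -> None (a rule that matches any protocol)."""
    if name == "all":
        return None
    if name.isdigit():
        return int(name)
    return PROTO_NUM[name]

def parse_snapshot(text):
    """(chain, rule_index) -> rule fields; (chain, 'policy') -> built-in policy counter."""
    rules, chain, index = {}, None, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain, index = m.group(1), 0
            if m.group(2):            # built-in chain: packets that fell off the end
                rules[(chain, "policy")] = {"target": m.group(2), "prot": "all",
                                           "pkts": parse_count(m.group(3))}
            continue
        if line.lstrip().startswith("pkts"):   # column header line
            continue
        tok = line.split()
        if chain is None or len(tok) < 8:
            raise ValueError("unexpected line %r" % line)
        if tok[3] in OPT_COLUMN:  # empty target column: a pure counting rule
            tok.insert(2, "")
        index += 1
        rules[(chain, index)] = {"pkts": parse_count(tok[0]), "target": tok[2],
                                 "prot": tok[3], "in": tok[5], "out": tok[6],
                                 "src": tok[7], "dst": tok[8], "extra": " ".join(tok[9:])}
    return rules

def counter_diff(before, after, proto=None):
    """Rules whose packet counter grew and that could have matched `proto`
    (name or number; None = report every rule), in chain/rule order."""
    want = None if proto is None else proto_number(str(proto))
    old, new = parse_snapshot(before), parse_snapshot(after)
    hits = []
    for key, rule in new.items():
        delta = rule["pkts"] - old.get(key, {"pkts": 0})["pkts"]
        if delta <= 0:
            continue
        rp = proto_number(rule["prot"])
        if want is not None and rp is not None and rp != want:
            continue              # e.g. a 'tcp' rule cannot be what ate ESP
        hits.append({"chain": key[0], "rule": key[1], "delta": delta,
                     "target": rule["target"], "prot": rule["prot"],
                     "terminal": key[1] == "policy" or rule["target"] in ("DROP", "REJECT")})
    hits.sort(key=lambda h: (h["chain"], h["rule"] if h["rule"] != "policy" else 1 << 30))
    return hits

BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8231  612K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  315 25200 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            203.0.113.1          tcp dpt:22
   12  1104 REJECT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 3 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1503   98K ACCEPT     all  --  eth1   eth0    192.168.1.0/24       0.0.0.0/0
   42  3360 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.1.10         tcp dpt:22
    0     0            esp  --  eth0   eth1    0.0.0.0/0            192.168.1.10
"""
# Same box after seven ESP packets from the VPN peer (plus a little other traffic)
AFTER = (BEFORE.replace("  315 25200 ACCEPT", "  320 25600 ACCEPT")
               .replace("   12  1104 REJECT", "   19  1748 REJECT")
               .replace(" 1503   98K ACCEPT", " 1506   98K ACCEPT"))

if __name__ == "__main__":
    for h in counter_diff(BEFORE, AFTER, proto="esp"):
        print("%-8s rule %-6s +%-4d %-7s %s" % (h["chain"], h["rule"], h["delta"],
              h["target"] or "(count)", "<-- terminal" if h["terminal"] else ""))
```

In the constructed sample the ESP packets never reach FORWARD at all (the target-less `esp` counting rule there stays at zero); the REJECT in INPUT absorbs them, which is exactly the situation where the router itself answers with protocol unreachable. Feed the script real `iptables -vnx -L` and `iptables -t nat -vnx -L` output from your own box and look for the first terminal hit.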
Helge Weissig
12-03-2004, 04:47 PM
Alexander Clouter wrote:
> You cannot NAT (port based) protocols 47 (gre), 50 (esp) or 51 (ah), you can
> only NAT protocols 6 (tcp) and 17 (udp) (plus probably 'UDP-Lite') traffic.
> The routers in between cannot decode/mangle the packet without the endpoints
> complaining bitterly about man-in-the-middle attacks, bad checksums, etc etc.
>
> For IPSec you should look at NAT-T (NAT Traversal) which more or less wraps
> the whole IPSec packet in a UDP one. This means the packet is NAT 'safe'.
>
> The ICMP packets are sent by the source (your router?) as there is some
> firewall rule that says REJECT anything that is not 'tcp' or 'udp', probably.
> Alternatively it might be only able to traverse the router via NAT which is
> impossible anyway, hence the message.
>
> Hopefully this will help you. It looks like the ordering of your firewall
> rules is not the same as before, of course it's hard to tell. Insert
> packet-counting rules throughout your chains and see how far the packet gets,
> I bet it gets dropped in the 'nat' table. You probably had before those protocols
> hardcoded to be forwarded to a fixed IP inside, but then you would have
> issues with 'ah' packets.... :-/
>
> Good luck
>
> Alex


How can I reinstate the "hardcoded" forwarding to the fixed IP? It's
really all I need and I am using esp only, so I should be fine. What I
still don't understand though is that packets from the inside get
stuck on the internal interface and never make it to the external one
(this is for example doing a ping of a VPN host after my VPN software
claims it has established the IPsec tunnel).

h.
Antoine EMERIT
12-04-2004, 08:31 PM
Helge Weissig wrote:
> interface. However, I am not able to forward any packets coming in
> through a specific internet protocol (e.g. 47, 50 or 51). In each
> case, a tcpdump on the external interface shows a "protocol xx
> unreachable" ICMP response. Similarly, I am not able to get packets
> of a specific protocol coming from the inside to go to the external
> interface. Again, normal TCP traffic works just fine. This used to
> work before the system rebooted after a power loss... I am lost and
> any help would be greatly appreciated!!


Please,

ifconfig -a
iptables -L -vn
iptables -t nat -L -vn

cat /proc/sys/net/ipv4/ip_forward

lsmod


Regards

Helge Weissig
12-04-2004, 10:29 PM
... as mysteriously as it appeared, the problem seems to have resolved
itself. Wish I knew though what it was!!

h.
Michael J. Pelletier
12-05-2004, 05:30 AM
Helge Weissig wrote:

> Hi,
>
> I posted a more specific message earlier in comp.security.firewalls
> (Subject: protocol 50 unreachable), but troubleshooting the problem
> further seems to indicate a more general problem. Basically, I have a
> Linux box (2.4.18-24 kernel) with two interfaces set up as a router
> for a private internal network. I use iptables to NAT traffic from the
> inside and to (successfully!) forward specific TCP traffic (determined
> by port numbers) from the external to a host on the internal
> interface. However, I am not able to forward any packets coming in
> through a specific internet protocol (e.g. 47, 50 or 51). In each
> case, a tcpdump on the external interface shows a "protocol xx
> unreachable" ICMP response. Similarly, I am not able to get packets
> of a specific protocol coming from the inside to go to the external
> interface. Again, normal TCP traffic works just fine. This used to
> work before the system rebooted after a power loss... I am lost and
> any help would be greatly appreciated!!
>
> best,
> h.


These are for VPN Tunneling and encapsulation. They are:
gre 47 GRE # Generic Routing Encapsulation
esp 50 ESP # encapsulating security payload
ah 51 AH # authentication header


-- Michael
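The protocol numbers Michael lists are what the ICMP error in the original post carries: a "protocol xx unreachable" is ICMP type 3, code 2, and its body holds the IP header plus the first 8 bytes of the packet that was refused, so decoding it tells you the refused protocol (47/50/51), the two endpoints, and for ESP the SPI. It also tells you who refused it. If the ICMP source address equals the refused packet's destination, the end host itself did (Linux sends protocol unreachable when a packet is delivered locally to a protocol nothing is listening for, e.g. ESP arriving at the router's own address with no IPsec stack loaded, and a REJECT in INPUT does the same); if it differs, a hop in between did, and iptables' REJECT target can produce exactly this ICMP with `--reject-with icmp-proto-unreachable`. The decoder below is an added example, not code from the thread; the addresses and packet bytes it builds are constructed for illustration.

```python
"""Decode an ICMP 'protocol unreachable' (type 3, code 2) from raw IPv4 bytes,
as captured by tcpdump, and say who refused what.  Addresses and packet bytes
below are constructed for illustration."""
import struct

# /etc/protocols numbers mentioned in the thread
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}
ICMP_DEST_UNREACH = 3
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 9: "net prohibited", 10: "host prohibited", 13: "admin prohibited"}

def ones_complement_sum(data):
    """RFC 1071 checksum; yields 0 over a block whose checksum field is valid."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(buf, offset=0):
    """Return (fields, header_length) for the IPv4 header at buf[offset:]."""
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, offset)
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    dotted = lambda a: ".".join(str(b) for b in a)
    return {"src": dotted(src), "dst": dotted(dst), "proto": proto,
            "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "ttl": ttl, "total_len": total_len}, ihl

def decode_icmp_unreachable(pkt):
    """pkt = the full IPv4 packet carrying the ICMP error (what tcpdump captures)."""
    outer, ihl = parse_ipv4_header(pkt)
    if outer["proto"] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = pkt[ihl:]
    itype, code, _csum = struct.unpack_from("!BBH", icmp, 0)
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("ICMP type %d is not destination unreachable" % itype)
    if ones_complement_sum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    # after type/code/checksum/unused (8 bytes) comes the refused packet's header
    inner, inner_ihl = parse_ipv4_header(icmp, 8)
    first8 = icmp[8 + inner_ihl:8 + inner_ihl + 8]
    info = {"sent_by": outer["src"], "to": outer["dst"], "code": code,
            "reason": UNREACH_CODES.get(code, "code %d" % code),
            "orig_src": inner["src"], "orig_dst": inner["dst"],
            "orig_proto": inner["proto"], "orig_proto_name": inner["proto_name"],
            # ICMP source == refused packet's destination: the end host refused it
            # (no protocol handler, or a REJECT in its INPUT chain); otherwise a
            # hop in between did (e.g. a REJECT in a router's FORWARD chain)
            "refused_by_destination": outer["src"] == inner["dst"]}
    if inner["proto"] == 50 and len(first8) >= 8:   # ESP: SPI and sequence number
        info["esp_spi"], info["esp_seq"] = struct.unpack("!II", first8)
    return info

def _ip(a):
    return bytes(int(x) for x in a.split("."))

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]

def build_proto_unreach(sender, orig_src, orig_dst, orig_proto, orig_first8):
    """Constructed test packet: `sender` tells `orig_src` that its packet to
    `orig_dst` with protocol `orig_proto` was refused."""
    refused = ipv4_header(orig_src, orig_dst, orig_proto, len(orig_first8)) + orig_first8
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, 2, 0, 0) + refused
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    return ipv4_header(sender, orig_src, 1, len(icmp)) + icmp

if __name__ == "__main__":
    # The thread's symptom, with constructed addresses: the router (203.0.113.1)
    # answers the VPN peer's ESP (SPI 0xc0ffee01, seq 1) with protocol unreachable.
    pkt = build_proto_unreach("203.0.113.1", "198.51.100.7", "203.0.113.1", 50,
                              b"\xc0\xff\xee\x01\x00\x00\x00\x01")
    for k, v in decode_icmp_unreachable(pkt).items():
        print("%-24s %s" % (k, v))
```

To use it on a real capture, write the packets out with `tcpdump -i eth0 -w unreach.pcap icmp` and feed each packet's IPv4 bytes (after the link-layer header) to `decode_icmp_unreachable`; the checksum check guards against decoding a truncated or mangled capture as if it were a genuine error.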